spin
October 22, 2018, 7:33pm
1
Virus / Security Risk
The following IPs have been port scanning SMB (TCP/445, the Windows file-sharing port) and may well be infected by malware or viruses. Can the owners please check any software they have installed recently and run a virus scan.
They have been logged on @dizzle's firewall trying to connect to port 445 (SMB, the Windows file-sharing port). This is a known symptom of the WannaCry virus or similar. Some wuggers (from PTAWUG) have also noted the attacks in their anti-virus:
Thanks @dizzle for tracking down the issue. Thanks for PTAWUGgers reporting it to us also.
Scanning IPs
These will be automatically blackholed:
SMB Port Scanning (associated with various viruses like WannaCry)
I’ve implemented automatic blackholing of IPs that scan SMB ports on certain hosts. Any packet received on those ports will result in the source IP being null routed (blackholed) across CTWUG.
If you suspect you’ve been blackholed by this:
Please check whether you can reach any OSPF RB. If you cannot, that might be the case.
Check https://chat.ctwug.za.net/channel/security to see if your IP is listed there. Wait there for a message that it has been unbanned.
Consider scanning all your PCs and firewalls for WannaCry and similar.
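The blackholing described in the post above, as an added example that is not part of the original thread or of any CTWUG tooling: it parses MikroTik-style firewall log lines, flags any source that sends a TCP packet to port 445 or 139 on a set of designated bait hosts, and emits RouterOS `/ip route` blackhole entries for those sources. The log format, the bait host addresses, the allowlist and the sample log lines are all assumptions constructed for the example; the blackhole route is assumed to be redistributed to the rest of the network by OSPF (`redistribute-static` on the OSPF instance), which is what makes the null route take effect network-wide rather than on one router only.

```python
"""Added example: flag SMB probes in firewall logs and build RouterOS blackhole routes."""
import re
from collections import defaultdict

# Constructed sample log lines in the style of a MikroTik RouterOS firewall log
# with an "input" rule set to log. Addresses are placeholders, not the thread's IPs.
SAMPLE_LOG = """\
oct/22 19:01:02 firewall,info input: in:wlan1 out:(none), proto TCP (SYN), 10.0.5.20:51234->10.0.9.1:445, len 52
oct/22 19:01:03 firewall,info input: in:wlan1 out:(none), proto TCP (SYN), 10.0.5.20:51235->10.0.9.2:445, len 52
oct/22 19:01:05 firewall,info input: in:wlan1 out:(none), proto TCP (SYN), 10.0.7.44:40001->10.0.9.1:139, len 52
oct/22 19:01:07 firewall,info input: in:wlan1 out:(none), proto TCP (SYN), 10.0.3.9:40002->10.0.9.1:80, len 52
oct/22 19:01:09 firewall,info input: in:wlan1 out:(none), proto UDP, 10.0.6.12:53->10.0.9.1:53, len 80
oct/22 19:01:11 firewall,info input: in:wlan1 out:(none), proto TCP (SYN), 10.0.9.254:40003->10.0.9.1:445, len 52
"""

SMB_PORTS = {445, 139}
# Assumed bait hosts that never legitimately serve SMB, so one packet is enough
# to act on (this is the single-packet trigger the post describes).
BAIT_HOSTS = {"10.0.9.1", "10.0.9.2"}
# Assumed allowlist: never blackhole backbone routers / OSPF peers, or the
# automation can cut the network it is meant to protect.
NEVER_BLACKHOLE = {"10.0.9.254"}

LINE_RE = re.compile(
    r"proto (?P<proto>TCP|UDP)(?: \(\w+\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_hits(log_text):
    """Return a list of (proto, src_ip, dst_ip, dst_port) from firewall log lines."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return hits


def smb_scanners(hits, bait=BAIT_HOSTS, allow=NEVER_BLACKHOLE):
    """Map each offending source IP to the sorted list of bait hosts it probed on SMB ports."""
    probed = defaultdict(set)
    for proto, src, dst, dport in hits:
        if proto == "TCP" and dport in SMB_PORTS and dst in bait and src not in allow:
            probed[src].add(dst)
    return {src: sorted(hosts) for src, hosts in probed.items()}


def routeros_blackhole_commands(scanners, tag="smb-scanner"):
    """RouterOS CLI lines that null-route traffic *to* each offending /32.

    A blackhole route for the scanner's address means nothing on the network can
    reach it (and it gets no replies), which is the thread's "null routed" state.
    """
    cmds = []
    for ip, hosts in sorted(scanners.items()):
        probed = ",".join(hosts)
        cmds.append(
            f'/ip route add dst-address={ip}/32 type=blackhole comment="{tag} probed {probed}"'
        )
    return cmds


if __name__ == "__main__":
    found = smb_scanners(parse_hits(SAMPLE_LOG))
    for cmd in routeros_blackhole_commands(found):
        print(cmd)
```

The allowlist check matters in practice: a spoofed or misattributed packet from a backbone router's address must not produce a blackhole route, because OSPF would then propagate a null route for the backbone itself. Removing a ban is the reverse operation (`/ip route remove` on the entry with that comment), which is the "unbanned" message the post refers to.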
spin
October 22, 2018, 8:14pm
2
Added two more IPs to the list above.
dizzle
October 22, 2018, 8:38pm
3
List of host names below
172.26.60.132 youknowho2.youknowho.ctwug.za.net
172.26.22.131 pc3.shaggydogza.ctwug.za.net
172.26.137.148 pc4.mafia.ctwug.za.net
172.18.115.71 snot.ctwug.za.net
172.26.148.65 pc-1.torax.ctwug.za.net
172.26.152.57 pc1.arno-3.ctwug.za.net
172.26.135.41 pc1.zerocool.ctwug.za.net
172.26.27.180 stefpc.redrbk.ctwug.za.net
172.26.31.229 stinge-pc.blinksnode.ctwug.za.net
172.26.27.189 rb2.redrbk.redrbk.ctwug.za.net
172.26.30.1 server.coms.ctwug.za.net
172.26.148.34 pc2.kleintjie.ctwug.za.net
172.26.148.33 pc1.kleintjie.ctwug.za.net
172.18.33.14 rb1.diego.ctwug.za.net, rb.johanvdb.ctwug.za.net
From Kfn:
172.26.22.131/32 - @shaggydogza
172.26.27.180/32 - @redrbk
172.26.27.189/32 - also @redrbk
172.26.30.1/32 - @Coms
172.26.31.229/32 - @Blinkfs
Wolf
October 23, 2018, 4:24am
5
172.18.145.203 pc11.tiffie.ctwug.za.net
172.18.123.241 pc1.wesa.ctwug.za.net
Also infected
redrbk
October 23, 2018, 4:32am
6
Stiaan, what is this? Please give a bit of clarity.
Refer to the first post in the thread; the devices on those IPs of yours are very likely infected.
PCs are the likely culprit in this case.
Spaffy
October 23, 2018, 6:24am
10
I’ve informed snot and Arno
redrbk
October 23, 2018, 6:36am
11
Ok Stiaan, will have a look tonight.
spin
October 23, 2018, 12:22pm
12
@dizzle has run a scan on one of these and it was heavily infected with multiple pieces of malware. It was also not patched. Keep your systems up to date even if you are only on the wug. There are WSUS servers on the wug as well.
Or switch to Linux.
redrbk
October 23, 2018, 12:58pm
13
@spin, what do you mean by patched?
BIG
October 23, 2018, 2:27pm
14
Hi
According to Zerocool (IP 172.26.135.41) he scanned and deleted his virus. Can anyone please just check whether he did it successfully?
Thanks
Did a scan, all well on my side.
dizzle
October 23, 2018, 2:53pm
16
What do you mean complete? @Wolf
dizzle
October 23, 2018, 2:55pm
17
Patching the operating system for vulnerabilities. Patches are released by OS maintainers. Basically windows updates
Wolf
October 23, 2018, 3:46pm
18
@dizzle Post has been updated
Let me know if there is anything else, @Coms and @dizzle.
@spin, I did what you asked of me. I would appreciate it if you bring me back online. Thank you.