We have another “victim”. He’s been autoblocked for a week. Looks like he was port scanning though. He seems to be targeting several ports. See DPT=xxx from the logs below.
172.18.114.26 / hagor.jedoga.ctwug.za.net
Let’s say that it was a virus. But he didn’t just target SMB port 445.
Anybody know him?
A reminder that our rules state that:
Jan 19 21:15:46 centrifuge kernel: [32571413.289157] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=15689 DF PROTO=TCP SPT=57358 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 19 21:15:46 centrifuge kernel: [32571413.675666] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x00 PREC=0x20 TTL=53 ID=33069 DF PROTO=TCP SPT=46866 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 19 21:15:46 centrifuge kernel: [32571413.720733] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=61840 DF PROTO=TCP SPT=53436 DPT=1720 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 19 21:15:46 centrifuge kernel: [32571413.742284] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=13638 DF PROTO=TCP SPT=38724 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 19 21:15:47 centrifuge kernel: [32571414.940294] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=3976 DF PROTO=TCP SPT=33516 DPT=995 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 19 21:16:07 centrifuge kernel: [32571435.131925] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=30294 DF PROTO=TCP SPT=51140 DPT=135 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 19 21:16:15 centrifuge kernel: [32571442.870485] [UFW BLOCK SMB] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=65035 DF PROTO=TCP SPT=48510 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
You can see these “live” here:
https://chat.ctwug.za.net/channel/security?msg=W9ovjEoBMBT7CGhxq
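For anyone who wants to pull the same signal out of their own UFW logs, here is a small added example (my own code, not part of the post above or of any CTWUG tooling): it parses the kernel `[UFW BLOCK]` lines into fields and raises one alert when a single source hits several distinct destination ports on one host within a short window. The sample lines are the seven from the post; the thresholds (`min_ports=5`, `window_seconds=60`) are assumptions you would tune to your own network. Syslog timestamps carry no year, so the parser leaves them in strptime's default year, which is enough for ordering within one log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the original post: parse UFW/netfilter "[UFW BLOCK]"
# kernel log lines and flag a source that probes many distinct destination
# ports on one host inside a short window (a simple port-scan heuristic).

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[\s*[\d.]+\] \[UFW (?P<action>[^\]]+)\] (?P<rest>.*)$"
)

# The seven log lines quoted in the post, used here as sample input.
SAMPLE_LINES = [
    "Jan 19 21:15:46 centrifuge kernel: [32571413.289157] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=15689 DF PROTO=TCP SPT=57358 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:46 centrifuge kernel: [32571413.675666] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x00 PREC=0x20 TTL=53 ID=33069 DF PROTO=TCP SPT=46866 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:46 centrifuge kernel: [32571413.720733] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=61840 DF PROTO=TCP SPT=53436 DPT=1720 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:46 centrifuge kernel: [32571413.742284] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=13638 DF PROTO=TCP SPT=38724 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:47 centrifuge kernel: [32571414.940294] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=3976 DF PROTO=TCP SPT=33516 DPT=995 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:16:07 centrifuge kernel: [32571435.131925] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=30294 DF PROTO=TCP SPT=51140 DPT=135 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:16:15 centrifuge kernel: [32571442.870485] [UFW BLOCK SMB] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=65035 DF PROTO=TCP SPT=48510 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_ufw_line(line):
    """Return a dict of the line's fields, or None if it is not a UFW log line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = {"action": m.group("action")}
    # Syslog timestamps have no year; strptime's default (1900) keeps them orderable.
    rec["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True  # bare tokens such as DF and SYN become flags
    return rec


def detect_port_scans(lines, min_ports=5, window_seconds=60):
    """Group blocked TCP connection attempts by (SRC, DST) and return one alert per
    pair whose source touched at least min_ports distinct DPT values within
    window_seconds. Thresholds are assumed defaults, not values from the post."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_ufw_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or "DPT" not in rec:
            continue
        events[(rec["SRC"], rec["DST"])].append((rec["ts"], int(rec["DPT"])))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()  # chronological order of (timestamp, port)
        for i in range(len(evs)):
            start = evs[i][0]
            ports, last = set(), start
            for ts, dpt in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                ports.add(dpt)
                last = ts
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "first": start, "last": last})
                break  # one alert per source/destination pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LINES):
        print(f"{a['src']} -> {a['dst']}: {len(a['ports'])} ports "
              f"{a['ports']} between {a['first'].time()} and {a['last'].time()}")
```

Run it against the lines above and the single offending host shows up with all seven ports (113, 135, 445, 995, 1720, 1723, 3389) inside a 29-second window; feed it your own `/var/log/ufw.log` with `detect_port_scans(open(path))` to see whether anyone else on the mesh trips the same rule. Because it keys on (SRC, DST), a host that probes one port on many neighbours will not trigger it; that horizontal pattern needs a second grouping keyed on SRC alone.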