More popped up:
172.18.115.71 - noname.bouncer.ctwug.za.net
172.18.32.35 - pc3.randal.ctwug.za.net
What's up with this > noname.bouncer.ctwug.za.net? Even if you do nslookups, that name pops up under the DNS server.
This should be fixed now, he for some reason added the DNS server IP as his own IPs.
This IP appears to be reinfected. Been on here before. One of @Ironman's clients?
We also had other infections from this node. If people clean their PCs they need to clean them all and patch/update them.
172.18.115.71 (LABIMAGE - DNS TAG) is still trying to spread the “Wannacry”
It does seem to be a device on the Snot #8736 subnet.
I see my IP 172.26.60.132 got blocked again. I did scan with Malwarebytes and Microsoft Security Essentials and no virus was found.
Can somebody please tell me what I should be looking for to get rid of this pest. Or what to use.
Hi. I did install Kaspersky and did a full scan. I did find 38 pests but can't tell if it was the right ones. Can you please unblock my IP and see again what's cooking?
THX
@dns:~ $ nslookup 172.26.137.146
Server: 172.18.1.1
Address: 172.18.1.1#53
146.137.26.172.in-addr.arpa name = pc2.mafia.ctwug.za.net.
I’m a bit behind with this. I will clear out the list of blocked IPs and we can see what we get. Haven’t had anything on my firewall in some time.
OK updated block to only that IP and updated first post.

@Adriaan 65.13.26.172.in-addr.arpa name = adriaan1.adriaan.ctwug.za.net.
@blinksnode 229.31.26.172.in-addr.arpa name = stinge-pc.blinksnode.ctwug.za.net.
@Smurf 2.153.26.172.in-addr.arpa name = pc2.smurf.ctwug.za.net.
@redrbk 180.27.26.172.in-addr.arpa name = stefpc.redrbk.ctwug.za.net.
@Mafia 146.137.26.172.in-addr.arpa name = pc2.mafia.ctwug.za.net.
Morning @spin, will fix that pc this weekend 172.26.27.180
Yes @spin PC2 smurf 153.26.172.2 scanned and virus removed
Thanks
I’ve added automated protection for SMB scanning (updated first post). If you are scanning on such ports you are either infected by a virus or trying to find insecure shares. Either way you will be blackholed.
@dribbel and Randal you guys have infected hosts. I’ve upped the block to 7 days by default so next time your PCs scan they will be blocked (or I’ll block you manually if I can).
@dribbel please fix your host. rb1.dribbel2.0.ctwug.za.net / 172.26.151.214 is infected (probably a PC natting on that IP). @Naruto can you please disable route/link to @dribbel until his PC is cleared out. Can’t log in there myself.
Randal connects on Cyprus that connects on @TheStalker . Can someone contact him. I’ve disabled his route.
pc1.randal.ctwug.za.net / 172.18.32.33 is infected.
Hi. What is this? What can I do now?
That is infected with some virus.