Virus - SMB Port Scanning (Wannacry?)

There was a NAT rule on wlan1… which I removed, hope that solves the issue, he will also run a virus scan etc.


The NAT rule isn't going to take the virus away :slight_smile: But yes, he needs to update his Windows machines and remove the virus. Can someone switch him off until he does that, please?

That is my RB IP… Ditz is helping… I'm updating Windows and antivirus. Want login on the RB?

OK it’s probably one of your windows machines that has access to wug. The RB is probably fine.

Dribbel PC is fixed… have re-enabled the link


We have another “victim”. He’s been autoblocked for a week. Looks like he was port scanning though. He seems to be targeting several ports. See DPT=xxx in the logs below.

172.18.114.26 / hagor.jedoga.ctwug.za.net
Let’s say that it was a virus. But he didn’t just target SMB port 445.

Anybody know him?

A reminder that our rules state that:

Jan 19 21:15:46 centrifuge kernel: [32571413.289157] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=15689 DF PROTO=TCP SPT=57358 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 19 21:15:46 centrifuge kernel: [32571413.675666] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x00 PREC=0x20 TTL=53 ID=33069 DF PROTO=TCP SPT=46866 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 19 21:15:46 centrifuge kernel: [32571413.720733] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=61840 DF PROTO=TCP SPT=53436 DPT=1720 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 19 21:15:46 centrifuge kernel: [32571413.742284] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=13638 DF PROTO=TCP SPT=38724 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 19 21:15:47 centrifuge kernel: [32571414.940294] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=3976 DF PROTO=TCP SPT=33516 DPT=995 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 19 21:16:07 centrifuge kernel: [32571435.131925] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=30294 DF PROTO=TCP SPT=51140 DPT=135 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 19 21:16:15 centrifuge kernel: [32571442.870485] [UFW BLOCK SMB] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=65035 DF PROTO=TCP SPT=48510 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0 

You can see these “live” here:
https://chat.ctwug.za.net/channel/security?msg=W9ovjEoBMBT7CGhxq

@Ironman still getting hit by Dribbel from a different PC:
pc5.dribbel2.0.ctwug.za.net. / 172.26.151.213

Jan 21 19:10:01 centrifuge kernel: [32736588.470391] [UFW BLOCK SMB] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.26.151.213 DST=172.18.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=14585 DF PROTO=TCP SPT=49621 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 

See: https://chat.ctwug.za.net/channel/security?msg=eJzz5uz8DyyPoSEDH

Ai, will let him know


Their PC is unplugged until I can redo it and scan again


Still getting hit by some infected PCs

@Oldschool
@Adriaan
@redrbk
@laggiestrd
@Mafia

What is the firewall rule you are using?

Just an input rule: TCP ports 135-139,445, add to address list and drop.


Hi, PC redone, virus is gone, thanks


The automated version just looks at tcp/445. On a specific IP. Might be that these didn’t scan that IP, or not that port.

Is 135-139/tcp also associated with the threat?

Samba runs on TCP 139 and 445, UDP 137 and 138

My post should’ve said 137-139,445

Maybe add 135 as well, RPC runs on that, plenty of bugs (admittedly older) on that…
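To make the distinction drawn in this thread mechanical (the 172.18.114.26 logs posted above, which hit many ports, versus a host that only touches SMB/NetBIOS/RPC ports, and the note that the automated blocker only watches tcp/445 to one IP), here is an added example. It is my own code, not the group's automated blocker or anything from the thread. It parses UFW BLOCK lines in the format posted above, groups blocked SYNs by source, flags a source as a port scanner when it hits several distinct destination ports, as an SMB probe when it only touches 135-139 or 445, and also reproduces the narrow tcp/445-to-one-IP check to show what that check misses. The scan threshold of five ports, the host 172.26.200.9 and its log line are assumptions constructed for the example; the other sample lines are the ones posted in the thread.

```python
import re
from collections import defaultdict

# Field pattern of a netfilter/UFW log line as posted in the thread.
LOG_RE = re.compile(
    r"\[UFW (?P<label>BLOCK(?: SMB)?)\] .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Ports discussed in the thread: 135 (MS-RPC), 137-139 (NetBIOS), 445 (SMB).
SMB_PORTS = {135, 137, 138, 139, 445}

# Sample input: eight lines copied from the thread, plus one CONSTRUCTED line
# (172.26.200.9 -> tcp/139) to show what a 445-only check would miss.
SAMPLE_LINES = [
    "Jan 19 21:15:46 centrifuge kernel: [32571413.289157] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=15689 DF PROTO=TCP SPT=57358 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:46 centrifuge kernel: [32571413.675666] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x00 PREC=0x20 TTL=53 ID=33069 DF PROTO=TCP SPT=46866 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:46 centrifuge kernel: [32571413.720733] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=61840 DF PROTO=TCP SPT=53436 DPT=1720 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:46 centrifuge kernel: [32571413.742284] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=13638 DF PROTO=TCP SPT=38724 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:15:47 centrifuge kernel: [32571414.940294] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=3976 DF PROTO=TCP SPT=33516 DPT=995 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:16:07 centrifuge kernel: [32571435.131925] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=30294 DF PROTO=TCP SPT=51140 DPT=135 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 19 21:16:15 centrifuge kernel: [32571442.870485] [UFW BLOCK SMB] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.18.114.26 DST=172.18.1.11 LEN=60 TOS=0x08 PREC=0x00 TTL=53 ID=65035 DF PROTO=TCP SPT=48510 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 21 19:10:01 centrifuge kernel: [32736588.470391] [UFW BLOCK SMB] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.26.151.213 DST=172.18.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=14585 DF PROTO=TCP SPT=49621 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0",
    # CONSTRUCTED for this example: a NetBIOS-only probe that never touches 445.
    "Jan 21 19:12:03 centrifuge kernel: [32736710.000000] [UFW BLOCK] IN=services OUT= MAC=52:2a:2d:58:eb:ff:ca:5f:8c:34:80:79:08:00 SRC=172.26.200.9 DST=172.18.1.11 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=1 DF PROTO=TCP SPT=50001 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
]


def parse_ufw_line(line):
    """Extract label, SRC, DST, PROTO and DPT from one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "label": m.group("label"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def summarise(lines):
    """Group blocked TCP SYNs by source: src -> set of (dst, dpt) pairs."""
    per_src = defaultdict(set)
    for line in lines:
        rec = parse_ufw_line(line)
        if rec and rec["proto"] == "TCP":
            per_src[rec["src"]].add((rec["dst"], rec["dpt"]))
    return per_src


def classify(per_src, scan_threshold=5):
    """Per source: 'portscan' if it hit >= scan_threshold distinct ports,
    'smb-probe' if every port it hit is in SMB_PORTS, otherwise 'other'.
    The threshold of five is an assumption for this example."""
    verdicts = {}
    for src, hits in per_src.items():
        ports = {dpt for _, dpt in hits}
        if len(ports) >= scan_threshold:
            verdicts[src] = "portscan"
        elif ports <= SMB_PORTS:
            verdicts[src] = "smb-probe"
        else:
            verdicts[src] = "other"
    return verdicts


def automated_rule(per_src, watched_dst="172.18.1.11"):
    """The narrow check described in the thread: tcp/445 to one specific IP.
    Returns the set of sources that check would flag."""
    return {src for src, hits in per_src.items() if (watched_dst, 445) in hits}


if __name__ == "__main__":
    hits = summarise(SAMPLE_LINES)
    for src, verdict in sorted(classify(hits).items()):
        print(f"{src:16} {verdict}")
    print("flagged by tcp/445-only check:", sorted(automated_rule(hits)))
```

Run as a script it prints one verdict per source. 172.18.114.26 comes out as a port scan (seven distinct ports), 172.26.151.213 as an SMB probe, and the constructed 172.26.200.9 also as an SMB probe, yet only the first two appear in the tcp/445-only set, which is the gap the thread is discussing when it asks whether 135-139 should be watched as well.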

I'm going to redo the PC tonight, don't understand why Defender doesn't want to work properly on that PC

lol disable that rubbish, put on an antivirus that also includes internet security, problem solved


Yes and no on that one, depends on the antivirus package you use:

More detail: Real-World Protection Test July-November 2018 - AV-Comparatives

Now Stu, for my antivirus