2025-04-06 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
In May 2017 the WannaCry ransomware broke out, spreading mainly through a vulnerability in Windows hosts.
This post records the process, at the time, of using firewall log software to search for vulnerable hosts and suspected infections.
The public network addresses mentioned have since been retired.
Business system vulnerability analysis report for a unit
Zhongqing Online, May 13 (China Youth Daily / Zhongqing Online reporter Pan Yuan): in response to the global outbreak of the WannaCry ("Eternal Blue") ransomware worm that began on May 12, the National Network and Information Security Information Communication Center issued an emergency notification today. "Some users of the Windows operating system in China have been infected. The virus is mainly spread through the SMB file sharing protocol," the report said.
Over the weekend the "Eternal Blue" virus swept the world. To avoid any impact on radio and television operations, our company's maintenance personnel in Wuhan urgently analyzed the vulnerabilities of a unit's system on Saturday, May 13. The results are as follows:
1. The firewall policy is normal and the port is protected.
2. Because the intranet has a large number of servers belonging to various maintenance units, we could only check at the network level. One server was found to be suspected of infection; the personnel responsible for that server were informed of the test results and prevention methods in time.
To prevent further incidents, the company's maintenance personnel went to the site for support as early as May 15 so that the virus would not affect the business. At the same time, it is recommended that the unit ask all maintenance units and individuals to install the patch promptly and pay attention to the security of their equipment.
The following describes the prevention method for this virus and the process our company used to analyze the system vulnerabilities, and finally gives suggestions for dealing with the suspected infected server.
1. Prevention method
1.1. Update patch
Download and install the patch update from https://technet.microsoft.com/zh-cn/library/security/MS17-010.aspx.
1.2. Use the firewall
Use a firewall to block ports 445, 135, 137, 138 and 139 (including on virtual machines).
1.3. Turn off the computer server service
In Computer Management, open Services and stop or disable the "Server" service.
1.4. Update antivirus software
Update the antivirus software's virus database and run a scan.
2. Vulnerability analysis
2.1. Analyze the public network mapping ports
Use port scanning software to check whether high-risk ports such as 445, 135, 137, 138 and 139 appear in the public network port mappings.
Xiangyang Unicom 58.19.180.80/30, port scan results as follows:
(figure: Xiangyang Unicom port scan results)
It can be seen that there are no vulnerable ports among the externally mapped ports of the Xiangyang Unicom public network.
The scan results for the Shanghai Fuya public network block 1.82.184.76/30 are as follows:
(photo: scanning results of Shanghai Fuya Public Network Port)
It can be seen that there are no vulnerable ports among the externally mapped ports of the Shanghai Fuya public network.
2.2. Destination traffic analysis
Query the private network traffic of the last 3 days (May 11 to May 13) to see whether there is any traffic with suspicious source or destination addresses.
Check the ranking of destination traffic for public network access within these three days to see whether there is any abnormal traffic using ports tcp 445, 136, 137, 138 or 139.
(figure: destination address traffic view 1)
(figure: destination address traffic view 2)
According to the analysis, no traffic using high-risk ports was found in the last three days.
2.3. Source traffic analysis
Query the private network traffic of the last 3 days (May 11 to May 13) to see whether there is any traffic with suspicious source or destination addresses.
(figure: source traffic analysis 1)
It can be seen that there is no abnormal source address traffic.
2.4. Application analysis
Query the applications used on the intranet in the last 3 days (May 11 to May 13).
(figure: application View 1)
View the applications used on ports tcp 445, 136, 137, 138 and 139:
(figure: view the application of high-risk ports)
It can be seen that no application is using ports tcp 445, 136, 137, 138 or 139.
2.5. View policy traffic for SMB services
Query intranet use of the SMB protocol in the last 3 days (May 11 to May 13).
(figure: SMB protocol usage)
(figure: 172.31.215.4 using SMB protocol)
It can be seen that the host with IP 172.31.215.4 has SMB enabled and is using port 445, and that the target addresses are scattered abroad: the United States, Japan, the United Kingdom and so on. It is basically judged that 172.31.215.4 shows suspected signs of infection within the intranet.
(figure: 172.31.215.4 login interface)
Although the host sends traffic over the SMB service, that traffic is blocked and restricted by the firewall policy, so it does not affect the security of the intranet.
(figure: 172.31.215.4 Host MAC address is 00-ff-0b-80-b9-89)
(figure: mac address query information)
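One way to automate the check performed in sections 2.2 to 2.5, as an added example that is not part of the original report: it scans firewall log lines and flags intranet hosts whose traffic on the high-risk ports fans out to many distinct external destinations, the pattern that singled out 172.31.215.4. The log format, the 172.31.0.0/16 intranet range and the sample lines are constructed assumptions, not the unit's real logs.

```python
# Added example, not from the original report: flag intranet hosts whose
# traffic on the high-risk SMB/NetBIOS ports fans out to many external hosts.
# Assumed log format: date time src sport dst dport proto action.
from collections import defaultdict
from ipaddress import ip_address, ip_network

HIGH_RISK_PORTS = {445, 135, 137, 138, 139}
INTRANET = ip_network("172.31.0.0/16")  # assumed intranet range

# Constructed sample lines; the "deny" entries mirror the report's finding
# that the firewall policy blocked the outbound SMB traffic.
SAMPLE_LOG = """\
2017-05-12 09:01:02 172.31.215.4 49152 203.0.113.10 445 tcp deny
2017-05-12 09:01:03 172.31.215.4 49153 198.51.100.7 445 tcp deny
2017-05-12 09:01:04 172.31.215.4 49154 192.0.2.99 445 tcp deny
2017-05-12 09:01:05 172.31.215.4 49155 203.0.113.25 445 tcp deny
2017-05-12 09:02:00 172.31.10.8 51000 172.31.10.20 445 tcp allow
2017-05-12 09:03:00 172.31.10.9 51001 203.0.113.50 443 tcp allow
2017-05-12 09:03:10 172.31.10.9 51002 203.0.113.50 139 tcp deny
"""

def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    f = line.split()
    if len(f) != 8 or not f[5].isdigit():
        return None
    return {"src": f[2], "dst": f[4], "dport": int(f[5]),
            "proto": f[6], "action": f[7]}

def suspicious_smb_sources(log_text, min_external_dsts=3):
    """Return {src_ip: sorted external dst IPs} for intranet sources that hit
    a high-risk port on at least min_external_dsts distinct external hosts.
    Denied connections count too: the scanning host itself is the signal,
    whether or not the firewall let the packets through."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in HIGH_RISK_PORTS:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        # SMB between intranet hosts (file servers, domain traffic) is normal;
        # only intranet-to-external fan-out is flagged.
        if src in INTRANET and dst not in INTRANET:
            fanout[rec["src"]].add(rec["dst"])
    return {s: sorted(d) for s, d in fanout.items() if len(d) >= min_external_dsts}
```

Lowering `min_external_dsts` to 1 also surfaces single denied probes such as the 172.31.10.9 line, which is useful for triage but noisier on a large network.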
3. Conclusion
1) 172.31.215.4 shows suspected signs of infection, sending SMB traffic outward at a very high rate.
2) No other signs of vulnerability were found in the private network.
3) The firewall policy prevented the virus from having an impact.
4) The MAC address of host 172.31.215.4 is 00-ff-0b-80-b9-89.
5) It can be judged that the host has been in use for a long time.
4. Suggested solution
172.31.215.4 is not a virtual machine but a physical server; its user is the network information department, and it is presumed to be the network management server for the transmission equipment.
The state of the server is unknown: it is not registered in our maintenance list, and we do not know its account password.
Log in to the server, scan it for viruses and install the patches.