Reply to post: Re: It appears the source IP address is...

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

bombastic bob Silver badge
Boffin

Re: It appears the source IP address is...

scanning port 445, which SHOULD be blocked at the firewall. but apparently is NOT.

According to THIS web site, the worm in question scans for vulnerabilities on port 445. This is an old problem which most net-savvy people BLOCK for incoming packets of any type. Yes, you do NOT want "teh intarwebs" accessing your SMB ports. EVAR.

So it looks like blocking those SMB ports (445, 139) from "teh intarwebs", and (potentially) blocking SMBv1 access on your network PERIOD, are 2 ways of mitigating this problem.

some technical info here:

https://www.hackbusters.com/news/stories/1532486-player-3-has-entered-the-game-say-hello-to-wannacry

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019