That’s pretty amazing.  They should be blocked inbound and outbound.

Blaster worm was like 13 years ago?  At that time, if you connected a brand new 
Windows computer to a non-firewalled Internet connection, it would be infected 
within seconds, before you could run Windows Update.

I also remember people would get these little system notification windows 
popping up on their screen.

I think we used to block port 1434 due to the MS SQL Slammer worm, I forget how 
long ago we stopped that.


From: Zach Underwood 
Sent: Monday, September 19, 2016 11:50 AM
To: af@afmug.com 
Subject: Re: [AFMUG] everyone should be blocking SMB ports

My work has its own IP address and gets upstream from AT&T and Charter. The SMB 
ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com



On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com> wrote:

  Cable/Telco probably. 

  WISP?  I dunno...


  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373

  On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:

    I think everyone has been blocking those ports since 1998-ish (or at least 
you should be) 

    -sean


    On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com> 
wrote:

      This was written from the viewpoint of a Windows AD setup, but it can affect home 
users too, since MS makes people use MS Live accounts to log in to Windows.


      Problem: 
      Outside servers can get username/domain/password hash. Once a remote 
server has the login info, they could connect to VPN, Office365 or another 
service that uses AD domain user info.
      See attachment for example. I got the example from a VM with a test 
account on it.

      Details:
      Microsoft-based browsers like IE and Edge can be induced to make an 
outbound SMB connection to a remote server. In this connection Microsoft will 
send over username, domain, and password hash. The remote server can then 
attempt decryption of the password hash using brute force, password dictionaries 
and rainbow tables.  

      Fix:
      The fastest way to stop this is to block all of the SMB network ports on 
the edge firewall for incoming and outgoing. The ports are 137-138/udp, 
137/tcp, 139/tcp, 445/tcp.

      Sources:
      
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

      Testing site:
      https://msleak.perfect-privacy.com/

      -- 

      Zach Underwood (RHCE,RHCSA,RHCT,UACA) 
      My website

      advance-networking.com
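The thread's fix is a firewall rule set that drops the SMB/NetBIOS ports (137-138/udp, 137/tcp, 139/tcp, 445/tcp) in both directions at the edge. The example below is added here and is not code from anyone in the thread: it builds an nftables ruleset that logs and drops those ports inbound and outbound, and then parses kernel log lines produced by such rules to count blocked attempts and list internal hosts that tried to reach SMB ports outside (the hosts most likely to be leaking credentials the way the zdnet article describes). The WAN interface name, the log prefixes and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# The port set named in the thread (SMB over NetBIOS and direct SMB).
SMB_PORTS = {"udp": (137, 138), "tcp": (137, 139, 445)}


def nft_ruleset(wan_if="eth0"):
    """Return an nftables ruleset (as text) that logs and drops SMB/NetBIOS
    traffic coming in from or going out toward the WAN interface.
    The interface name is an assumption; adjust it for the real edge box."""
    def rules(direction, match):
        out = []
        for proto, ports in SMB_PORTS.items():
            ports_txt = ", ".join(str(p) for p in ports)
            out.append(f'    {match} {proto} dport {{ {ports_txt} }} '
                       f'log prefix "SMB-{direction} " drop')
        return out

    lines = ["table inet smbblock {"]
    # Traffic addressed to the firewall itself, arriving from the WAN.
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy accept;"]
    lines += rules("IN", f'iifname "{wan_if}"')
    lines += ["  }"]
    # Traffic routed through the firewall, in both directions.
    lines += ["  chain forward {",
              "    type filter hook forward priority 0; policy accept;"]
    lines += rules("IN", f'iifname "{wan_if}"')
    lines += rules("OUT", f'oifname "{wan_if}"')
    lines += ["  }"]
    # Traffic originated by the firewall itself toward the WAN.
    lines += ["  chain output {",
              "    type filter hook output priority 0; policy accept;"]
    lines += rules("OUT", f'oifname "{wan_if}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Kernel log lines written by the "log prefix" statements above follow the
# usual netfilter format (SRC=, DST=, PROTO=, SPT=, DPT=).
LOG_RE = re.compile(
    r'SMB-(?P<dir>IN|OUT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) '
    r'.*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)')


def summarize(log_text):
    """Count blocked SMB attempts per (direction, proto, port) and collect the
    internal hosts that tried to reach SMB ports outside, with the targets."""
    per_dir_port = Counter()
    outbound_hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        proto = m["proto"].lower()
        dpt = int(m["dpt"])
        if dpt not in SMB_PORTS.get(proto, ()):
            continue  # prefix reused for something else; not an SMB port
        per_dir_port[(m["dir"], proto, dpt)] += 1
        if m["dir"] == "OUT":
            outbound_hosts[m["src"]].add(m["dst"])
    return per_dir_port, {h: sorted(d) for h, d in outbound_hosts.items()}


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Sep 19 12:47:01 edge kernel: SMB-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=49832 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 19 12:47:02 edge kernel: SMB-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=49833 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 19 12:47:05 edge kernel: SMB-IN IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=TCP SPT=52111 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 19 12:47:09 edge kernel: SMB-IN IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 19 12:47:11 edge kernel: OTHER IN=br0 OUT=eth0 SRC=192.168.1.21 DST=203.0.113.9 PROTO=TCP SPT=50000 DPT=80
"""

if __name__ == "__main__":
    print(nft_ruleset())
    counts, hosts = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("internal hosts attempting outbound SMB:", hosts)
```

The outbound-host list is the part worth watching after the block is in place: a workstation that keeps hitting 445/tcp or 139/tcp on Internet addresses is exactly the machine that would have handed over its domain credentials had the rule not been there, so it deserves a look for whatever induced the connection.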

