Yo, patch that because scum still wanna exploit WannaCrypt-linked vuln

Vulnerable Windows Server Message Block (SMB) shares central to last week's WannaCrypt outbreak are still widely deployed and frequently hunted, security researchers warn. Rapid7 found over a million internet-connected devices that expose SMB on port 445. Of those, more than 800,000 run Windows, and – given that these are …

  1. Ken Hagan Gold badge

    It's worth following the link in the article

    Rapid7 have some nice graphs showing what and where. It seems that Server 2008 R2 (with only service pack 1) accounts for about half of all directly connected Windows boxes.

    That perhaps isn't surprising, until you realise that these are the subset of Windows boxes that have a completely clueless owner port 445 open.

    1. bombastic bob Silver badge
      Unhappy

      Re: It's worth following the link in the article

      "clueless owner" might be dial-up connections. people still use them occasionally. OK it's impossible to use anything "the cloud" over dial-up, but you can still get e-mail and browse SOME web sites that way.

      /me had to do the 'dialup' thing last year when my connection was down, bad copper, phone company finally replaced it, took several outages before they just ran me a new line from end to end. Web mail is IMPOSSIBLE to read due to excessive CDNs and scripting [thanks Micro-shaft, for screwing up hotmail], so you basically can't do it without a POP mail client. But the 90's called and it still "works".

      1. Loyal Commenter Silver badge

        Re: It's worth following the link in the article

        Even if you're using dial-up, why would you have port 445 open as an incoming port, to the entire internet? Unless you're serving material to the internet, why do you have any incoming ports open?

    2. Roland6 Silver badge

      Re: It's worth following the link in the article

      >It seems that Server 2008 R2 (with only service pack 1) accounts for about half of all directly connected Windows boxes.

      Shame no further information, I suspect the majority of these are Windows SBS 2008. Which would explain why they are more likely to be visible to the Internet and have SMB services enabled...

      Not got a WinSBS2008 CD, but I wonder if a default install automatically opens a web facing SMB port...

      Good thing WS2008 is still in support, now whether all those machines have auto-update enabled...

      1. Paul Crawford Silver badge

        Re: It's worth following the link in the article

        I was more surprised to see 1k machines with W2K on them exposed to t'Internet for all and sundry to have a go. Wonder how many will still be working by next week?

      2. Adam JC

        Re: It's worth following the link in the article

        I've been doing this job for 10 years and I've never, EVER opened port 445/SMB for a client. 80, 443 (RWW on SBS/OWA on 443) and 25 for mail, *perhaps* 993/995 for secure IMAP/POP with the odd CCTV system here/there but absolutely certainly no SMB! I can't fathom ever opening this port externally for any possible reason!

    3. Wensleydale Cheese
      Unhappy

      Is Windows Home Server 2011 one of the culprits?

      "Rapid7 have some nice graphs showing what and where. It seems that Server 2008 R2 (with only service pack 1) accounts for about half of all directly connected Windows boxes."

      The setup of Windows Home Server 2011, (a hobbled version of Server 2008 R2) recommended opening up UPnP on your router.

  2. adam payne

    "Vulnerable Windows Server Message Block (SMB) shares central to last week's WannaCrypt outbreak are still widely deployed and frequently hunted, security researchers warn."

    I would have thought that would be obvious.

    Every scum bag with a computer is going to be out in force with this one.

    1. Anonymous Coward
      Big Brother

      Re: Every scum bag...

      Unlike the scumbags who were hoarding these vulnerabilities in the first place...

  3. Doctor_Wibble
    Trollface

    Phew that was close

    Lucky they notified everybody before publishing that list then, eh.

  4. Alister

    I fail to understand not just why, but how, there are so many windows machines with SMB open to the internet.

    If some home user puts a server on their broadband, then that doesn't automatically open that port, you would have to consciously add port-forwarding rules for it.

    Conversely, I find it difficult to believe that any business would attach a server to the internet without some form of firewall controlling access, and again there must have been a conscious decision to allow SMB out of the network.

    This is not something that happens by mistake, nor is it default behaviour, so what the hell are people thinking who configure stuff like this?

    1. Baldrickk

      Re: Why but how?

      I would guess that these are either mostly businesses, probably small ones, and this was an easy way to make files accessible from home/client sites etc, or something going on with UPnP which could open the ports if requested.

      I haven't looked into whether Windows smb can open ports via UPnP though. As a general rule, disabling it is one of the first steps to securing your LAN - you want to know what ports you are exposing to the world, and it's easier to track when they are not being opened automatically on request from whatever applications are being run.

    2. bombastic bob Silver badge
      Boffin

      "I fail to understand not just why, but how, there are so many windows machines with SMB open to the internet."

      a) dialup

      b) clueless user with old-style "everybody gets a static IP" setup [there may still be a few out there]

      c) cable or DSL modems that aren't NAT routers

      d) someone set up IPv6 on a windows box, thinking "new, shiny", and it now acts like an un-firewalled connection because it's NOT behind a NAT barrier

      And, FYI, it does NOT have to be 'a server'. All windows workstations (since '95 ?) would open up port 445, particularly XP, and it's basically "windows file sharing".

      I wonder how many of those open 445 ports were on IPv6 addresses but firewalled on IPv4?

      1. Anonymous Coward
        Anonymous Coward

        >"I fail to understand not just why, but how, there are so many windows machines with SMB open to the internet."

        Not internet facing, but went through this kind of exercise 18 months ago for a large client. Turns out we couldn't turn off SSLv2 (or v3) or SMB not because of the Windows estate but because of all the legacy non-Windows applications still using them. We submitted a change, disabled what we wanted to and caused a *lot* of critical incidents due to poorly written applications. They were also using one Windows Domain Controller (out of ~20) for authentication as a single point of failure too.

        Nothing we did or said would convince the management to make any changes to those legacy systems so we could never really secure the Windows servers as we wanted to.

    3. cyberdemon Silver badge
      Devil

      UPnP maybe?

      The same thought struck me, too. Nobody would knowingly expose SMB to the internet, surely.

      I don't know, but maybe there are software nasties out there which are mapping SMB ports via UPnP? Apparently it can be done from javascript, so maybe some web browsers will allow a web page to create port mappings without your knowledge?

      On my BT router, UPnP is enabled by default and allows applications to map any port they like through the firewall. I can disable UPnP, but there is no way that I know of to list the services that are being forwarded.

      There ought to be a WPS-style button press or web confirmation needed to allow programs to map ports with UPnP.

    4. John Brown (no body) Silver badge

      "I fail to understand not just why, but how, there are so many windows machines with SMB open to the internet."

      I wonder how many are groups of kids where the one who is the "computer expert" discovered a how-to on the web to "secretly and privately" share files with their friends.

  5. slimshady76

    Metasploit isn't a pen-testing software

    ...it's an exploit framework. It's like calling those DoS-for-hire scumbags "network stressers".

    1. Tabor

      Re: Metasploit isn't a pen-testing software

      Po-tay-to, po-tah-to. I have used Metasploit for pentesting, and have used DOS-tools for performance testing. IMHO any sysadmin worth the name should have these in their toolkit.

    2. thegroucho
      Trollface

      Re: Metasploit isn't a pen-testing software

      I can use a hammer to drive a nail into a plank.

      Said hammer can be used to smash my thumb while driving the nail into the plank.

      Or vandalise a windscreen.

      Possibilities are endless.

      1. My Alter Ego

        Re: Metasploit isn't a pen-testing software

        I find that using a hammer to drive in self tapping screws is a very effective workout...

  6. J.G.Harston Silver badge

    I have all my ports blocked and manually enable them when an application I recognise and trust tries to use a port. I haven't noticed any odd port requests, but then I haven't run any email executables either.

  7. thegroucho
    Big Brother

    Overkill

    Some days I think it is overkill to use various zones on my HOME firewall, other days I think my network is not protected well enough.

    Makes me wonder if some people understand the meaning of the word/expression ANY in relation to firewalls.

    (Stateful inspection, ergo the 'Big Brother is watching you' icon.)

    1. My Alter Ego

      Re: Overkill

      At a DefCon conference Jason E Street had a really good talk on the biggest mistakes he made because he felt that every DefCon talk is about "how great I am". At the end he asked people to say what the biggest mistakes they made were.

      One guy said "I left off the 3 in 32 when typing a firewall rule", to massive applause and laughter. Jason's response was along the lines of "I think we'll leave it there, I don't think that can be beaten".

      For those that are unfamiliar with him, "Steal Everything, Kill Everyone, Cause Total Financial Ruin!" is a fantastic introduction.

      https://m.youtube.com/watch?v=8esU0G5zlRU

      1. Daniel Garcia 2

        Re: Overkill

        32 or 23 ?

        Because if it is 23 then I get what was funny.

        1. Rich 11

          Re: Overkill

          32 or 23 ?

          32, if it's a netmask.
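The two slips discussed in this sub-thread, a source of ANY on a port that should never face the internet and a /32 host rule typed as /2, are both things a rule audit can catch before the rule goes live. The following is an added example, not code from the article or from any commenter; the rule format, the sample rules and the port and prefix thresholds are constructed for illustration.

```python
import ipaddress

# Constructed sample rules in a made-up "action proto dport source" format.
# The second and third lines are the two mistakes the thread talks about:
# SMB open to ANY, and a host rule where "/32" was typed as "/2".
SAMPLE_RULES = """
allow tcp 443 any
allow tcp 445 any
allow tcp 445 203.0.113.7/2
allow tcp 445 203.0.113.7/32
allow tcp 25 198.51.100.0/24
deny any any any
""".strip().splitlines()

# Ports that, per the admins in the thread, should never be reachable from the internet.
RISKY_PORTS = {445, 139, 135}
# An IPv4 source wider than this is treated as "ANY in disguise" (assumed threshold).
MIN_PREFIXLEN = 24


def parse_rule(line):
    """Split one rule line into its fields; 'any' becomes None."""
    action, proto, dport, source = line.split()
    port = None if dport == "any" else int(dport)
    # strict=False so a mistyped host/prefix like 203.0.113.7/2 still parses;
    # the prefix is then widened to its network (192.0.0.0/2).
    net = None if source == "any" else ipaddress.ip_network(source, strict=False)
    return {"action": action, "proto": proto, "dport": port, "source": net}


def source_size(net):
    """How many IPv4 addresses a source field matches (None means every address)."""
    return 2 ** 32 if net is None else net.num_addresses


def audit(lines):
    """Return (rule, reason) pairs for allow rules that expose a risky port too widely."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule["action"] != "allow" or rule["dport"] not in RISKY_PORTS:
            continue
        net = rule["source"]
        if net is None:
            findings.append((line, "source ANY"))
        elif net.prefixlen < MIN_PREFIXLEN:
            reason = f"/{net.prefixlen} matches {source_size(net)} addresses"
            findings.append((line, reason))
    return findings
```

Run against the constructed rules it flags the ANY rule and the /2 typo (which covers a quarter of the IPv4 space) while leaving the /32 host rule alone.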

  8. SarkyGit

    Is this not an internal issue?

    Is it not the case..

    User clicks something they shouldn't, this kicks it all off internally.

    I once worked for a large company and you could physically see the thing spread from one side of the building to the other as heads popped up from partitions. That was back in about 2005 and I'm pretty sure it was Windows SMB that was used to spread that too.

    So internally the NHS may well have everything opened between sites, hence they were worst hit.
