Dear user,

A batch of NSA Windows exploitation tools has been leaked. Multiple Windows versions are affected and the risk is severe. Please install the patches promptly and apply the defensive measures below.

Affected versions

Windows 2012

Windows 2008

Windows 2008 R2

Windows 2003 (domain environment)

Windows 2003 R2 (domain environment)

Windows 7

Windows XP

Windows NT

Windows Vista

Windows 2000

...


Remediation

1. Microsoft has already released patches for some of the vulnerabilities; please apply them promptly. The relevant patches include:

MS17-010, MS10-061, MS14-068, MS09-050, MS08-067, CVE-2017-0146, CVE-2017-0147;

2. Use a firewall to temporarily close or filter ports 135, 137, 139, 445 and 3389 (Remote Desktop);

Save the following as a .bat file and run it with administrator privileges:

@echo off
rem Save this file in ANSI (GBK) encoding, not UTF-8 with BOM; otherwise cmd.exe will
rem mis-parse the first line and garble the Chinese text.
mode con: cols=85 lines=30
:NSFOCUSXA
title  WannaCry勒索病毒安全加固工具
color 0A
cls
echo.
echo.
echo -----------------------  WannaCry勒索病毒安全加固工具  --------------------------
echo.
echo.
echo    * WannaCry勒索软件可加密硬盘文件,受害者必须支付高额赎金才有可能解密恢复,安
echo      全风险高,影响范围广!
echo.
echo    * 网络层面:建议边界防火墙阻断445端口的访问,可通过IPS、防火墙相关安全设备配
echo      置相关阻断策略。
echo.
echo    * 终端层面:暂时关闭Server服务,使用命令"netstat -ano | findstr ":445"",确保
echo      关闭445端口,建议在微软官网下载MS17-010补丁,选择对应的版本进行补丁安装,补
echo      丁下载地址:http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598。
echo.
echo    * 必须以系统管理员身份运行,以下提供此工具所做的操作的介绍:
echo.
echo       1:WIN7加固 2:WIN10加固 3:WIN2003加固 4:WIN2008加固 5:WIN2012加固
echo       6.WIN2016加固
echo.
echo       7: 退出
echo.
echo.
echo.
echo ---------------------------------------------------------------------------------
echo.
set start=
set /p start=    输入(1 2 3 4 5 6 7)后按回车键:
if "%start%"=="1" goto WIN7
if "%start%"=="2" goto WIN10
if "%start%"=="3" goto WIN2003
if "%start%"=="4" goto WIN2008
if "%start%"=="5" goto WIN2012
if "%start%"=="6" goto WIN2016
if "%start%"=="7" goto quit
goto NSFOCUSXA

rem Every section does the same four things: stop the Server (SMB) service, keep it from
rem starting at boot, make sure the host firewall is on, and block inbound 445/TCP and
rem 445/UDP. "net stop server /y" also stops dependent services (e.g. Computer Browser)
rem without waiting for a confirmation prompt, which would otherwise hang behind "> nul".

:WIN7
net stop server /y > nul
sc config lanmanserver start= disabled > nul
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows 7系统加固命令执行完毕!
echo.
pause
goto NSFOCUSXA

:WIN10
net stop server /y > nul
sc config lanmanserver start= disabled > nul
rem The legacy "netsh firewall" context is deprecated on Windows 10; use advfirewall as elsewhere.
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows 10系统加固命令执行完毕!
echo.
pause
goto NSFOCUSXA

:WIN2003
net stop server /y > nul
rem On Server 2003 the host firewall is the SharedAccess service driven by the legacy
rem "netsh firewall" context. Turn it on, close the built-in File and Printer Sharing
rem exception (which opens 445), and make sure no separate 445 opening is enabled.
net start sharedaccess > nul
sc config lanmanserver start= disabled > nul
netsh firewall set opmode mode = ENABLE > nul
netsh firewall set service type = FILEANDPRINT mode = DISABLE profile = ALL > nul
netsh firewall add portopening protocol = ALL port = 445 name = DenyEquationTCP mode = DISABLE scope = ALL profile = ALL > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2003系统加固命令执行完毕!
echo.
pause
goto NSFOCUSXA

:WIN2008
net stop server /y > nul
sc config lanmanserver start= disabled > nul
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2008系统加固命令执行完毕!
echo.
pause
goto NSFOCUSXA

:WIN2012
net stop server /y > nul
rem MpsSvc is the Windows Firewall service; start it before adding rules.
net start MpsSvc > nul
sc config lanmanserver start= disabled > nul
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2012系统加固命令执行完毕!
echo.
pause
goto NSFOCUSXA

:WIN2016
net stop server /y > nul
sc config lanmanserver start= disabled > nul
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2016系统加固命令执行完毕!
echo.
pause
goto NSFOCUSXA

rem Menu option 7 jumped here; the original script had no such label and cmd.exe
rem would abort with "cannot find the batch label specified".
:quit
exit /b 0

The script above contains no step for port 3389, because blocking it would drop the RDP session. Use this tool to change the 3389 port instead: http://down.80host.com/3389.exe

3. Use a two-step verification program, for example www.duo.com.
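The following check verifies, on one host, whether the steps above actually took effect: the patch is present, the Server service is stopped and disabled, nothing listens on TCP 445, the DenyEquationTCP/UDP rules exist, and the firewall is on. It is an added example, not the advisory's own script; it assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later (where "netsh advfirewall" exists), and the default KB list contains only KB4012598, the catalog entry the advisory links, so pass the MS17-010 KB number that applies to the host being checked.

```powershell
# Post-hardening check for the advisory's steps (added example, not the original script).
# Assumed: elevated PowerShell, Windows 7 / Server 2008 R2 or later.
param(
    # KB4012598 is the entry the advisory links; the MS17-010 KB differs per OS build,
    # so pass the KB(s) that apply to this host.
    [string[]]$KbIds = @('KB4012598')
)

function Test-Ms17010Hardening {
    param([string[]]$KbIds)
    $r = [ordered]@{}

    # 1. Patch: is any of the listed KBs installed?
    $r['PatchInstalled'] = [bool](Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID })

    # 2. Server service (LanmanServer) should be stopped and set to Disabled.
    $svc  = Get-Service -Name LanmanServer
    $mode = (Get-WmiObject Win32_Service -Filter "Name='LanmanServer'").StartMode
    $r['ServerStopped']  = ($svc.Status -ne 'Running')
    $r['ServerDisabled'] = ($mode -eq 'Disabled')

    # 3. Nothing should still be listening on TCP 445 (the netstat check from the banner).
    $r['Port445Listening'] = [bool](netstat -ano | Select-String ':445\s+\S+\s+LISTENING')

    # 4. Both block rules the script creates (DenyEquationTCP / DenyEquationUDP) exist.
    $rules = netsh advfirewall firewall show rule name=all | Select-String 'DenyEquation(TCP|UDP)'
    $r['BlockRulesPresent'] = (@($rules).Count -ge 2)

    # 5. Rules only matter if the firewall is on for the active profile.
    $r['FirewallOn'] = [bool](netsh advfirewall show currentprofile state | Select-String '\bON\b')

    # Verdict: either patched, or fully covered by the workaround.
    $r['Mitigated'] = $r['PatchInstalled'] -or
        ($r['ServerStopped'] -and -not $r['Port445Listening'] -and
         $r['BlockRulesPresent'] -and $r['FirewallOn'])
    return [pscustomobject]$r
}

Test-Ms17010Hardening -KbIds $KbIds | Format-List
```

On a Chinese-locale Windows the netsh output is localized, so the 'ON' pattern in step 5 must be adjusted to the localized state string.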

Vulnerability details

The Shadow Brokers leaked several Windows remote exploitation tools. The vulnerabilities they target cover a very large number of Windows servers, and anyone can download the tools and carry out remote attacks directly, so the impact of this incident is enormous.

Reference links

http://thehackernews.com/2017/04/swift-banking-hacking-tool.html

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

https://github.com/misterch0c/shadowbroker/

 

80host
2017-04-28


