Dear user,
The NSA's batch of Windows exploit tools has been leaked. Multiple Windows versions are affected and the impact is severe; please apply the patches promptly and put defensive measures in place.
Affected scope
Windows 2012
Windows 2008
Windows 2008 R2
Windows 2003 (domain environment)
Windows 2003 R2 (domain environment)
Windows 7
Windows XP
Windows NT
Windows Vista
Windows 2000
……
Remediation
1. Microsoft has released patches for some of the vulnerabilities; please apply them promptly. The patches include:
MS17-010, MS10-061, MS14-068, MS09-050, MS08-067, CVE-2017-0146, CVE-2017-0147;
2. Use a firewall to temporarily close or filter ports 135, 137, 139, 445 and 3389 (Remote Desktop);
Save the following as a .bat file and run it with administrator privileges:
@echo off
mode con: cols=85 lines=30
rem Main menu; every hardening branch returns here
:NSFOCUSXA
title WannaCry勒索病毒安全加固工具
color 0A
cls
echo.
echo.
echo ----------------------- WannaCry勒索病毒安全加固工具 --------------------------
echo.
echo.
echo * WannaCry勒索软件可加密硬盘文件,受害者必须支付高额赎金才有可能解密恢复,安
echo 全风险高,影响范围广!
echo.
echo * 网络层面:建议边界防火墙阻断445端口的访问,可通过IPS、防火墙相关安全设备配
echo 置相关阻断策略。
echo.
echo * 终端层面:暂时关闭Server服务,使用命令"netstat -ano | findstr ":445"",确保
echo 关闭445端口,建议在微软官网下载MS17-010补丁,选择对应的版本进行补丁安装,补
echo 丁下载地址:http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598。
echo.
echo * 必须以系统管理员身份运行,以下提供此工具所做的操作的介绍:
echo.
echo 1:WIN7加固 2:WIN10加固 3:WIN2003加固 4:WIN2008加固 5:WIN2012加固
echo 6.WIN2016加固
echo.
echo 7: 退出
echo.
echo.
echo.
echo.
echo ---------------------------------------------------------------------------------
echo.
set start=
set /p start= 输入(1 2 3 4 5 6)后按回车键:
if "%start%"=="1" goto WIN7
if "%start%"=="2" goto WIN10
if "%start%"=="3" goto WIN2003
if "%start%"=="4" goto WIN2008
if "%start%"=="5" goto WIN2012
if "%start%"=="6" goto WIN2016
if "%start%"=="7" goto quit
goto NSFOCUSXA

rem Windows 7: stop and disable the Server (SMB) service, enable the firewall profile,
rem then block inbound TCP/UDP 445 from any source
:WIN7
net stop server /Y > nul
sc config lanmanserver start= disabled
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo * Windows 7系统加固命令执行完毕!
echo .
pause
goto NSFOCUSXA

rem Windows 10: same steps; the legacy "netsh firewall" syntax is used to turn the firewall on
:WIN10
net stop server > nul
sc config lanmanserver start= disabled
netsh firewall set opmode enable > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo * Windows 10系统加固命令执行完毕!
echo .
pause
goto NSFOCUSXA

rem Windows Server 2003: only the legacy firewall (sharedaccess service) is available,
rem so port 445 is closed with "netsh firewall add portopening ... mode = DISABLE"
:WIN2003
net stop server > nul
net start sharedaccess > nul
sc config lanmanserver start= disabled
netsh firewall add portopening protocol = ALL port = 445 name = DenyEquationTCP mode = DISABLE scope = ALL profile = ALL > nul
echo ---------------------------------------------------------------------------------
echo * Windows Server 2003系统加固命令执行完毕!
echo .
pause
goto NSFOCUSXA

rem Windows Server 2008: identical to the Windows 7 branch
:WIN2008
net stop server /Y > nul
sc config lanmanserver start= disabled
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo * Windows Server 2008系统加固命令执行完毕!
echo .
pause
goto NSFOCUSXA

rem Windows Server 2012: make sure the Windows Firewall service (MpsSvc) is running before adding rules
:WIN2012
net stop server > nul
net start MpsSvc > nul
sc config lanmanserver start= disabled
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo * Windows Server 2012系统加固命令执行完毕!
echo .
pause
goto NSFOCUSXA

rem Windows Server 2016
:WIN2016
net stop server > nul
sc config lanmanserver start= disabled
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo * Windows Server 2016系统加固命令执行完毕!
echo .
pause
goto NSFOCUSXA

rem Exit label for menu option 7 (the original text referenced "goto quit" without defining it)
:quit
exit /b 0
The script above does nothing about port 3389, because blocking it would disconnect RDP. To change the 3389 port instead, use this tool: http://down.80host.com/3389.exe
3. Use a two-step verification program, such as www.duo.com.
Vulnerability details
The Shadow Brokers have leaked multiple Windows remote exploit tools. The vulnerabilities they target cover a large number of Windows servers, and anyone can download the tools directly and use them for remote attacks, so the impact of this incident is enormous.
References
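As an added verification example (not part of this notice and not the hardening script above), the following PowerShell script checks whether a host is actually in the state the remediation steps describe: the listed KB installed, the Server service stopped and disabled, TCP 135/139/445 and UDP 137 not listening, the DenyEquationTCP/DenyEquationUDP block rules present and enabled, and which port RDP is currently configured on. It assumes Windows 8 / Server 2012 or later (for the Get-NetTCPConnection, Get-NetUDPEndpoint and Get-NetFirewallRule cmdlets) and PowerShell 5 or later (for the StartType property). The KB list and rule names are parameters: KB4012598 is the update the notice links, but MS17-010 ships under a different KB number on each Windows version, so pass the ones that apply to your platform.

```powershell
# Post-hardening verification script (example; not the notice's own tool).
# Run as Administrator. Exit code 0 = all checks passed, 1 = findings reported.
param(
    # KB4012598 is the update linked in the notice; MS17-010 uses other KB numbers on other versions.
    [string[]]$RequiredKBs   = @('KB4012598'),
    [int[]]$BlockedTcpPorts  = @(135, 139, 445),
    [int[]]$BlockedUdpPorts  = @(137),
    # Rule names created by the hardening script
    [string[]]$ExpectedRules = @('DenyEquationTCP', 'DenyEquationUDP')
)

$findings = @()

# 1. Patch check: compare installed hotfix IDs against the required list
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) { "OK: $kb is installed" }
    else { $findings += "patch $kb is NOT installed" }
}

# 2. Server (SMB) service: the hardening script stops it and sets start=disabled
$svc = Get-Service -Name LanmanServer
"Server service: Status=$($svc.Status) StartType=$($svc.StartType)"
if ($svc.Status -ne 'Stopped')    { $findings += "LanmanServer is still $($svc.Status)" }
if ($svc.StartType -ne 'Disabled') { $findings += "LanmanServer start type is $($svc.StartType), not Disabled" }

# 3. Listening sockets on the ports the notice says to close or filter
foreach ($p in $BlockedTcpPorts) {
    $l = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
    if ($l) { $findings += "TCP $p is listening (PID $(($l | Select-Object -First 1).OwningProcess))" }
    else    { "OK: nothing listening on TCP $p" }
}
foreach ($p in $BlockedUdpPorts) {
    $u = Get-NetUDPEndpoint -LocalPort $p -ErrorAction SilentlyContinue
    if ($u) { $findings += "UDP $p is bound (PID $(($u | Select-Object -First 1).OwningProcess))" }
    else    { "OK: nothing bound on UDP $p" }
}

# 4. Firewall rules: present, enabled, and actually a Block action
foreach ($r in $ExpectedRules) {
    $rule = Get-NetFirewallRule -DisplayName $r -ErrorAction SilentlyContinue
    if (-not $rule) { $findings += "firewall rule '$r' not found" }
    elseif ("$($rule.Enabled)" -ne 'True' -or "$($rule.Action)" -ne 'Block') {
        $findings += "firewall rule '$r' exists but is not an enabled Block rule"
    }
    else { "OK: rule '$r' is enabled and blocking" }
}

# 5. RDP: the notice says not to block 3389 but to move it; report the configured port
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue
if ($rdp) {
    "RDP is configured on TCP $($rdp.PortNumber)"
    if ($rdp.PortNumber -eq 3389) { $findings += "RDP still on default port 3389; restrict source IPs at the firewall or move it" }
}

# Summary
if ($findings.Count -eq 0) { 'All checks passed'; exit 0 }
$findings | ForEach-Object { "FINDING: $_" }
exit 1
```

Run it after the hardening script and after a reboot, since the service start type only takes effect on the next start; on hosts older than Windows 8 / Server 2012, replace the Get-Net* cmdlets with netstat -ano and netsh advfirewall firewall show rule name=DenyEquationTCP.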
http://thehackernews.com/2017/04/swift-banking-hacking-tool.html?utm_source=tuicool&utm_medium=referral
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/?from=timeline&isappinstalled=0
https://github.com/misterch0c/shadowbroker/
80host
2017-04-28