Roman Sokolov, 2017-06-10 17:56:06
Malware

What steps to take when dealing with the consequences of a hack through the EternalBlue exploit?

Good afternoon, community.
Even though the hype around CPU miners and ransomware exploiting vulnerabilities in OSs that users have not updated has died down, I would still like to hear experts' opinions on how to get rid of the consequences of a hack.
The usual sequence now is as follows:
1. Connect to the machine locally and turn off the network.
2. The CPU miner that was loaded watches for Task Manager being opened, so it can be identified with PowerShell. After running Get-Process, look at what is loading the system, then find the corresponding files in the file system and delete them (if it is definitely not a legitimate running process).
3. Check for stray running services, stop them, set them to the "Disabled" state, look in the properties for where they start from, and delete them.
4. Optionally, if the file reappears after deletion and it has not yet been possible to determine what creates it: in the properties of the file or directory, go to the "Security" tab and deny read, write and execute for all users and the system.
5. Windows Firewall: add a rule blocking incoming connections on port 445, and it seems also 135 or 139 (if SMB is required for work, I think this rule can be removed after the updates are installed).
6. Install at least security update MS17-010. It can be downloaded on another computer and installed locally.
7. Scan the system with an antivirus.
8. I also noticed that the Guest account is enabled on all hacked machines, so disable it.
9. Change the passwords of all users and the administrator.
The actual question is: how do you solve this problem? What else can you advise so that, after a hack is detected, the server is not re-infected through this vulnerability or through the backdoors the hacker installed?
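The procedure in the post, as an added PowerShell example that is not part of the original question or of any answer to it. It scripts the triage steps (processes by CPU, auto-start services, the deny ACL, the firewall rule, the MS17-010 check, the Guest account and password change) and adds two checks the post does not list: scheduled tasks and Run keys, which are the usual places for a second persistence mechanism, and the SMBv1 setting, because the EternalBlue exploit targets SMBv1. It assumes Windows 8.1 / Server 2012 R2 or later for the NetSecurity, SmbShare and ScheduledTasks cmdlets, and Windows 10 / Server 2016 or later for Disable-LocalUser and Set-LocalUser (older equivalents are noted in comments). The KB list is a partial list of the March 2017 MS17-010 packages, and the service name and dropper path passed to the remediation functions are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run locally with the network unplugged.

function Test-MicrosoftSigned {
    param([string]$Path)
    # True only if the file exists and carries a valid Microsoft Authenticode signature.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

function Get-ImagePath {
    param([string]$CommandLine)
    # Strip arguments from a service command line: "C:\a b\x.exe" -k foo  or  C:\x.exe -k foo
    if ($CommandLine -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $CommandLine
}

# Step 2: top CPU consumers, flagging images that are not Microsoft-signed (a miner is
# typically an unsigned binary under %TEMP%, %ProgramData% or a user profile).
function Get-SuspiciousProcess {
    Get-Process | Sort-Object CPU -Descending | Select-Object -First 15 | ForEach-Object {
        [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; CPU = [math]::Round($_.CPU, 1)
                           Path = $_.Path; MsSigned = (Test-MicrosoftSigned $_.Path) }
    }
}

# Step 3: auto-start services whose binary is not Microsoft-signed (review the list; third-party
# software is expected here, but a service pointing into a temp directory is not).
function Get-SuspiciousService {
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $exe = Get-ImagePath $_.PathName
        if (-not (Test-MicrosoftSigned $exe)) {
            [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $exe; CommandLine = $_.PathName }
        }
    }
}

function Remove-RogueService {
    param([Parameter(Mandatory)][string]$Name)      # e.g. 'WinUpdSvc' (hypothetical name)
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $Name -StartupType Disabled
    sc.exe delete $Name | Out-Null                 # Remove-Service only exists in PowerShell 6+
}

# Not in the post: other persistence the attacker may have left (scheduled tasks, Run keys).
function Get-SuspiciousAutorun {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) { [pscustomobject]@{ Source = "Task $($_.TaskPath)$($_.TaskName)"
                                                 Command = "$($a.Execute) $($a.Arguments)" } }
        }
    }
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = $p.Value } }
            }
        }
    }
}

# Step 4: deny everything to Everyone (SYSTEM's token carries the Everyone SID too) on a dropper
# file or, better, its directory so the file cannot be re-created. Path is hypothetical.
function Block-Path {
    param([Parameter(Mandatory)][string]$Path)      # e.g. 'C:\ProgramData\miner'
    $acl  = Get-Acl -LiteralPath $Path
    $rule = if (Test-Path -LiteralPath $Path -PathType Container) {
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    } else {
        New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Step 5: block inbound SMB/RPC on every profile.
# Pre-2012: netsh advfirewall firewall add rule name="Block SMB in" dir=in action=block protocol=TCP localport=445
function Block-InboundSmb {
    New-NetFirewallRule -DisplayName 'Triage: block inbound SMB/RPC' -Direction Inbound `
        -Action Block -Protocol TCP -LocalPort 135,139,445 -Profile Any | Out-Null
}

# Step 6: is MS17-010 present, and is SMBv1 (the protocol EternalBlue exploits) still on?
# Partial KB list for March 2017; later cumulative updates supersede these, so on Windows 10
# an empty hotfix result is not proof of exposure. Disabling SMBv1 closes the hole regardless.
function Test-Ms17010 {
    $kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217','KB4012598','KB4013429'
    $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    [pscustomobject]@{ Ms17010Hotfix = ($installed.HotFixID -join ',')
                       Smb1Enabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol }
}
function Disable-Smb1 { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }

# Steps 8 and 9. Pre-Windows 10:  net user Guest /active:no  and  net user Administrator *
function Invoke-AccountLockdown {
    Disable-LocalUser -Name 'Guest'
    Set-LocalUser -Name 'Administrator' -Password (Read-Host -AsSecureString 'New Administrator password')
}

# Usage: report first, then remediate what the report shows.
Get-SuspiciousProcess | Format-Table -AutoSize
Get-SuspiciousService | Format-Table -AutoSize
Get-SuspiciousAutorun | Format-Table -AutoSize
Block-InboundSmb
Test-Ms17010
```

The report functions only read; the remediation functions (Remove-RogueService, Block-Path, Disable-Smb1, Invoke-AccountLockdown) are called by hand against what the report shows, since the right service name and dropper path differ per machine. Once the host is patched, verify from another machine before reconnecting it to the network, for example with nmap's smb-vuln-ms17-010 script, rather than trusting the hotfix list alone.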
