Security Basics mailing list archives
RE: Purging Blaster.worm
From: "Alexander Suhovey" <asuhovey () mtu-net ru>
Date: Sat, 16 Aug 2003 00:49:40 +0400
As for a Windows 2000 domain, you can use a startup script, which executes with local system rights. Btw, hfnetchk is not the only tool that can help. You can check for the existence of a particular file, the date/size/version of files, or for registry paths that should be changed by the worm or the security patch, using OS shell commands or vbs. Or you can use the MS03-026 Scanning Tool as part of the script. Here is the link:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=C8F04C6C-B71B-4992-91F1-AAA785E709DA

Assuming that this script should be run only once on each host, maybe it would be a better idea to make a script that uses administrative shares/remote reg. and run it manually from a support host. At least you will have a centralized report already. Though this will probably not work for already infected and thus unstable systems.

And one last thing: the story does not end when you get rid of Blaster :) So I would suggest you think about some sort of Patch Management System. MS Software Update Services plus MBSA/hfnetchk/"your favorite scanner here" may be an example of an easy (though limited in features) way to manage critical patches. It's free (afaik) and easy to implement and manage.

http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

Al.

-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger () badenit de]
Sent: Friday, August 15, 2003 4:14 PM
To: 'Todd'; security-basics () securityfocus com
Subject: RE: Purging Blaster.worm

Remember that in an NT domain your login script runs with user rights. I don't believe that would be enough to apply a hotfix, but correct me someone.

badenIT GmbH
System Support
Chris Meidinger
Tullastrasse 70
79108 Freiburg

-----Original Message-----
From: Todd [mailto:tod () megachump com]
Sent: Thursday, August 14, 2003 7:49 PM
To: security-basics () securityfocus com
Subject: Re: Purging Blaster.worm

Does anyone have an NT login script they've used to run the update and Symantec worm fix? I've considered putting together something that will first run HfNetChk, IF "* WINDOWS 2000 SP4\nInformation\nAll necessary hotfixes have been applied" does not exist, then run the update and wormfix. Any suggestions?

--
Todd
tod () megachump com
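
The support-host check suggested in the reply above (file presence over administrative shares, collected into one report), sketched as an added example that is not part of the original thread. The file names are hypothetical placeholders because the thread names none, and the `share_for` parameter is an assumed hook so the logic can be pointed at local directories instead of real `ADMIN$` shares.

```python
import csv
import io
import os

# Hypothetical placeholders: the thread names no specific files. Substitute the
# worm's binary and a file or directory the patch is known to leave behind.
WORM_FILE = os.path.join("system32", "WORM_BINARY_PLACEHOLDER.exe")
PATCH_MARKER = "PATCH_MARKER_PLACEHOLDER"


def admin_share(host):
    """UNC path of the host's ADMIN$ share, which maps to its Windows directory."""
    return "\\\\{}\\ADMIN$".format(host)


def check_host(host, share_for=admin_share):
    """Classify one host from file presence on its administrative share."""
    root = share_for(host)
    if not os.path.isdir(root):
        # Off, firewalled, or too unstable to answer: needs a manual visit.
        return {"host": host, "status": "unreachable", "action": "check manually"}
    infected = os.path.exists(os.path.join(root, WORM_FILE))
    patched = os.path.exists(os.path.join(root, PATCH_MARKER))
    if infected:
        action = "clean" if patched else "clean and patch"
        return {"host": host, "status": "infected", "action": action}
    if patched:
        return {"host": host, "status": "patched", "action": "none"}
    return {"host": host, "status": "unpatched", "action": "patch"}


def build_report(hosts, share_for=admin_share):
    """Check every host and return the rows as one CSV document."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["host", "status", "action"],
                            lineterminator="\n")
    writer.writeheader()
    for host in hosts:
        writer.writerow(check_host(host, share_for))
    return out.getvalue()


if __name__ == "__main__":
    # Constructed host names; run from an account with admin rights on the targets.
    print(build_report(["WS001", "WS002"]), end="")
```

Hosts reported as `unreachable` are the ones the reply expects this approach to miss, so they form the list for manual follow-up.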