RE: Purging Blaster.worm
From: Alexander Suhovey (asuhovey_at_mtu-net.ru)
Date: 08/15/03
- Previous message: Dan Duplito: "Re: Personal Firewall Recommendations"
- In reply to: Todd: "Re: Purging Blaster.worm"
- Next in thread: TheFueley: "RE: Purging Blaster.worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Todd'" <tod@megachump.com>, <security-basics@securityfocus.com>
Date: Sat, 16 Aug 2003 00:49:40 +0400
As for a Windows 2000 domain, you can use a startup script, which executes
with local system rights.
Btw, hfnetchk is not the only tool that can help. You can check for the
existence of a particular file, the date/size/version of files, or for registry
paths that should be changed by the worm or the security patch, using OS shell
commands or vbs.
Or you can use the MS03-026 Scanning Tool as part of the script. Here is the
link:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=C8F04C6C-B71B-4992-91F1-AAA785E709DA
Assuming that this script should be run only once on each host, maybe it
will be a better idea to make a script that uses administrative
shares/remote reg. and run it manually from a support host. At least you
will have a centralized report already. Though this will probably not work
for already infected and thus unstable systems.
And one last thing: the story does not end when you get rid of Blaster :) So
I would suggest you think about some sort of Patch Management System. MS
Software Update Services plus MBSA/hfnetchk/"your favorite scanner here"
may be an example of an easy (though limited in features) way to manage
critical patches.
It's free (afaik) and easy to implement and manage.
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
Al.
> -----Original Message-----
> From: Meidinger Chris [mailto:chris.meidinger@badenit.de]
> Sent: Friday, August 15, 2003 4:14 PM
> To: 'Todd'; security-basics@securityfocus.com
> Subject: RE: Purging Blaster.worm
>
> Remember that in an NT domain your login script runs with user rights.
> I don't believe that would be enough to apply a hotfix, but correct me
> someone.
>
> badenIT GmbH
> System Support
>
> Chris Meidinger
> Tullastrasse 70
> 79108 Freiburg
>
>
> -----Original Message-----
> From: Todd [mailto:tod@megachump.com]
> Sent: Thursday, August 14, 2003 7:49 PM
> To: security-basics@securityfocus.com
> Subject: Re: Purging Blaster.worm
>
>
> Does anyone have an NT login script they've used to run the update and
> Symantec worm fix?
>
> I've considered putting together something that will first run
> HfNetChk, IF "* WINDOWS 2000 SP4\nInformation\nAll necessary hotfixes
> have been applied" does not exist, then run the update and wormfix.
>
> Any suggestions?
>
> --
> Todd
> tod@megachump.com
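
The check Todd describes, combined with the centralized report suggested in the reply, as an added example that is not from either poster: it reads saved HfNetChk output per host and only treats a host as patched when the "All necessary hotfixes" line sits inside the Windows section, so a clean result for another product or a failed scan does not hide an unpatched machine. The sample output is constructed around the three lines Todd quotes; host names and function names are hypothetical.

```python
# Added example: classify saved HfNetChk output collected on a support host.
CLEAN = "All necessary hotfixes have been applied"

def classify(output, product="WINDOWS 2000 SP4"):
    """Return 'patched', 'needs-patch' or 'scan-failed' for one host."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    header = "* " + product
    if header not in lines:
        # No section for the OS at all: host unreachable or scan aborted.
        # Treat as unknown, never as patched.
        return "scan-failed"
    section = []
    for ln in lines[lines.index(header) + 1:]:
        if ln.startswith("* "):   # next product section begins
            break
        section.append(ln)
    return "patched" if CLEAN in section else "needs-patch"

def report(results):
    """Map each host to its status, sorted by host name."""
    return {host: classify(out) for host, out in sorted(results.items())}

def needs_attention(statuses):
    """Hosts to patch or to visit by hand."""
    return [h for h, s in statuses.items() if s != "patched"]

# Constructed sample output, modelled on the three lines quoted in the thread.
SAMPLE = {
    "HOST-A": "* WINDOWS 2000 SP4\nInformation\n" + CLEAN + "\n",
    # The clean line appears, but only under a different product.
    "HOST-B": "* WINDOWS 2000 SP4\nPatch NOT Found MS03-026\n"
              "* INTERNET EXPLORER 6 SP1\nInformation\n" + CLEAN + "\n",
    # Infected or unstable host that never answered the scan.
    "HOST-C": "",
}

if __name__ == "__main__":
    statuses = report(SAMPLE)
    for host, status in statuses.items():
        print(f"{host:10} {status}")
    print("follow up:", ", ".join(needs_attention(statuses)))
```
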