
MS03-026 - anyone else expending huge effort to patch?

Old 26 July 2003, 06:01 PM
  #1  
dowser
Scooby Senior
Thread Starter
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

Any other large corporates keen to patch against this one?

Richard
Old 27 July 2003, 11:00 PM
  #2  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

Yep we are. 17000+ machines worldwide, ugh. Not fun.
Old 28 July 2003, 05:22 AM
  #3  
dowser
Scooby Senior
Thread Starter
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

So few
Old 28 July 2003, 09:01 AM
  #4  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

I notice that www.eeye.com have released a free RPC DCOM Vulnerability Scanner....
Old 28 July 2003, 03:46 PM
  #5  
dowser
Scooby Senior
Thread Starter
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

Thanks!
Old 29 July 2003, 09:11 AM
  #6  
JR55
Scooby Regular
 
Join Date: Jul 2003
Posts: 152

Have you guys heard about Patch deployment software?? It will automate your patching, keep a record of what level all your machines are at, check an approved database and only push out patches that have been checked not to cause further conflicts!! It sounds too good to be true but if you drop me a line I will send you out a 15 day demo disk.

www.thewestongroup.co.uk



[Edited by JR55 - 7/29/2003 10:19:29 AM]
Old 31 July 2003, 12:12 PM
  #7  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

At the moment don't bother applying this patch, there is still a vulnerability present even when it is applied, which I've been testing this morning.

Word is an updated patch from MS is on the way.
Old 31 July 2003, 01:02 PM
  #8  
ScoobyJawa
Scooby Regular
 
Join Date: Aug 2001
Location: Hampshire
Posts: 10,954

Miles,

You got any more info on that - we're about to start applying it to our telecomms systems in the test and live environment, but if another is on its way then............

Cheers
Neil
Old 01 August 2003, 12:17 PM
  #9  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

I've been speaking to MS, they are evaluating another RPC vulnerability at the moment. It is recommended that the MS03-026 patch of a couple of weeks ago is applied ASAP.
Old 12 August 2003, 07:56 AM
  #10  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

Definitely now a tangible reason to deploy the patch
Old 12 August 2003, 08:31 AM
  #11  
chiark
Scooby Regular
 
Join Date: Jun 2000
Posts: 13,735

YOU NEED THIS PATCH IN YOUR LIFE!

Our corporation (40,000+ worldwide) is rolling it out as essential, and there's already things exploiting the vulnerability (MSBLAST).

Cheers,
Nick.
Old 12 August 2003, 10:03 AM
  #12  
dowser
Scooby Senior
Thread Starter
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

<smug-mode> "Lol" ...sorry

Deployment is easy, testing isn't!

Be aware that you need to be on W2K SP3/NT4 SP6a for the MS03-026 to work without any impact. W2K SP2 will disable COM+ functionality. If you need this, there's a registry hack which will disable DCOM instead.

There are a whole bunch of others in the pipeline too...

Richard
Old 12 August 2003, 01:29 PM
  #13  
mike16v
Scooby Regular
 
Join Date: Feb 2002
Location: Surrey
Posts: 1,038

MSBLAST - should this be allowed to access the internet or not?? I set up Norton Firewall at lunch and that was the 1st ping I got.... I allowed it. Should I have blocked it? Can I change it to be blocked now if that's what's needed?
Old 12 August 2003, 02:07 PM
  #14  
chiark
Scooby Regular
 
Join Date: Jun 2000
Posts: 13,735

Mike.

You've got the virus.
Old 12 August 2003, 02:11 PM
  #15  
mike16v
Scooby Regular
 
Join Date: Feb 2002
Location: Surrey
Posts: 1,038

WHAT!!!! I only hooked the PC up last night!!!! It's brand spankin' new!

What do I do???

Do I do a live update of Norton Anti Virus tonight when I get home?

Typical - just my frikin' luck!
Old 12 August 2003, 02:30 PM
  #16  
Dr Hu
Scooby Regular
 
Join Date: Jul 1999
Location: Shropshire
Posts: 2,830

Had at least five peeps come in to me this morning saying that their PC's at home are switching off after a few minutes on the Net....LOL

This is sweeping the Internet fookin fast!

Patch away everybody....
Old 12 August 2003, 02:57 PM
  #17  
Andrewza
Scooby Regular
 
Join Date: Jan 2002
Posts: 667

Supposedly it'll DDoS windowsupdate.com on the 16th http://www.theinquirer.net/?article=10986
Old 12 August 2003, 11:25 PM
  #18  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

Microsoft now state that the W2K patch is supported on SP2 as well as SP3/SP4.

Wonder how many corps got into applying unnecessary Service Packs....
Old 13 August 2003, 02:05 AM
  #19  
Dave P
Scooby Regular
 
Join Date: May 1999
Posts: 1,320

Ok I have it too!

My ADSL connection got screwed on Sunday (Did I get the virus then) and they asked me to turn off my firewall so the engineers could work on it.

Got home today and my pc switched itself off. So I ran Nortons Live update and it told me I had a virus.

Did a system scan and it quarantined MSBLAST.exe which I have deleted.....

Where do I go now? I'm printing off a whole load of stuff from Symantecs encyclopedia, but I'm pretty IT thick. My first questions are...

Having deleted the file have I got rid of the virus?

Having deleted MSBLAST.exe... do I need this file and can I get another copy?

I downloaded all the MS updates, but it wouldn't let me download SP1 is this the one that kills the virus, Symantec imply that the virus will stop you accessing the patch???

My machine appears to have stopped switching off now... am I clear??

Bummer

Dave
Old 13 August 2003, 02:10 AM
  #20  
Dave P
Scooby Regular
 
Join Date: May 1999
Posts: 1,320

Edited coz I duplicated the post.

Dave

[Edited by Dave P - 8/13/2003 8:10:29 AM]
Old 13 August 2003, 09:12 AM
  #21  
mike16v
Scooby Regular
 
Join Date: Feb 2002
Location: Surrey
Posts: 1,038

There may be some details in your registry that you need to get rid of - run task manager and see if MSBLAST.exe is running? If so, end the task, and you need to remove some lines from the registry - details can be found on http://www.symantec.com/avcenter/index.html


I had this virus, and got it removed last night - live update of Norton, applied the patch, and removed the lines from registry. All seems hunky dorey now
Old 13 August 2003, 12:27 PM
  #22  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

Having deleted the file have I got rid of the virus?
Basically, yes.

Having deleted MSBLAST.exe... do I need this file and can I get another copy?
Nope, this is not a filename used by any MS application.

I downloaded all the MS updates, but it wouldn't let me download SP1 is this the one that kills the virus, Symantec imply that the virus will stop you accessing the patch???
SP1 doesn't stop the worm as such - if infected the worm will use your machine at a set date to launch a Denial of Service attack against http://www.windowsupdate.com.

My machine appears to have stopped switching off now... am I clear??
Yep, I would say so. As mike16v mentions above, there may be some crud left in the registry, but nothing serious.
Old 13 August 2003, 12:55 PM
  #23  
Dave P
Scooby Regular
 
Join Date: May 1999
Posts: 1,320

Cheers Guys, got some advice from a techy guy at work as well (cost me a tropical ice lollie though)

Will look through the registry this evening.

Once again scoobynet comes through!

Dave
Old 13 August 2003, 01:40 PM
  #24  
Tsunami
Scooby Regular
 
Join Date: Dec 2002
Posts: 118

If u have installed a firewall u wouldn't have been infected....
Xp also has basic built-in firewall which u can turn on - my xp proxy been running fine and not been infected unlike some of my mates pcs!
Old 13 August 2003, 04:09 PM
  #25  
POC
Scooby Regular
 
Join Date: Feb 2001
Location: Hemel Hempstead
Posts: 7,953

more info/recovery here:

http://www.sophos.com/support/disinf.../blastera.html
Old 13 August 2003, 06:07 PM
  #26  
Dave P
Scooby Regular
 
Join Date: May 1999
Posts: 1,320

sadly I had ADSL problems and BT kindly asked me to turn off my firewall and leave my pc switched on for 48 hours!!
Old 13 August 2003, 06:22 PM
  #27  
Monkeh
Scooby Regular
 
Join Date: Jun 2003
Location: A Shanty Town near you !
Posts: 547

HeHe we patched all our servers the day the vulnerability was detected.. thanks to the lovegate virus (that was a pain)

No problems in our office, but all our off site people don't like using live update or windows update so nearly every one of them has got the virus. (i told them to update at least twice a week !!! )

Ok so i have removed most of them, but now we are getting loads of errors being reported like "the application at 0x77ds2134 cannot read the memory at 0xds23221" ?? can't figure that one out ? it only seems to happen when any office 2000 program is loaded.

So i think it is corrupting office files as well. I will hopefully be able to dissect one of the idiots laptops tomorrow so will find out what has happened !!!

Old 13 August 2003, 08:49 PM
  #28  
chiark
Scooby Regular
 
Join Date: Jun 2000
Posts: 13,735

**** me. I've just installed IPCop and got it all running nicely...

Here's 7 mins of log...
19:32:01 INPUT ppp0 TCP 81.135.75.208 3609 81.135.66.148 135
19:32:35 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:36 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:41 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:32:43 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:33:15 INPUT ppp0 TCP 81.135.76.170 2331 81.135.66.148 135
19:33:31 INPUT ppp0 TCP 81.135.10.108 4862 81.135.66.148 135
19:37:02 INPUT ppp0 TCP 81.135.78.240 4782 81.135.66.148 135
19:37:06 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135
19:37:09 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135


Can you guess what attacks port 135?

Bloody hell... Like frickin' wildfire!
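
Added example (not part of chiark's post): a short Python parser for the firewall log lines quoted above that tallies inbound TCP/135 probes per source. The field layout is inferred from the posted lines, and treating a repeated source address and port as a retry of one connection attempt is an assumption.

```python
import ipaddress
import re

# Log lines copied verbatim from the post above.
LOG = """\
19:32:01 INPUT ppp0 TCP 81.135.75.208 3609 81.135.66.148 135
19:32:35 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:36 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:41 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:32:43 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:33:15 INPUT ppp0 TCP 81.135.76.170 2331 81.135.66.148 135
19:33:31 INPUT ppp0 TCP 81.135.10.108 4862 81.135.66.148 135
19:37:02 INPUT ppp0 TCP 81.135.78.240 4782 81.135.66.148 135
19:37:06 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135
19:37:09 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135
"""

# Field layout inferred from the posted lines (assumption, not an IPCop spec):
# time chain interface protocol src sport dst dport
LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<chain>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)

def parse(log):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def summarize(log, dport=135, prefix=16):
    """Tally packets, connection attempts and source hosts for one TCP port."""
    attempts, conns, sources, near = 0, set(), set(), set()
    for e in parse(log):
        if e["proto"] != "TCP" or int(e["dport"]) != dport:
            continue
        attempts += 1
        conns.add((e["src"], e["sport"]))  # same src+sport = retry (assumed)
        sources.add(e["src"])
        net = ipaddress.ip_network(f'{e["dst"]}/{prefix}', strict=False)
        if ipaddress.ip_address(e["src"]) in net:
            near.add(e["src"])             # source shares the target's /prefix
    return {"attempts": attempts, "connections": len(conns),
            "sources": len(sources), "same_prefix": len(near)}

if __name__ == "__main__":
    print(summarize(LOG))
```

The ten logged packets reduce to seven connection attempts from seven addresses, all inside the destination's own /16.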
Old 13 August 2003, 10:42 PM
  #29  
Miles
Scooby Regular
 
Join Date: Oct 1998
Location: The Granite City/Dallas, Tx.
Posts: 2,519

I was round fixing a mates PC tonight, found msblast on it, cleaned it and whilst online for the 5 minutes downloading the patch it got infected again
Old 13 August 2003, 11:12 PM
  #30  
darlodge
Scooby Regular
 
Join Date: Oct 2001
Location: Lovely Lancing in West Sussex
Posts: 3,449

Would that explain why my McAfee firewall has been going nuts since Saturday?

Here is an extract from one of many Netwear logs


Darren

