ScoobyNet.com - Subaru Enthusiast Forum

MS03-026 - anyone else expending huge effort to patch? (https://www.scoobynet.com/computer-and-technology-related-34/233956-ms03-026-anyone-else-expending-huge-effort-to-patch.html)

dowser 26 July 2003 06:01 PM

Any other large corporates keen to patch against this one? :)

Richard

Miles 27 July 2003 11:00 PM

Yep we are. 17000+ machines worldwide, ugh. Not fun.

dowser 28 July 2003 05:22 AM

So few ;)

Miles 28 July 2003 09:01 AM

I notice that www.eeye.com have released a free RPC DCOM Vulnerability Scanner....

dowser 28 July 2003 03:46 PM

Thanks!

JR55 29 July 2003 09:11 AM

Have you guys heard about Patch deployment software?? It will automate your patching, keep a record of what level all your machines are at, check an approved database and only push out patches that have been checked not to cause further conflicts!! It sounds too good to be true but if you drop me a line I will send you out a 15 day demo disk.

www.thewestongroup.co.uk



[Edited by JR55 - 7/29/2003 10:19:29 AM]

Miles 31 July 2003 12:12 PM

At the moment don't bother applying this patch, there is still a vulnerability present even when it is applied, which I've been testing this morning.

Word is an updated patch from MS is on the way.

ScoobyJawa 31 July 2003 01:02 PM

Miles,

You got any more info on that - we're about to start applying it to our telecomms systems in the test and live environment, but if another is on its way then............

Cheers
Neil

Miles 01 August 2003 12:17 PM

I've been speaking to MS, they are evaluating another RPC vulnerability at the moment. It is recommended that the MS03-026 patch of a couple of weeks ago is applied ASAP.

Miles 12 August 2003 07:56 AM

Definitely now a tangible reason to deploy the patch ;)

chiark 12 August 2003 08:31 AM

YOU NEED THIS PATCH IN YOUR LIFE!

Our corporation (40,000+ worldwide) is rolling it out as essential, and there are already things exploiting the vulnerability (MSBLAST).

Cheers,
Nick.

dowser 12 August 2003 10:03 AM

<smug-mode> "Lol" ...sorry :)

Deployment is easy, testing isn't!

Be aware that you need to be on W2K SP3/NT4 SP6a for the MS03-026 to work without any impact. W2K SP2 will disable COM+ functionality. If you need this, there's a registry hack which will disable DCOM instead.

There are a whole bunch of others in the pipeline too...

Richard

mike16v 12 August 2003 01:29 PM

MSBLAST - should this be allowed to access the internet or not?? I set up Norton Firewall at lunch and that was the 1st ping I got.... I allowed it. Should I have blocked it? Can I change it to be blocked now if that's what's needed?

chiark 12 August 2003 02:07 PM

Mike.

You've got the virus.

mike16v 12 August 2003 02:11 PM

WHAT!!!! I only hooked the PC up last night!!!! It's brand spankin' new!

What do I do??? :(

Do I do a live update of Norton Anti Virus tonight when I get home?

Typical - just my frikin' luck!

Dr Hu 12 August 2003 02:30 PM

Had at least five peeps come in to me this morning saying that their PCs at home are switching off after a few minutes on the Net....LOL

This is sweeping the Internet fookin fast!

Patch away everybody....

Andrewza 12 August 2003 02:57 PM

Supposedly it'll DDoS windowsupdate.com on the 16th http://www.theinquirer.net/?article=10986

Miles 12 August 2003 11:25 PM

Microsoft now state that the W2K patch is supported on SP2 as well as SP3/SP4. :rolleyes:

Wonder how many corps got into applying unnecessary Service Packs....

Dave P 13 August 2003 02:05 AM

Ok I have it too!

My ADSL connection got screwed on Sunday (Did I get the virus then) and they asked me to turn off my firewall so the engineers could work on it.

Got home today and my pc switched itself off. So I ran Nortons Live update and it told me I had a virus.

Did a system scan and it quarantined MSBLAST.exe which I have deleted.....

Where do I go now? I'm printing off a whole load of stuff from Symantec's encyclopedia, but I'm pretty IT thick. My first questions are...

Having deleted the file have I got rid of the virus?

Having deleted MSBLAST.exe... do I need this file and can I get another copy?

I downloaded all the MS updates, but it wouldn't let me download SP1. Is this the one that kills the virus? Symantec imply that the virus will stop you accessing the patch???

My machine appears to have stopped switching off now... am I clear??

Bummer

Dave

Dave P 13 August 2003 02:10 AM

Edited coz I duplicated the post.

Dave

[Edited by Dave P - 8/13/2003 8:10:29 AM]

mike16v 13 August 2003 09:12 AM

There may be some details on your registry that you need to get rid of - run task manager and see if MSBLAST.exe is running? If so, end the task, and you need to remove some lines from registry - details can be found on http://www.symantec.com/avcenter/index.html


I had this virus, and got it removed last night - live update of Norton, applied the patch, and removed the lines from registry. All seems hunky dorey now :)

Miles 13 August 2003 12:27 PM

Having deleted the file have I got rid of the virus?
Basically, yes. :)

Having deleted MSBLAST.exe... do I need this file and can I get another copy?
Nope, this is not a filename used by any MS application.

I downloaded all the MS updates, but it wouldn't let me download SP1. Is this the one that kills the virus? Symantec imply that the virus will stop you accessing the patch???
SP1 doesn't stop the worm as such - if infected the worm will use your machine at a set date to launch a Denial of Service attack against http://www.windowsupdate.com.

My machine appears to have stopped switching off now... am I clear??
Yep, I would say so. As mike16v mentions above, there may be some crud left in the registry, but nothing serious.

Dave P 13 August 2003 12:55 PM

Cheers Guys, got some advice from a techy guy at work as well (cost me a tropical ice lollie though)

Will look through the registry this evening.

Once again scoobynet comes through!

Dave

Tsunami 13 August 2003 01:40 PM

If u have installed a firewall u wouldn't have been infected....
XP also has a basic built-in firewall which u can turn on - my XP proxy has been running fine and not been infected, unlike some of my mates' PCs!

POC 13 August 2003 04:09 PM

more info/recovery here:

http://www.sophos.com/support/disinf.../blastera.html

Dave P 13 August 2003 06:07 PM

sadly I had ADSL problems and BT kindly asked me to turn off my firewall and leave my pc switched on for 48 hours!!

Monkeh 13 August 2003 06:22 PM

HeHe we patched all our servers the day the vulnerability was detected.. thanks to the lovegate virus :D (that was a pain)

No problems in our office, but all our off site people don't like using live update or windows update :rolleyes: so nearly every one of them has got the virus. (I told them to update at least twice a week !!! )

Ok so I have removed most of them, but now we are getting loads of errors being reported like "the application at 0x77ds2134 cannot read the memory at 0xds23221" ?? Can't figure that one out ? It only seems to happen when any office 2000 program is loaded.

So I think it is corrupting office files as well. I will hopefully be able to dissect one of the idiots' laptops tomorrow so will find out what has happened !!!


chiark 13 August 2003 08:49 PM

Feck me. I've just installed IPCop and got it all running nicely...

Here's 7 mins of log...
19:32:01 INPUT ppp0 TCP 81.135.75.208 3609 81.135.66.148 135
19:32:35 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:36 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:41 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:32:43 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:33:15 INPUT ppp0 TCP 81.135.76.170 2331 81.135.66.148 135
19:33:31 INPUT ppp0 TCP 81.135.10.108 4862 81.135.66.148 135
19:37:02 INPUT ppp0 TCP 81.135.78.240 4782 81.135.66.148 135
19:37:06 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135
19:37:09 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135


Can you guess what attacks port 135? ;)

Bloody hell... Like frickin' wildfire!
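
Added example, not part of chiark's post or the original thread: a small Python tally of the log above, counting port-135 hits per source and how many of those sources sit in the same /16 as the target address. The function names and the /16 default are choices made for this example.

```python
import ipaddress
from collections import Counter

# Log lines copied from the post above. Columns as they appear there:
# time, chain, interface, protocol, source IP, source port, dest IP, dest port.
LOG = """\
19:32:01 INPUT ppp0 TCP 81.135.75.208 3609 81.135.66.148 135
19:32:35 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:36 INPUT ppp0 TCP 81.135.69.141 4594 81.135.66.148 135
19:32:41 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:32:43 INPUT ppp0 TCP 81.135.9.199 1033 81.135.66.148 135
19:33:15 INPUT ppp0 TCP 81.135.76.170 2331 81.135.66.148 135
19:33:31 INPUT ppp0 TCP 81.135.10.108 4862 81.135.66.148 135
19:37:02 INPUT ppp0 TCP 81.135.78.240 4782 81.135.66.148 135
19:37:06 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135
19:37:09 INPUT ppp0 TCP 81.135.76.22 1824 81.135.66.148 135
"""

WATCHED = {("TCP", 135)}  # the port the post points at


def parse(line):
    """Return (proto, src, dst, dport) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 8:
        return None
    try:
        return (parts[3].upper(), ipaddress.ip_address(parts[4]),
                ipaddress.ip_address(parts[6]), int(parts[7]))
    except ValueError:
        return None


def summarize(text, prefix_len=16):
    """Count watched-port hits per source; count sources inside the target's prefix."""
    per_source, near = Counter(), set()
    for rec in filter(None, map(parse, text.splitlines())):
        proto, src, dst, dport = rec
        if (proto, dport) not in WATCHED:
            continue
        per_source[str(src)] += 1
        if src in ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False):
            near.add(src)
    return {"probes": sum(per_source.values()), "sources": len(per_source),
            "same_prefix_sources": len(near), "per_source": dict(per_source)}


if __name__ == "__main__":
    print(summarize(LOG))
```

On the ten lines quoted in the post, every source falls inside the target's own /16, so the hits are coming from neighbouring addresses on the same ISP range.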

Miles 13 August 2003 10:42 PM

I was round fixing a mates PC tonight, found msblast on it, cleaned it and whilst online for the 5 minutes downloading the patch it got infected again :rolleyes:

darlodge 13 August 2003 11:12 PM

would that explain why my Mcafee fire wall has been going nuts since Saturday?

Here is an extract from one of many Netwear logs


Darren


All times are GMT +1.