(Serious) Patch from MS

23 replies to this topic

#1
Courage

    Founder

  • Group: Senior Members
  • Posts: 21,657
  • Joined: 26.11.2001
The fact that MS puts out patches on a conveyor belt is nothing new, it's actually an everyday thing, but the fuss with which they're promoting this one makes me think it's a big problem and they're scared :/

Read here:

http://news.softnews...gust/4093.shtml

The patch for the various affected OSes can be found HERE

For those on WinXP, here is a direct link:

http://download.micr...980-x86-ENU.exe

For those on Win2k:

http://download.micr...980-x86-ENU.exe

#2
Ares

    Active Member

  • Group: Members
  • Posts: 1,227
  • Joined: 13.01.2003
I have a question too... I went nicely over to Windows Updates, selected what I want it to install, and now I'm downloading...
The question is... Where are these downloaded patches saved? Do I have to save them separately, or does Windows put them somewhere? Thanks...

#3
PreTXT

    Moderator

  • Group: Senior Members
  • Posts: 2,053
  • Joined: 09.01.2003
The problem is more than serious.... after I saw that exploit code for the vulnerability has appeared (e.g. http://www.xfocus.or...s/200307/2.html) I lost 2 nights patching servers :(

I've just finished the scripting for the deployment to the users' computers /sHit ... sorry if I'm incoherent, but I have about 36 hours of work on board :sleep:

The point is that right now, according to several companies specialized in security, increased scanning activity on the Internet for vulnerable machines is being observed.

DHS (U.S. Department of Homeland Security) recommends applying the patch urgently. Until then, as additional protection, you can configure your firewall, if you have one :) , to block ports 135, 139 and 445, which are used by RPC calls.

#4
Ares

    Active Member

  • Group: Members
  • Posts: 1,227
  • Joined: 13.01.2003
@PreTXT - I dug through my Zone Alarm Pro and I see that these ports are blocked... but speaking of unauthorized entries... does this thing know what it's reporting? 972 intrusions / 247 high rated.... Anyway... :)

#5
PreTXT

    Moderator

  • Group: Senior Members
  • Posts: 2,053
  • Joined: 09.01.2003
I haven't played with ZoneAlarm enough... but 972 intrusions... I think those are access attempts, no? :)

Anyway, if the problem worries you, check your antivirus update daily... it's quite likely that a worm will show up, a mass-mailer that exploits the vulnerability....

#6
steelk

    Active Member

  • Group: Members
  • Posts: 1,154
  • Joined: 08.06.2002

Quote

The question is... Where are these downloaded patches saved? Do I have to save them separately, or does Windows put them somewhere? Thanks...

Windows saves them as it downloads them in %user_path%\Local Settings\Temporary Internet Files. Right after it finishes downloading it starts installing them and deletes them as it installs. Solution: as soon as something new shows up in Temporary Internet Files, copy it somewhere else, because at the end they disappear from there.

#7
ECodrutz

    Member

  • Group: Members
  • Posts: 333
  • Joined: 26.04.2003
nope :))
it doesn't put them there
a directory is created on the disk where you have Windows: WUTEMP (windows update temporary), and until they're installed you'll find them there

#8
puiut

    Member

  • Group: Members
  • Posts: 288
  • Joined: 11.04.2003
The funny thing is that exactly 2 minutes ago the computer reset, but before that it warned me (nice of it) to save my applications. It said that NT Authority was resetting it because the RPC service had terminated abruptly, something like that. I don't remember exactly.
Could this be the problem the patch is for?

#9
FlakShell

    Member

  • Group: Members
  • Posts: 306
  • Joined: 16.10.2002
Yes, that's the problem: someone tried the exploit on you but, not knowing which OS you have, tested with the Win2000 exploit instead of the XP one, and at that point XP restarts.

#10
arty

    Senior Member

  • Group: Banned
  • Posts: 8,563
  • Joined: 09.12.2001
yes, I also got a restart from NT Authority. That was this morning. Yesterday I read about this thing and did the updates, which didn't bring anything critical... it's true that I didn't run that thing courage posted for XP. What's the deal with this?

#11
Monitoxus

    Back!

  • Group: Senior Members
  • Posts: 7,184
  • Joined: 26.11.2001
Yep.. same here. I found my PC dying, and that ONLY because I had to disable the firewall for 10 min so my wife could get on some crappy chat to talk to a relative :@

10 min after I disabled the firewall I got this RPC error thing and the computer shut itself down...

The question is.. can someone get into my machine without a firewall by taking advantage of this "bug"? Because I didn't have the patience to read everything :D

#12
Courage

    Founder

  • Group: Senior Members
  • Posts: 21,657
  • Joined: 26.11.2001
Install this patch and you won't have problems anymore :)

#13
pstdgt

    Monseurizat

  • Group: Administrators
  • Posts: 5,849
  • Joined: 06.02.2002
the restart thing happened to me too.. 5 minutes before I installed the patch :D

#14
Courage

    Founder

  • Group: Senior Members
  • Posts: 21,657
  • Joined: 26.11.2001
I'm being scanned like crazy from 193.109.122.5 (proxy)

#15
raiiar

    Senior Member

  • Group: Senior Members
  • Posts: 2,568
  • Joined: 30.11.2002
thanks for the link.
but I see the problem is serious, no joke....
I knew about it, but I didn't know an exploit had already appeared.

#16
Mr_Woppit

    the last of them..

  • Group: Super Moderators
  • Posts: 17,834
  • Joined: 26.11.2001

Quote

Paper on how to remotely exploit for win32 NT boxes using a buffer overflow
on port 135 through the Windows RPC Interface resulting in execution of any
commands on vulnerable Windows systems with SYSTEM privileges.

there are actually 2 versions, and it's child's play

I quote:

Quote

c:\> dcom32.exe

if all goes well you should get a shell on port 4444 to connect to

then, one way or another, you connect to the port that's waiting for you

available in versions for win2k sp1,2,3,4 and XP with and without SP

#17
PreTXT

    Moderator

  • Group: Senior Members
  • Posts: 2,053
  • Joined: 09.01.2003
as expected, a worm that takes advantage of this vulnerability is being prepared for us http://www.kaspersky....html?id=984233

so be prepared :)

#18
Guest_AcidMan_*

  • Group: Guests
  • Joined: --
Symantec announcement
Here is the address of the announcement.
Based on the number of submissions received from customers and based on information from the Symantec's Deepsight Threat Management System, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat.

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm will attempt to download and run the Msblast.exe file.

Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service (DoS) on windowsupdate.com. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

Click here for more information on the vulnerability that this worm exploits, and to find out which Symantec products can help mitigate risks from this vulnerability.

NOTE: This threat will be detected by virus definitions having:
Defs Version: 50811s
Sequence Number: 24254
Extended Version: 8/11/2003, rev. 19

Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm.

Also Known As: W32/Lovsan.worm [McAfee]
Type: Worm
Infection Length: 6,176 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0352

Virus Definitions (Intelligent Updater) *: August 11, 2003
Virus Definitions (LiveUpdate™) **: August 11, 2003

* Intelligent Updater definitions are released daily, but require manual download and installation. Click here to download manually.
** LiveUpdate virus definitions are usually released every Wednesday. Click here for instructions on using LiveUpdate.

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Easy

Threat Metrics
Wild: High
Damage: Medium
Distribution: High

Damage
Payload:
Causes system instability: May cause machines to crash.
Compromises security settings: Opens a hidden remote cmd.exe shell.

Distribution
Ports: TCP 135, TCP 4444, UDP 69
Target of infection: Machines with vulnerable DCOM RPC Services running.


When W32.Blaster.Worm is executed, it does the following:


Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.


Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Calculates the IP address, based on the following algorithm, 40% of the time:

Host IP: A.B.C.D

sets D equal to 0.

if C > 20, will subtract a random value less than 20.

Once calculated, the worm will start attempting to exploit the computer based on A.B.C.0, and then count up.

NOTE: This means the Local Subnet will become saturated with port 135 requests prior to exiting the local subnet.


Calculates the IP address, based on many random numbers, 60% of the time:

A.B.C.D

set D equal to 0.

sets A, B, and C to random values between 0 and 255.


Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:

Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data.


Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.


Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.


If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Symantec ManHunt
Symantec ManHunt Protocol Anomaly Detection technology detects the activity associated with this exploit as "Portscan." Although ManHunt can detect activity associated with this exploit with the Protocol Anomaly Detection technology, you can use the "Microsoft DCOM RPC Buffer Overflow" custom signature, released in Security Update, to precisely identify the exploit being sent.






Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.



Removal using the Backdoor.Winshell.50 Removal Tool
Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm. This is the easiest way to remove this threat and should be tried first.

Manual Removal
As an alternative to using the removal tool, you can manually remove this threat.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Important Note: W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before you can continue with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.


Disable System Restore (Windows Me/XP).
Update the virus definitions.
Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: End the Trojan process.
Run a full system scan and delete all the files detected as W32.Blaster.Worm.
Reverse the changes that the Trojan made to the registry.

For details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or ending the Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Blaster.Worm, click Delete.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"
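An added detection example, not part of the Symantec write-up or of any post in this thread: it scans firewall-style log lines for the propagation pattern the write-up describes (a TCP/135 sweep of one /24 counted upward, or of many random /24s, followed by TCP/4444 to the opened shell and a UDP/69 TFTP pull of the binary). The log format, the addresses and the minimum-host threshold are all constructed assumptions.

```python
"""Flag hosts whose traffic matches the W32.Blaster propagation pattern quoted above:
TCP/135 sweeps (one /24 counted upward, or many random /24s), TCP/4444 to the opened
shell, and UDP/69 TFTP pulls of the binary. Log format and lines are constructed."""
from collections import defaultdict
import ipaddress
import re

# Assumed log format: "<time> <TCP|UDP> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(r"^(\S+)\s+(TCP|UDP)\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)$")

# Constructed sample: 10.1.2.50 sweeps its own /24, drives a shell on one victim and
# serves it the binary over TFTP; 10.1.2.60 probes random /24s; 10.1.2.77 is benign.
SAMPLE_LOG = "\n".join(
    [f"12:00:{i:02d} TCP 10.1.2.50:{1030 + i} -> 10.1.2.{i}:135" for i in range(12)]
    + ["12:00:13 TCP 10.1.2.50:1050 -> 10.1.2.3:4444",
       "12:00:14 UDP 10.1.2.3:1025 -> 10.1.2.50:69"]
    + [f"12:01:{i:02d} TCP 10.1.2.60:{1100 + i} -> {i + 1}.{i * 37 % 256}.{i * 91 % 256}.0:135"
       for i in range(8)]
    + ["12:02:00 TCP 10.1.2.77:1080 -> 10.1.2.5:135",
       "12:02:01 TCP 10.1.2.77:1081 -> 10.1.2.5:135",
       "12:02:02 TCP 10.1.2.77:1082 -> 10.1.2.9:445"])

def parse(log_text):
    """Return (proto, src, dst, dport) tuples; lines not in the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def sweep_mode(dsts, min_hosts):
    """Classify a source's TCP/135 targets (in log order): 'subnet' if they stay in one /24
    with the last octet only rising ("A.B.C.0, then count up"), 'random' if they span at
    least min_hosts different /24s, otherwise None."""
    if len(dsts) < min_hosts:
        return None
    nets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
    last = [int(d.rsplit(".", 1)[1]) for d in dsts]
    if len(nets) == 1 and all(a < b for a, b in zip(last, last[1:])):
        return "subnet"
    return "random" if len(nets) >= min_hosts else None

def find_blaster_like_hosts(log_text, min_hosts=8):
    """Map each suspicious source to its sweep mode, shell targets and TFTP clients."""
    tcp135, shell, tftp_clients = defaultdict(list), defaultdict(set), defaultdict(set)
    for proto, src, dst, dport in parse(log_text):
        if proto == "TCP" and dport == 135:
            tcp135[src].append(dst)
        elif proto == "TCP" and dport == 4444:
            shell[src].add(dst)         # infected host driving the hidden cmd.exe shell
        elif proto == "UDP" and dport == 69:
            tftp_clients[dst].add(src)  # dst is the host handing out msblast.exe
    findings = {}
    for src, dsts in tcp135.items():
        mode = sweep_mode(dsts, min_hosts)
        if mode:
            findings[src] = {"mode": mode, "hosts_probed": len(set(dsts)),
                             "shell_targets": sorted(shell[src]),
                             "tftp_clients": sorted(tftp_clients[src])}
    return findings
```

Ordinary hosts that touch port 135 a couple of times (domain traffic) stay below the threshold; only a source that sweeps a whole subnet in order, or fans out across many /24s, is reported, together with who it pushed a shell to and who fetched the binary from it.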
