[Full-Disclosure] RE: [Full-Disclosure]Ooops-->was-->what to do

From: Evans, Arian (Arian.Evansat_private)
Date: Mon Aug 11 2003 - 23:21:35 PDT


    Per below, you'll probably want to enable port 53 UDP or you won't be able to resolve windowsupdate.microsoft.com. You might have to enable bootp too, depending on what kind of network you are on...

    If you have further issues, email me at my cc:'d work address, and I'll answer as I can...
    -----Original Message-----
    From: Arian J. Evans [mailto:arian.evansat_private]
    Sent: Tue 8/12/2003 1:04 AM
    To: 'akbara'; 'Gabe Arnold'
    Cc: full-disclosureat_private; bugtraqat_private; Evans, Arian
    Subject: RE: [Full-Disclosure] what to do

    et al,

    # has she tried booting into safe mode ?
    # then removing the msblast or what not program ?

    If everyone hasn't seen it by now, the problem is endless
    rebooting; we've seen it with a number of clients...good
    luck updating before the system goes down again...

    It's part of the offset the exploit uses and which OSes/events
    it overwrites the proper part of the stack to exploit, and
    which events it just crashes the OS...(the vast majority
    of crashes we are seeing are XP, though some 2k server...)

    Bottom line: the endless shutdown cycle is part of the story
    of the worm, given the OS and how the worm hits it.

    But there is a solution:

    # cannot use Windows update because when the RPC is shutdown,
    # SYSTEM automatically initiates a shutdown of the computer as
    # you are all aware of. What is the best solution to keep data files
    # intact while removing this worm?

    The endless shutdowns are a result of getting banged on repeatedly
    by this worm. Options:

    NT 4.0: hmmm...probably disable RPC service...

    Windows 2000: |Network|Local Area Connection (or whatever you
    have named this)|Properties|Advanced|Options|>TCP/IP Filtering>
    |Properties|x-enable TCP/IP filtering|

    >Permit only on UDP and ICMP. Do not define.
    >Permit only on TCP and define 80 and 443 (http and https).

    Continue on to windowsupdate.microsoft.com and update w/out
    further issue. Later, if you feel comfortable (or have the need),
    relax your filter settings.

    Windows XP: turn on the included firewall, found under the similar
    options to above for 2k (sorry--I don't have an XP machine handy
    or I'd list the exact steps...)

    Good luck, Cheers,

    Arian J. Evans

    ps// if bugtraq cross-post is inappropriate, apology to admins
    for having to remove. There's been a lack of OS-native controls
    mitigation discussed on this issue...


    _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
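The XP advice above is to turn on the built-in firewall; once it is on, its log is the quickest way to confirm that the repeated hits on TCP/135 described in the thread are being dropped rather than reaching the RPC service. The following is an added example, not code from the original post: it parses the W3C-style `pfirewall.log` layout the XP firewall writes (field names taken from the `#Fields:` header, which is assumed to be present) and counts dropped inbound TCP/135 attempts per source address. The log lines are constructed sample data.

```python
"""Spot hosts repeatedly probing TCP/135 in a Windows XP firewall (pfirewall.log) style log."""
from collections import Counter

# Constructed sample log. Layout follows the XP firewall's W3C-style format:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ...
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 01:04:11 DROP TCP 10.0.0.7 10.0.0.5 1234 135 48 S 123456 0 65535 - - -
2003-08-12 01:04:12 DROP TCP 10.0.0.7 10.0.0.5 1235 135 48 S 123457 0 65535 - - -
2003-08-12 01:04:12 DROP TCP 10.0.0.7 10.0.0.5 1236 135 48 S 123458 0 65535 - - -
2003-08-12 01:04:13 DROP TCP 10.0.0.9 10.0.0.5 3300 135 48 S 123459 0 65535 - - -
2003-08-12 01:04:13 OPEN TCP 10.0.0.5 207.46.0.1 1040 443 - - - - - - - -
2003-08-12 01:04:15 DROP UDP 10.0.0.11 10.0.0.5 1055 137 78 - - - - - - -
"""


def parse_firewall_log(text):
    """Yield one dict per data row, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the '#Fields:' tag
            continue
        if not line or line.startswith("#"):
            continue                       # other header/comment lines
        values = line.split()
        if fields is None or len(values) < 8:
            continue                       # no header yet, or a truncated row
        yield dict(zip(fields, values))


def rpc_probe_sources(text, port="135", min_hits=3):
    """Count dropped inbound TCP attempts to `port` per source IP.

    Returns {src_ip: count} for sources at or above `min_hits`, i.e. the
    hosts that are hammering the RPC endpoint mapper the way the thread describes.
    """
    hits = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP" and rec["protocol"] == "TCP" and rec["dst-port"] == port:
            hits[rec["src-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(rpc_probe_sources(SAMPLE_LOG))   # {'10.0.0.7': 3}
```

A source that shows up here with many dropped TCP/135 attempts is one of the machines the original message describes as "banging on" the host, and a candidate for the same filtering-then-update treatment.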



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 00:59:55 PDT