RE: MSBLASTER Infecting despite 03-026 patch?

From: James C. Slora, Jr. (Jim.Sloraat_private)
Date: Thu Aug 14 2003 - 17:26:15 PDT


    Gabrielle Dowling wrote:
    > There may be more to it.  We've had at least two incidents where the
    > patch manifest was confirmed but the boxes got infected.  And, I don't
    > think the infection came through an email seed, as we block executables
    > at the SMTP gateway.
    
    I have one confirmed vulnerable Win2K Server box where all the files
    match the manifest perfectly. Multiple boots, uninstall and reinstall
    the patch, upgrade to SP4 then add the patch - all with the same
    results. A fully patched, fully vulnerable system that needs to come
    offline. 
    
    Bunches of machines failed patching on the first try even though they
    reported success. NT4 seemed especially prone to this. Win2K fared
    better but not perfectly. 
    
    Only this one machine matches the manifest yet remains vulnerable.
    
    It would be infected many times over already if it weren't in a nice
    cozy small firewalled LAN environment lucky enough not to have been
    exposed by accident.
    
    
    




    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 21:04:57 PDT