-
August 13th, 2003, 09:42 PM
#61
Member
Blaster changing
Hi, yesterday I was able to repair several infected computers; now I can't seem to get any fixed.
The computers give an error message and freeze.
Symantec repair stops at file "kelt b", then Windows wants to send an error message and shut down the repair program.
tired of being called an ass
-
August 13th, 2003, 10:24 PM
#62
Blaster B & C have been identified..
The Symantec Security Response site has the details.. It looks like the Symantec removal tool info states removal of A & B..
Oh, the link: http://securityresponse.symantec.com/
With removal .. I have a couple of the tools.. If one doesn't work, I use the other....
Funny thing getting a lot of win 9x machines .. ppl spooked by the news.. Spybot fixes these..lol
Noticed an increase in scans on the netbios ports, 137 in particular, as well almost matching the 135? coincidence?
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 13th, 2003, 10:50 PM
#63
Banned
Here is another version of the DCOM shizzle that I could not find information for on any AV sites.
http://www.securityfocus.com/archive...9/2003-08-15/0
It looks like some sort of autorooter but not like a worm.
And it opens port 666, not 4444.
-
August 14th, 2003, 12:46 AM
#64
So, how much port 135 traffic is everyone seeing at their firewall?
At work, in 24 hours (starting tuesday 11:00 (GMT-5)), we've had just about 23000 hits on a /26 ip block!
Ammo
Credit travels up, blame travels down -- The Boss
-
August 14th, 2003, 02:07 AM
#65
Cerveza,
Yeah, that is Kaht2, which is the autor00ter/scanner for the DCOM exploit. It's basically useless now for the script kiddies, thankfully, due to most ISPs intelligently blocking port 135.
Kaht1 was an autor00ter for the WebDAV exploit.
-
August 14th, 2003, 03:53 AM
#66
I go to school this morning and over the intercom I hear "please don't go on the internet on any of the black computers (we just got about 100 of these new Dell comps with Win XP Pro on them), there is a virus on them". Well, pretty much all of our computers are the "black" ones, so yeah, I thought that was kinda funny.
aislinn, Aria, BTBAM, chevelle, codeseven, Cky, dredg, evergreen terrace, from autumn to ashes,hopesfall, hxc, luti-kriss, nirvana, norma jean, shai hulud, this hero dies, tool, underoath, zao,
-
August 14th, 2003, 05:02 AM
#67
Junior Member
This sorta has to do with this virus..... I wasn't sure what to do about the virus, so I disabled the RPC in services. Now I can't get into properties to re-enable the RPC. Then whenever I try to install the patch to get rid of the worm, it says I need the cryptography working, and I can't figure out what that is. So... if you have any advice, it's greatly needed. Thank you.
Jaimie
-
August 14th, 2003, 04:57 PM
#68
You can enable RPC by using the sp_serveroption system stored procedure. To enable RPC from the ProductSQL server, you can use the following:
USE master
EXEC sp_serveroption 'ProductSQL', 'rpc', 'true'
To enable RPC to the ProductSQL server, you can use the following:
USE master
EXEC sp_serveroption 'ProductSQL', 'rpc out', 'true'
Go to the following site and download the removal tool for the worm.
http://www.sarc.com/avcenter/venc/da...ster.worm.html
After you remove it, reboot and then click on start/run and type in sfc /scannow.
This will repair all of the original files and you will be back in order.
I had to do it tonight myself, and it fixed everything.
http://www.computing.net/windowsxp/w...rum/73906.html
-
August 14th, 2003, 08:47 PM
#69
I'm not sure if anyone has run across this yet but even if they have, I think it is worth repeating:
* If you apply SP4 or any other SP to a box, you must re-install the RPC patch afterwards and then reboot even though the damn thing doesn't tell you to do so (the RPC patch that is).
What we have seen is people trying to be diligent by applying service packs and afterwards, they have shown up as vulnerable again. Yes, we reported this to MS but have heard nothing back yet.
Anyway, just an FYI for those who are in the trenches trying to remediate this garbage.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 14th, 2003, 09:38 PM
#70
Originally posted here by ammo
So, how much port 135 traffic is everyone seeing at their firewall?
At work, in 24 hours (starting tuesday 11:00 (GMT-5)), we've had just about 23000 hits on a /26 ip block!
Ammo
Most certainly an increase on my end here. I'd say that I'm averaging about 8 attempts to connect on port 135 every 3/4 minutes (all blocked of course).
That's a pretty good number of hits there, Ammo!
What we have seen is people trying to be diligent by applying service packs and afterwards, they have shown up as vulnerable again.
I guess better late than never, right? Seriously though, just another example of the need to patch...
That's good info to know, thehorse13 - I appreciate it....
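Added example, not part of any post in this thread: one way to put numbers on the "how much port 135 traffic" question by tallying blocked inbound hits from a firewall log for the ports named in the thread (135, 137, 4444, 666). The log line format, the addresses and the /26 block are constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Ports named in the thread: 135 and 137 (scan targets), 4444 and 666
# (listener ports mentioned in post #63).
WATCHED_PORTS = {135, 137, 4444, 666}

# Constructed sample in an assumed format:
# <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2003-08-13T11:00:05 DROP TCP 198.51.100.7:3312 -> 192.0.2.10:135
2003-08-13T11:00:09 DROP TCP 198.51.100.7:3313 -> 192.0.2.11:135
2003-08-13T11:02:41 DROP UDP 203.0.113.20:137 -> 192.0.2.10:137
2003-08-13T11:30:00 DROP TCP 203.0.113.99:4100 -> 192.0.2.40:4444
2003-08-13T12:15:12 DROP TCP 198.51.100.7:3390 -> 192.0.2.200:135
2003-08-13T13:00:05 DROP TCP 203.0.113.20:1200 -> 192.0.2.63:135
2003-08-13T13:00:06 DROP TCP 203.0.113.20:1201 -> 192.0.2.12:80
garbage line
""".splitlines()

def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None if unparsable."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "DROP" or parts[4] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        src = ipaddress.ip_address(parts[3].rsplit(":", 1)[0])
        dst_ip, dst_port = parts[5].rsplit(":", 1)
        return ts, src, ipaddress.ip_address(dst_ip), int(dst_port)
    except ValueError:
        return None

def summarize(lines, block):
    """Tally blocked hits on watched ports aimed at addresses inside `block`."""
    net = ipaddress.ip_network(block)
    per_port, sources, stamps = Counter(), set(), []
    for ts, src, dst, port in filter(None, map(parse_line, lines)):
        if dst in net and port in WATCHED_PORTS:
            per_port[port] += 1
            sources.add(src)
            stamps.append(ts)
    # Observation window in hours, floored at one hour to avoid inflated rates.
    hours = max((max(stamps) - min(stamps)).total_seconds() / 3600, 1.0) if stamps else 1.0
    rate = sum(per_port.values()) / (net.num_addresses * hours)
    return {"per_port": dict(per_port), "distinct_sources": len(sources),
            "hits_per_address_per_hour": rate}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.0.2.0/26"))
```

Normalising to hits per address per hour makes counts from differently sized blocks and time windows comparable.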