lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 12 Aug 2003 01:04:46 -0500
From: "Arian J. Evans" <arian.evans@...foot.com>
To: "'akbara'" <tzu@...pstudios.com>, "'Gabe Arnold'" <f0x@...irrelsoup.net>
Cc: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>,
   <arian.evans@...hnetsecurity.com>
Subject: RE: what to do


et al,

# has she tried booting into safe mode ?
# then removing the msblast or what not program ?

If everyone hasn't seen it by now, the problem is endless
rebooting; we've seen it with a number of clients...good
luck updating before the system goes down again...

It's part of the offset the exploit uses and which OSes/events
it overwrites the proper part of the stack to exploit, and
which events it just crashes the OS...(the vast majority
of crashes we are seeing are XP, though some 2k server...)

Bottom line: the endless shutdown cycle is part of the story
of the worm, given the OS and how the worm hits it.

But there is a solution:

# cannot use Windows update because when the RPC is shutdown,
# SYSTEM automatically initiates a shutdown of the computer as
# you are all aware of. What is the best solution to keep data files
# intact while removing this worm?

The endless shutdowns are a result of getting banged on repeatedly
by this worm. Options:

NT 4.0: hmmm...probably disable RPC service...

Windows 2000: |Network|Local Area Connection (or whatever you
have named this)|Properties|Advanced|Options|>TCP/IP Filtering>
|Properties|x-enable TCP/IP filtering|

>Permit only on UDP and ICMP. Do not define.
>Permit only on TCP and define 80 and 443 (http and https).

Continue on to windowsupdate.microsoft.com and update w/out
further issue. Later, if you feel comfortable (or have the need),
relax your filter settings.

Windows XP: turn on the included firewall, found under the similar
options to above for 2k (sorry--I don't have an XP machine handy
or I'd list the exact steps...)

Good luck, Cheers,

Arian J. Evans

ps// if bugtraq cross-post is inappropriate, apology to admins
for having to remove. There's been a lack of OS-native controls
mitigation discussed on this issue...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ