sTeaLth 12 / aug / 12:34

Spreading viruses
In the past few days, a virus has killed the WinXP machines of several PLANC members: it puts an "ordinary" error on the screen with a message that the machine will shut down in 53 seconds. Allegedly it is yet another XP security hole.

This flaw can be fixed by installing this patch: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


<ul type="square">
<li>It wouldn't hurt if people used Norton Antivirus or some other similar memory-resident program to avoid all sorts of viruses, trojans, etc.</li>
<li>It is definitely also recommended to install all the security patches that Windows Update can find.</li></ul>
 
 
Dol Guldur 12 / aug / 14:17  
http://www.minut.ee/article.pl?sid=03/08/12/0854257&mode=nested
 
sTeaLth 12 / aug / 14:22  
uh.. that's not it
 
Dol Guldur 12 / aug / 14:36  
uhh... it is that one, or at least one of them
 
MailmanMel 12 / aug / 14:40  
well then
I installed the patch
let's see what happens
 
Dol Guldur 12 / aug / 14:51  
w32.blaster.worm
Edited 1 time, last on 15 / aug / 10:41 by Dol Guldur.
 
moochie 12 / aug / 18:25  
damn, so this piece of junk generates random IPs by itself and keeps sending itself onward through some port all the time? :/ Plug your security hole then, guys.
 
m1sterX 12 / aug / 18:34  
This thing hasn't reached me yet... I do have NAV too, but who knows whether it works at all
 
Dol Guldur 13 / aug / 01:37  
At least put the Firewall on in XP:
Control Panel --> Network Connections --> my_network_connection --> Properties --> Advanced --> Internet Connection Firewall -> [check] Protect my computer...
Those who are paranoid and want to see how it works: right there below there is also a Settings button, where under Security Logging you can turn on Log dropped packets or Log successful connections, so you can view the connections in the log file.
Within half an hour I already had 17 requests made to port tcp/135, on dial-up(!) :p
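A small script for reading the log that the Security Logging setting above produces, added here as an example; it is not code from this thread or from Microsoft. It assumes the W3C-style layout that the XP Internet Connection Firewall writes to pfirewall.log (a "#Fields:" header followed by one space-separated record per packet), and the log lines below are constructed, not captured from a real machine. It counts dropped inbound connections per destination port and per distinct source, so a burst on tcp/135 like the one described above stands out from ordinary noise; the port list it tags is the one given further down in this thread (TCP 135, TCP 4444, UDP 69).

```python
"""Summarise dropped inbound connections from a Windows XP ICF log (added example)."""
from collections import Counter, defaultdict

# Constructed sample of an ICF log with "Log dropped packets" enabled.
# The field layout is assumed to match what XP writes to pfirewall.log.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-13 01:05:11 DROP TCP 192.0.2.10 198.51.100.5 3022 135 48 S 1234567 0 16384 - - -
2003-08-13 01:06:40 DROP TCP 192.0.2.77 198.51.100.5 1045 135 48 S 7654321 0 65535 - - -
2003-08-13 01:07:02 DROP UDP 192.0.2.77 198.51.100.5 1046 69 72 - - - - - - -
2003-08-13 01:09:18 DROP TCP 203.0.113.4 198.51.100.5 4211 135 48 S 1111111 0 16384 - - -
2003-08-13 01:12:55 DROP TCP 203.0.113.9 198.51.100.5 2901 445 48 S 2222222 0 16384 - - -
2003-08-13 01:15:03 OPEN TCP 198.51.100.5 192.0.2.1 1050 80 0 - 0 0 0 - - -
"""

# Ports named in this thread as used by the worm; tagging them is purely informational.
BLASTER_PORTS = {("TCP", 135), ("TCP", 4444), ("UDP", 69)}


def parse_icf_log(text):
    """Yield one dict per data line, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or mangled record: skip rather than misalign columns
        yield dict(zip(fields, parts))


def _dropped_records(text):
    """DROP records whose destination port is numeric, as (proto, port, src-ip)."""
    for rec in parse_icf_log(text):
        if rec["action"] == "DROP" and rec["dst-port"].isdigit():
            yield rec["protocol"], int(rec["dst-port"]), rec["src-ip"]


def dropped_by_port(text):
    """Count DROP entries per (protocol, destination port)."""
    counts = Counter()
    for proto, port, _src in _dropped_records(text):
        counts[(proto, port)] += 1
    return counts


def sources_by_port(text):
    """Number of distinct source IPs per (protocol, destination port) among DROP entries."""
    srcs = defaultdict(set)
    for proto, port, src in _dropped_records(text):
        srcs[(proto, port)].add(src)
    return {k: len(v) for k, v in srcs.items()}


def noisy_ports(text, threshold=3):
    """(proto, port, count) for ports hit at least `threshold` times, busiest first."""
    hits = [(p, port, n) for (p, port), n in dropped_by_port(text).items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


def report(text, threshold=3):
    """One human-readable line per noisy port, tagging the ports named in the thread."""
    sources = sources_by_port(text)
    lines = []
    for proto, port, n in noisy_ports(text, threshold):
        tag = " (Blaster-associated port)" if (proto, port) in BLASTER_PORTS else ""
        lines.append(f"{proto}/{port}: {n} dropped from {sources[(proto, port)]} sources{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real pfirewall.log by reading the file into `text`; the threshold is deliberately low because on a dial-up line even a handful of unsolicited SYNs to tcp/135 within minutes is already unusual.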
 
MailmanMel 13 / aug / 01:50  
http://www.gudi.dk/60secrebootbug.txt
 
Lyle 13 / aug / 10:20  
Am I wrong if I say that once the user has run some exe or the like, a firewall isn't much help?
The firewall should be on by default, especially for ADSL users on Win XP.
Microsoft says it is an OS bug that hackers have exploited:

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports. (To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine.)


Ports: TCP 135, TCP 4444, UDP 69
Target of infection: Machines with vulnerable DCOM RPC Services running.


Obtaining and running the tool

NOTE: You need administrative rights to run this tool on Windows 2000, or Windows XP.
Download the FixBlast.exe file from:

http://securityresponse.symantec.com/avcenter/FixBlast.exe

Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).
To check the authenticity of the digital signature, refer to the section, "Digital signature."
Close all the running programs before running the tool.
If you are running Windows XP, then disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for additional details.

CAUTION: If you are running Windows XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.


Double-click the FixBlast.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.

NOTE: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."


Restart the computer.
Run the removal tool again to ensure that the system is clean.
If you are running Windows XP, then re-enable System Restore.
Run LiveUpdate to make sure that you are using the most current virus definitions.

When the tool has finished running, you will see a message indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:
Total number of the scanned files
Number of deleted files
Number of terminated viral processes
Number of fixed registry entries
 
Lord Nikon 15 / aug / 00:55  
Well then...

I have completely lost faith in antivirus programs: I found two infected files myself, and none of the antivirus programs thought anything of it (nav, Kaspersky, avg, pc-cillin, f-prot...)

One way to avoid the virus really is to use a firewall. When the virus came out, I was getting a knock on port 135 about once a minute. Lately a completely different port has started getting knocked: 1346. 9 times within 5 minutes.. hmm.. weird.. Allegedly that port is used by something called "Alta Analytics License Manager", whatever that is..

Mailman: your tutorial is only for avoiding the shutdown, not for removing the problem.

P.S. dol, there's an error in your second link ;)
 
Sp33d 15 / aug / 11:29  
if the net is shared through a router, then basically there's no need to activate that WinXP firewall anymore, right?
 
Dol Guldur 15 / aug / 20:39  
yeah, then all the viruses go into the router
 
Sp33d 16 / aug / 01:44  
omg
 
Sp33d 16 / aug / 02:05  
almighty mother god in the heavens, just now in Pärnu, coming online for a moment on a 28kbps modem to read forums and mail, a lovely message appeared on the screen saying the PC will shut down in 53 seconds :S really sick thing. so does installing that patch fix everything? I can't be bothered to read through all the links etc. again
 
Sp33d 16 / aug / 02:07  
I've now turned the XP firewall on, port 443 is getting bombarded like crazy. the internet is becoming a serious threat :D
 
sTeaLth 16 / aug / 14:52  
where can you see this "bombarding"? with a separate program?
 
Dol Guldur 16 / aug / 19:16  
stealth: see my post higher up

Have I understood this correctly, if I claim that the computer restarts are caused by the virus sending malformed requests to the RPC service's port (and RPC is configured by default so that on service failure the machine reboots)?
 
Lord Nikon 18 / aug / 09:27  
The weirdest thing is that the hole was discovered in mid-July; until then the hole existed and nobody knew anything about it.. (at least ~3 years)

It makes you wonder..
 
Sp33d 18 / aug / 13:17  
dol: that's roughly how I understood it too..

Saturday was supposedly "the" day when all the infected computers start bombarding Microsoft's server with requests so that it gets clogged up.. so did anything actually happen to it?