The following tool has just been released:

Microsoft has released a KB 823980 Scanning Tool (KB823980scan.exe) that can
be used to scan networks to identify host computers that do not have the
823980 security patch (MS03-026) installed. For additional information about
the 823980 security patch (MS03-026), click the following article number to
view the article in the Microsoft Knowledge Base:
823980 MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/default.aspx?scid=kb;en-us;823980


For additional information about a new worm virus that tries to exploit
the DCOM RPC vulnerability that is fixed by the 823980 security patch
(MS03-026), click the following article number to view the article in
the Microsoft Knowledge Base:
826955 Virus Alert About the W32.Blaster.Worm Worm
http://support.microsoft.com/default.aspx?scid=KB;EN-US;826955

Download location:
http://microsoft.com/downloads/details.aspx?FamilyId=C8F04C6C-B71B-4992-91F1-AAA785E709DA&displaylang=en

The MS03-026 bulletin is being updated now as well.

--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.

Re: MS03-026 (823980) Scanning Tool Available by LuckyStrike

LuckyStrike
Thu Aug 14 17:25:26 CDT 2003

Thanks for the two links/updates on the "hub-bub" of the last few days.

Regards,
LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
----------------------------------------------------------------------------
"Jerry Bryant [MSFT]" <jbryant@online.microsoft.com> wrote in message
news:uU6NsGrYDHA.212@TK2MSFTNGP12.phx.gbl...
> Link to the KB article for the tool:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;826369
>
> --
> Regards,
>
> Jerry Bryant - MCSE, MCDBA
> Microsoft IT Communities
>
> Get Secure! www.microsoft.com/security
>
>
> This posting is provided "AS IS" with no warranties, and confers no rights.



Re: MS03-026 (823980) Scanning Tool Available - BRAVO!! by S

S
Fri Aug 15 04:18:49 CDT 2003

I second that, but would also like to mention a command-line scanner for
UNIX/Linux/Cygnus (posted to Bugtraq - see
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-08/0038.html), a
command-line scanner from ISS
(http://www.iss.net/support/product_utilities/ms03-026rpc.php), and
Nessus - we have been using the three successfully for a while now :)

--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-

"Hector Santos" <nospam@nospam.com> wrote in message
news:uCCf5ZtYDHA.2424@TK2MSFTNGP12.phx.gbl...
> BRAVO! BRAVO! BRAVO!



Re: MS03-026 (823980) Scanning Tool Available - BRAVO!! by freestyle_london

freestyle_london
Fri Aug 15 13:00:13 CDT 2003

ANSWER TO KB823980Scan patch rollout !!

Tools required

The best tool is a GUI version from www.eeye.com !!! GET IT !!

psexec.exe http://www.sysinternals.com
srvinfo.exe http://www.petri.co.il/download_free_reskit_tools.htm
scanms.exe http://www.iss.net/support/product_utilities/ms03-026rpc.php
OR the Microsoft DOS command-line scanner
http://support.microsoft.com/support/misc/kblookup.asp?ID=826369

All this needs is a list of IP addresses to go through and PATCH. I
have been patching my systems all week using SCANMS.EXE and sending
the output to a file, which I then load into Excel and save.

The Microsoft one does this for me! So I just need to run it and I
have a list of unpatched IPs; I then simply use the attached 2 batch
files.

I have been developing all week, and I'm sure this is not the best
script in the world so modify as required.

*** PLEASE NOTE THOSE ON GOOGLE GROUPS MAY NEED TO AMEND AS LINES GET
CUT ***

The rollout.cmd needs to have a domain admin account AND password
entered and saved

-------rollout.cmd-------------
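rem Usage: rollout filename.txt (one host name or IP address per line)
if {%1}=={} (echo Usage: rollout filename.txt & goto :EOF)
rem This file holds a domain admin password in clear text: restrict access to it and delete it after the rollout
rem Run update.cmd on every listed host; lines starting with ";" are skipped
for /f "eol=; Tokens=*" %%i in (%1) do psexec \\%%i -u domainname\username -p password -c \\server\netlogon\update.cmd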
-----------------------------------------

-------------update.cmd----------------------------
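rem A "c:\documents and settings" folder is taken to mean Windows 2000; otherwise the NT 4.0 branch runs
if exist "c:\documents and settings" goto 2kmachine

rem NT 4.0: kill any nt40.exe process already running, then copy and run the NT 4.0 patch
copy \\server\share\pskill.exe c:\
c:\pskill nt40.exe
copy \\server\share\fix\updated.txt c:\
copy \\server\share\fix\nt40.exe c:\
c:\nt40.exe -m -q
goto EOF

:2kmachine
rem Patch only if srvinfo reports build 2195 with Service Pack 2; otherwise jump to notsp
copy \\server\share\srvinfo.exe c:\winnt /y
for /F %%q in ('SrvInfo -ns^| find /c "Build: 2195, ServicePack 2"') do if %%q==0 goto notsp
copy \\server\share\srvinfo.exe c:\winnt /y
copy \\server\share\fix\updated.txt c:\
copy \\server\share\fix\w2k.exe c:\
c:\w2k.exe -q -u

:notsp
rem Save this machine's srvinfo report to the server share for review
srvinfo -ns >\\server\dir\%computername%.txt

:EOF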
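
A variant of the rollout.cmd loop above, as an added example that is not part of the original post: it prompts for the domain admin account and password at run time so that neither is saved in the script, and it records every host where the run returned a non-zero exit code. The names rollout-prompt.cmd and failed.txt are assumptions, `set /p` and `call :label` need Windows 2000 or later on the machine running the script, and a password containing characters such as & or ^ would need escaping.

```batch
@echo off
rem rollout-prompt.cmd (hypothetical name): same psexec loop as rollout.cmd,
rem but the credentials are typed in at run time instead of stored in the file.
setlocal
if {%1}=={} (echo Usage: rollout-prompt filename.txt & goto :EOF)
if not exist %1 (echo Host list %1 not found & goto :EOF)

rem The password is echoed as typed, so run this where the screen is not observed.
set /p ADMINUSER=Domain admin account (domain\username): 
set /p ADMINPW=Password: 

rem failed.txt (hypothetical name) collects hosts that need another pass;
rem it uses the same one-host-per-line format, so it can be fed back in.
if exist failed.txt del failed.txt
for /f "eol=; tokens=*" %%i in (%1) do call :patch %%i

rem Clear the password from the environment before returning to the prompt.
set ADMINPW=
if exist failed.txt (echo Hosts needing another pass are listed in failed.txt)
endlocal
goto :EOF

:patch
rem %1 is the host taken from the list. A non-zero exit code can come from
rem psexec itself (host unreachable, logon refused) or from update.cmd.
psexec \\%1 -u %ADMINUSER% -p %ADMINPW% -c \\server\netlogon\update.cmd
if not %errorlevel%==0 (>>failed.txt echo %1)
goto :EOF
```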