[AccessD] martin's problem - SOLUTON

Stuart Sanders stuart at pacific.net.hk
Wed Aug 13 10:20:29 CDT 2003


Hehe ditto ... None of my clients had a problem :)  Note that I don't always install patches as quickly as that one, but the hole
was wide enough to sail the Titanic through and deserved special attention.

On a side note, here's a new advisory from MS:
http://www.microsoft.com/security/incident/blast.asp

Note they recommend home users to install 3rd party software firewalls, e.g. ZoneAlarm, Tiny, Kerio, etc.  This should also apply to
SOHO or small businesses.

Stuart


> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of
> William Hindman
> Sent: Wednesday, 13 August, 2003 10:44 PM
> To: Access Developers discussion and problem solving
> Subject: Re: [AccessD] martin's problem - SOLUTON
>
>
> ...you have to have admin rights to install ...I never give that to any
> client unless they have a dba ...for those clients where I control the
> network, I do configure them to dl the updates but not install ...way too
> many "updates" have turned out to have serious problems so unless it's a
> serious security hole, I usually wait a bit until the dust has settled
> before actually installing the updates ...I never automatically dl and
> install anything ...lots of people do and as far as I'm concerned, they make
> great guinea pigs :))))))
>
> ...no client where I control the network had any problem yesterday because
> the security patches were already installed ...but one who was using another
> network company called me when they couldn't get them to respond ...and
> they've now switched to me at a stiff premium ...so I say (tongue in cheek)
> god bless the hackers, they're great job security in these tight times :)
>
> William Hindman
> So, then, to every man his chance -- to every man, regardless of his birth,
> his shining golden opportunity -- to every man his right to live, to work,
> to be himself, to become whatever his manhood and his vision can combine to
> make him -- this, seeker, is the promise of America.
> -- Thomas Wolfe
>
>
>
> ----- Original Message -----
> From: "John Colby" <jcolby at colbyconsulting.com>
> To: "Access Developers discussion and problem solving"
> <accessd at databaseadvisors.com>
> Sent: Wednesday, August 13, 2003 8:51 AM
> Subject: RE: [AccessD] martin's problem - SOLUTON
>
>
> > Windows has a little client program that sits in the toolbar, loaded when
> > windows loads.  It checks for updates automatically and offers a choice of
> > "install automatically", "Ask before install", and "jump off a bridge".  It
> > works very well.  I have all my systems set up to download and then ask
> > before install.  Not sure why I do that as I always just install them
> > anyway.
> >
> > At any rate, my computers are always up to date.
> >
> > John W. Colby
> > www.colbyconsulting.com
> >
> > -----Original Message-----
> > From: accessd-bounces at databaseadvisors.com
> > [mailto:accessd-bounces at databaseadvisors.com]On Behalf Of William
> > Hindman
> > Sent: Wednesday, August 13, 2003 12:06 AM
> > To: Access Developers discussion and problem solving
> > Subject: Re: [AccessD] martin's problem - SOLUTON
> >
> >
> > ...some follow-up comments ...the MS Win Update site was heavily loaded all
> > day long ...dls were much slower than normal at every client site ...and as
> > for what you were seeing, the worm exploits a buffer overrun to get into
> > your system, then dls the msblast.exe from a dynamically changing list of
> > IPs and ports ...so even if you wipe msblast, it just reloads the next time
> > you connect ...you have to have the ms patch installed to prevent it from
> > using the buffer overrun to reload itself again and again ...then the virus
> > cleaning will work ...only positive was that it was an excellent client
> > object lesson in keeping Win updates current ...safest thing is to dl them
> > automatically every night and then apply selectively ...that way you at
> > least have them dl'd before everyone starts hitting on the ms site ...I'm
> > really pretty surprised that it worked as well as it did.
> >
> > William Hindman
> > So, then, to every man his chance -- to every man, regardless of his birth,
> > his shining golden opportunity -- to every man his right to live, to work,
> > to be himself, to become whatever his manhood and his vision can combine to
> > make him -- this, seeker, is the promise of America.
> > -- Thomas Wolfe
> >
> >
> >
> > ----- Original Message -----
> > From: "Steven W. Erbach" <serbach at new.rr.com>
> > To: "Access Developers discussion and problem solving"
> > <accessd at databaseadvisors.com>
> > Sent: Tuesday, August 12, 2003 5:57 PM
> > Subject: Re: [AccessD] martin's problem - SOLUTON
> >
> >
> > > Dear Group,
> > >
> > > >> This link points to Symantec's fix for the worm. Look for "Removal
> > > using the W32.Blaster.Worm Removal Tool" to locate the link to the fix
> > > file. <<
> > >
> > > For what it's worth, I went to a client's site to eradicate the Blaster
> > > Worm. SHEESH! It's a Win XP Home system that has not been updated to the
> > > most recent Windows update since they bought it about two years ago. It
> > > has Norton AntiVirus 2003 on it, but, of course, the last time they did a
> > > virus update was last week. They have no firewall.
> > >
> > > I was able to download the Symantec "fix" while in normal Windows, but I
> > > had to run the program in Safe Mode since the RPC error / Shutdown message
> > > appeared every time I tried to run the fix. So far so good.
> > >
> > > I thought that I'd try to go to the Windows Update site. It showed that
> > > this PC, of course, hadn't ever been updated, so there were 34 critical
> > > updates to make. Started the first one...RPC error / Shutdown.
> > >
> > > Okay, let's update Norton AntiVirus. Did that, but I still got the RPC
> > > error. Shutdown.
> > >
> > > Started up in Safe Mode and ran a full Norton AV System Scan. 114,000
> > > files later there were no viruses present.
> > >
> > > Restarted in normal Windows and went to the Windows Update site. Norton
> > > displayed its W32.Blaster.Worm detection screen and said that it had been
> > > deleted...but a minute or two later the RPC error appeared again anyway
> > > and I had to shut the system down and restart.
> > >
> > > I tried this Windows Update thingy a few more times. There were a couple
> > > of times after the Norton AV message appeared indicating that, once again,
> > > it had deleted Blaster.Worm, a Windows message appeared indicating that the
> > > Generic Host Process for Win32 Services had encountered a problem and
> > > needed to close. Right after that the RPC / Shutdown error appeared.
> > > Restart.
> > >
> > > I finally got wise that Windows REALLY needed to have the MS KB823980
> > > patch applied. I hadn't tried that right away because I thought that
> > > Windows had to be updated to the most recent level first. I tried to run
> > > the file from the Microsoft site rather than saving to disk and got both
> > > the Generic Host Process error and the RPC error. Shutdown and restart.
> > >
> > > I got even MORE wise and restarted in Safe Mode With Network capability. I
> > > downloaded the patch all right...but instead of applying it I thought I'd
> > > try the Windows update again. RPC. Shutdown.
> > >
> > > Restarted in Safe Mode with Network. Started the patch. RPC / Shutdown.
> > >
> > > Restarted in Safe Mode WITHOUT the network. Ran the patch. COMPLETED!
> > >
> > > Restarted in Safe Mode WITH Networking to try Windows Update again.
> > > Finally the PC began downloading the huge number of pieces that it needed
> > > to upgrade Win XP to the current revision. I left my client's office about
> > > 4 hours after I'd arrived, giving them instructions to call when the
> > > downloads were completed. I should be able to walk them through the
> > > Windows Update process tonight.
> > >
> > > They have DSL but it was god-awful slow. 95 MB download estimated at about
> > > 200 minutes...more than 10 times slower than my cable service would take.
> > >
> > > So, the upshot is, if the PC hasn't been updated to the most recent
> > > version of XP lately (or at all) make sure that you download and run
> > > everything in Safe Mode...and make sure to run the MS patch in Safe Mode
> > > WITHOUT networking. I must have seen that RPC shutdown thing two dozen
> > > times or more, and the General Host Process error 8 or 9 times.
> > >
> > > It's now looking good, but we're not finished upgrading Windows XP yet.
> > > I'm crossing my fingers that the guy on the other end of the phone is
> > > somewhat proficient. Crossing my fingers.
> > >
> > > Steve Erbach
> > > Scientific Marketing
> > > Neenah, WI
> > >
> > > "Eventually, socialists run out of other people's money."
> > > -- Lady Margaret Thatcher
> > >
> > >
> > > _______________________________________________
> > > AccessD mailing list
> > > AccessD at databaseadvisors.com
> > > http://databaseadvisors.com/mailman/listinfo/accessd
> > > Website: http://www.databaseadvisors.com
> > >

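The remediation order the thread converges on (apply KB823980 offline first, then clean, then update and add a firewall), as an added example that is not part of any poster's message. The inventory format, host names and the placeholder KB000001 are constructed assumptions.

```python
# Added example (not from the thread): order Blaster clean-up per host.
PATCH = "KB823980"          # patch named in the thread
WORM_IMAGE = "msblast.exe"  # worm binary named in the thread

# Constructed inventory in an assumed key=value format; KB000001 is a placeholder.
SAMPLE_INVENTORY = """\
host=FRONTDESK hotfixes= procs=svchost.exe,MSBLAST.EXE firewall=off
host=ACCOUNTS hotfixes=KB000001 procs=svchost.exe,explorer.exe firewall=off
host=SERVER1 hotfixes=KB000001,KB823980 procs=svchost.exe firewall=on
host=LAPTOP7 hotfixes=kb823980 procs=msblast.exe,explorer.exe firewall=on
"""

def _items(value):
    return {x.strip().lower() for x in value.split(",") if x.strip()}

def parse_line(line):
    """Parse one inventory line; names are compared case-insensitively."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "host": fields["host"],
        "hotfixes": {h.upper() for h in _items(fields.get("hotfixes", ""))},
        "procs": _items(fields.get("procs", "")),
        "firewall": fields.get("firewall", "off").lower() == "on",
    }

def plan(host):
    """Return (state, ordered steps) in the order the thread arrived at."""
    patched = PATCH in host["hotfixes"]
    infected = WORM_IMAGE in host["procs"]
    steps = []
    if not patched:
        # An unpatched host is re-entered on reconnect, so patch offline first.
        steps += ["boot Safe Mode without networking",
                  f"apply {PATCH} from a saved copy"]
    if infected:
        # Removal only sticks once the patch is in place.
        steps.append("run the removal tool and a full AV scan")
    if not patched:
        steps.append("reconnect and run Windows Update")
    if not host["firewall"]:
        steps.append("enable a firewall")
    state = ("infected" if infected else "clean") + ("-patched" if patched else "-unpatched")
    return state, steps

RANK = ["infected-unpatched", "clean-unpatched", "infected-patched", "clean-patched"]

def triage(text):
    """Return (host, state, steps) rows, most urgent first."""
    lines = (l for l in text.splitlines() if l.strip())
    rows = [(h["host"],) + plan(h) for h in map(parse_line, lines)]
    return sorted(rows, key=lambda r: RANK.index(r[1]))
```
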


