#108465 - 2003-11-20 11:36 AM Updating security patch:
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
I was helped recently with a patch issue. I had to update my w2k clients to ensure they weren't susceptible to attack through nachi/blaster. However I can't find this thread (I used to search on my user name before the board layout change). Could someone provide me with a few hints on how I would check my existing clients if I had a security patch and if not update with this.

Thanks

Steve.

ps I think the new layout is much better...

_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

#108466 - 2003-11-20 11:50 AM Re: Updating security patch:
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
untested... and would only work for the newer patches win2k +



; Read the file name, location and version that the KB824141 patch recorded in the registry
$file = readvalue('HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist\0','Filename')
$path = readvalue('HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist\0','Location')
$vers = readvalue('HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist\0','Version')
; Run the patch if the registry value could not be read or the file on disk reports a lower version
if @error or getfileversion($path+'\'+$file) < $vers
    shell '\\server\sertup\folder\patch.exe -q -u -z -n -o'
endif

_________________________
How to ask questions the smart way <-----------> Before you ask

#108467 - 2003-11-20 12:10 PM Re: Updating security patch:
Co Offline
MM club member
***

Registered: 2000-11-20
Posts: 1341
Loc: NL
Tested: Excuse me for the Dutch comment. I'm a bit lazy today. I think you will understand the script without understanding the comment...

Code:
; **************************************************************************************************************
; * *
; * This script checks whether the W32.Blaster virus or variants of it are present on Windows XP PCs. *
; * If this is not the case, it is installed after all. *
; * If the script finds the virus, this is logged. *
; * *
; * 14/08/2003 - Co *
; * *
; **************************************************************************************************************

; System folder name depends on the Windows family (@inwin = 2 is Windows 9x)
$sys='system32'
If @inwin = 2
    $sys='system'
EndIf

; One log file per workstation on the server share
$srv='\\server\log$\MSblaster\'+@wksta+'.log'

; Remove the worm's autostart value from the Run key and log it
$reg = ReadValue("HKLM\Software\Microsoft\Windows\currentVersion\Run","Windows auto update")
If @error = 0
    Open(1,$srv,5)
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $actie='Regkey Windows auto update is verwijderd'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)
    DelValue("HKLM\Software\Microsoft\Windows\currentVersion\Run","Windows auto update")

    $nul=Close(1)
EndIf

; msblast.exe found: log it, run the removal tool, delete the file
If Exist("%windir%\$sys\msblast.exe")<>0
    Open(1,$srv,5)
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $actie='msblast.exe is verwijderd'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)
    Shell "%COMSPEC% /e:1024 /c \\server\location\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
    Del "%windir%\$sys\msblast.exe"

    $nul=Close(1)
EndIf

; teekids.exe found: log it, run the removal tool, delete the file
If Exist("%windir%\$sys\teekids.exe")<>0
    Open(1,$srv,5)
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $actie='teekids.exe is verwijderd'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)
    Shell "%COMSPEC% /e:1024 /c \\server\location\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
    Del "%windir%\$sys\teekids.exe"

    $nul=Close(1)
EndIf

; penis32.exe found: log it, run the removal tool, delete the file
If Exist("%windir%\$sys\penis32.exe")<>0
    Open(1,$srv,5)
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $actie='penis32.exe is verwijderd'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)
    Shell "%COMSPEC% /e:1024 /c \\server\location\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
    Del "%windir%\$sys\penis32.exe"

    $nul=Close(1)
EndIf

_________________________
Co


#108468 - 2003-11-20 12:16 PM Re: Updating security patch:
Co Offline
MM club member
***

Registered: 2000-11-20
Posts: 1341
Loc: NL
Sorry, I replied to your post with the wrong script. You need this one:

Code:
 
; **************************************************************************************************************
; * *
; * This script checks whether Security Patch Q824146 is installed on Windows XP PCs. *
; * If this is not the case, it is installed after all. *
; * Whatever the script finds is logged. *
; * *
; * 14/08/2003 - Co *
; * *
; **************************************************************************************************************

; One log file per workstation on the server share
$srv='\\server\log$\Q824146\'+@wksta+'.txt'
If @INWIN=1

    Open(1,$srv,5)
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT Version'+Chr(9)+'Mac Address'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(9)+'RPC Version'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)

    Dim $KBPath,$RPCver
    $KBPath='\\server\patch\Q824146.exe'
    ; Version of Rpcrt4.dll, written to the log next to the workstation details
    $RPCver=GetFileVersion('%windir%\system32\Rpcrt4.dll', 'Productversion')

    Select

        ; HotFix key missing: run the patch and log the workstation details
        Case @ProductType='Windows XP Professional' AND NOT KeyExist('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146')

            Shell '%comspec% /c $KBPath'
            $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(9)+$RPCver+Chr(13)+Chr(10)
            $nul=WriteLine(1,$logdata)

        ; HotFix key present: only log that the patch is already installed
        Case @ProductType='Windows XP Professional' AND KeyExist('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146')
            $logdata=@Wksta+Chr(9)+'Q824146 is reeds geinstalleerd'+Chr(13)+Chr(10)
            $nul=WriteLine(1,$logdata)

    EndSelect
EndIf
:end
$nul=Close(1)


_________________________
Co


#108469 - 2003-11-20 01:27 PM Re: Updating security patch:
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Code:
 
;************************************ W2K HotFix Updates *****************************************
; $setup and $logon are not defined in this snippet and must be set before it runs
if @ras=0
    ; Subkey names under this key are compared with the installer names below
    $arrkey = arrEnumKey('HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5')
    $arrdir = arrEnumDir($setup+'\Win2k_Hotfixes','*.exe',1)
    $reboot = 0
    for each $dir in $arrdir
        $installed = 0
        ; Second '-'-separated field of the installer name
        $parsed = split($dir,'-')[1]
        for each $key in $arrkey
            if $key = $parsed $installed = 1 endif
        next
        if not $installed
            $=sendmessage(@wksta,"A CRTICAL upgrade is now starting. Your computer will restart on it's own in about 2-3 minutes. Please do not open any programs. There is no need to click the OK button.")
            ? ' Installing '+$parsed
            shell '%comspec% /c ' + $dir + ' -q -z -u -n -o'
            ; Record the install in a shared INI-style log: section = hotfix, key = workstation, value = date
            $ = Writeprofilestring($logon+'\inventory\HotFix.log', $parsed, @wksta, @date)
            $reboot = 1
        endif
    next
    if $reboot
        ShutDown ('', 'Updates have been applied that require to computer to restart', 5, 1, 1)
        quit
    endif
endif

;****************************************************************************************************
; Returns an array with the names of all subkeys of $regkey
function arrenumkey($regkey)
    dim $Keylist, $c
    if not keyexist($regkey) exit 87 endif
    do
        $Key = $Key+'|'+enumkey($regkey,$c)
        $c = $c + 1
    until @error
    $arrenumkey = split(substr($Key,2,len($Key)-2),'|')
Endfunction
;****************************************************************************************************
; Runs a command through WScript.Shell and returns its output as an array of lines
Function WshPipe($ShellCMD, OPTIONAL $NoEcho)
    Dim $oExec, $Output
    $oExec = CreateObject("WScript.Shell").Exec($ShellCMD)
    If Not VarType($oExec)=9 $WshPipe="WScript.Shell Exec Unsupported" Exit 10 EndIf
    While Not $oExec.Status Loop
    $Output = $oExec.StdOut.ReadAll + $oExec.StdErr.ReadAll
    If Not $NoEcho $Output Endif
    $WshPipe=Split($Output,CHR(10))
    Exit($oExec.ExitCode)
EndFunction
;****************************************************************************************************
; Returns an array of the files in $directory that match $mask (recursive when $Subdir is set)
Function arrEnumdir($directory, optional $mask, Optional $Subdir)
    if $subdir $subdir='/s' endif
    if exist($directory)
        $E = WshPipe('%comspec% /c dir "$directory\$mask" /b $subdir',1)
        redim preserve $e[ubound($e)-1]
        $arrEnumdir=split(join($e,'|'),chr(13)+'|')
    else
        exit 87
    endif
Endfunction
;****************************************************************************************************
;****************************************************************************************************



_________________________
How to ask questions the smart way <-----------> Before you ask
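
An added example, not code from any poster in this thread: a Python model of the two checks posted above (hotfix entry present in the registry, and the file on disk at least the version the patch recorded), comparing versions field by field as integers because a plain text comparison ranks 5.0.2195.999 above 5.0.2195.1263. The function names, data shapes, installer file names, path and version numbers are assumptions made for the illustration.

```python
import re

def parse_version(text):
    """'5.0.2195.1263' -> (5, 0, 2195, 1263), so fields compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)

def kb_id(name):
    """Normalise 'Q824146.exe' or 'Windows2000-KB824146-x86-ENU.exe' to 'KB824146'."""
    m = re.search(r"(?:KB|Q)(\d{6})", name, re.IGNORECASE)
    return "KB" + m.group(1) if m else None

def audit(installers, registry, disk):
    """Return {id: reason} for each installer that still has to run.

    registry: {kb: [(file path, version recorded by the patch), ...]}
    disk:     {file path: version found on disk}
    Both shapes are hypothetical stand-ins for the registry and file reads.
    """
    todo = {}
    for name in installers:
        kb = kb_id(name)
        if kb is None:
            todo[name] = "no KB/Q number in file name"
        elif kb not in registry:
            todo[kb] = "no registry entry"
        else:
            for path, required in registry[kb]:
                found = disk.get(path)
                if found is None:
                    todo[kb] = path + " not found"
                elif parse_version(found) < parse_version(required):
                    todo[kb] = f"{path} is {found}, patch recorded {required}"
    return todo

# Constructed sample data: file names, path and version numbers are invented.
INSTALLERS = ["Windows2000-KB824146-x86-ENU.exe", "Q823980.exe", "readme.exe"]
REGISTRY = {"KB824146": [(r"c:\winnt\system32\rpcrt4.dll", "5.0.2195.1263")]}
DISK = {r"c:\winnt\system32\rpcrt4.dll": "5.0.2195.999"}

if __name__ == "__main__":
    for item, reason in audit(INSTALLERS, REGISTRY, DISK).items():
        print(item, "->", reason)
```

Here KB824146 is reported even though its registry entry exists, because the file on disk is older than the version the patch recorded.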

#108470 - 2003-11-20 03:48 PM Re: Updating security patch:
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Long Lines detected!!!

Call the police...


_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#108471 - 2003-11-20 04:28 PM Re: Updating security patch:
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
Thanks for the help. Radimus if my clients are running a previous service pack, for example SP4 (2000) will this script run? Also, if I want to run the security updates, eg q823980i do I replace the line "\Win2k_Hotfixes','*.exe'" with my own path...

Thank you.
_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

#108472 - 2003-11-20 04:35 PM Re: Updating security patch:
Co Offline
MM club member
***

Registered: 2000-11-20
Posts: 1341
Loc: NL
OK, I confess, I'm guilty
_________________________
Co


#108473 - 2003-11-20 04:54 PM Re: Updating security patch:
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
By the way Co, one of your files is called 'penis' is this deliberate.



Edited by Stephen Wintle (2003-11-20 04:54 PM)
_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

#108474 - 2003-11-20 05:00 PM Re: Updating security patch:
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
of course.. if you look in that reg key all the new hotfixes go into SP5... until there is a SP5
_________________________
How to ask questions the smart way <-----------> Before you ask

#108475 - 2003-11-21 10:36 AM Re: Updating security patch:
Co Offline
MM club member
***

Registered: 2000-11-20
Posts: 1341
Loc: NL
LOL
Quote:

By the way Co, one of your files is called 'penis' is this deliberate.



Quote:

..On finding a vulnerable computer system, the worm causes the remote machine to acquire a copy of the worm using TFTP, which is saved as msblast.exe or penis32.exe in the Windows system folder..



See Sophos Website
_________________________
Co

