|
Updating security patch:
|
|
I was helped recently with a patch issue. I had to update my w2k clients to ensure they weren't susceptible to attack through nachi/blaster. However I can't find this thread (I used to search on my user name before the board layout change). Could someone provide me with a few hints on how I would check my existing clients if I had a security patch and if not update with this.
Thanks
Steve.
ps I think the new layout is much better...
|
Radimus
|
(KiX Supporter)
|
2003-11-20 11:50 AM
Re: Updating security patch:
|
|
untested... and would only work for the newer patches win2k +
; Filelist\0 holds the name, location and version of the first file the hotfix replaced
$key  = 'HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist\0'
$file = readvalue($key,'Filename')
$path = readvalue($key,'Location')
$vers = readvalue($key,'Version')
; run the patch if the registry entry is missing or the file on disk reports a lower version
if @error or getfileversion($path+'\'+$file) < $vers
  shell '\\server\sertup\folder\patch.exe -q -u -z -n -o'
endif
|
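The reply above tests `getfileversion(...) < $vers` on two version strings. As an added example (not code from the thread), a field-by-field numeric comparison ranks 5.1.2600.135 below 5.1.2600.1230, which a character-by-character string comparison does not. `CompareVersion` and `NeedsPatch` are hypothetical helper names; the registry layout is the one the reply reads.

```kixtart
; Added example, not from the thread; CompareVersion and NeedsPatch are hypothetical names.
; Returns -1, 0 or 1 when dotted version $a is older than, equal to or newer than $b.
Function CompareVersion($a, $b)
  Dim $pa, $pb, $i, $max, $na, $nb, $result
  ; keep only the numeric part: a FileVersion string can carry text after a space
  $pa = Split(Split(Trim($a), ' ')[0], '.')
  $pb = Split(Split(Trim($b), ' ')[0], '.')
  $max = UBound($pa)
  If UBound($pb) > $max
    $max = UBound($pb)
  EndIf
  $result = 0
  $i = 0
  While ($i <= $max) And ($result = 0)
    ; a missing field counts as 0, so "5.1" equals "5.1.0.0"
    $na = 0
    $nb = 0
    If $i <= UBound($pa)
      $na = Val($pa[$i])
    EndIf
    If $i <= UBound($pb)
      $nb = Val($pb[$i])
    EndIf
    If $na < $nb
      $result = -1
    EndIf
    If $na > $nb
      $result = 1
    EndIf
    $i = $i + 1
  Loop
  $CompareVersion = $result
EndFunction

; Returns 1 when the file recorded under a hotfix Filelist key is missing or older
; than the version the hotfix registered, 0 when it is current.
Function NeedsPatch($filelistkey)
  Dim $file, $path, $vers
  $NeedsPatch = 1
  $file = ReadValue($filelistkey, 'Filename')
  $path = ReadValue($filelistkey, 'Location')
  $vers = ReadValue($filelistkey, 'Version')
  If @error = 0
    If Exist($path + '\' + $file) And (CompareVersion(GetFileVersion($path + '\' + $file), $vers) >= 0)
      $NeedsPatch = 0
    EndIf
  EndIf
EndFunction
```

Calling `NeedsPatch` with the `...\KB824141\Filelist\0` key from the reply replaces the inline `if @error or ...` test.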
Co
|
(MM club member)
|
2003-11-20 12:10 PM
Re: Updating security patch:
|
|
Tested: Excuse me for the Dutch comment. I'm a bit lazy today. I think you will understand the script without understanding the comment...
Code:
; **************************************************************************
; * This script checks whether the W32.Blaster virus or variants of it are
; * present on Windows XP PCs.
; * If this is not the case, it is installed after all.
; * If the script finds the virus, this is logged.
; *
; * 14/08/2003 - Co
; **************************************************************************

; system folder name: system32 on NT-family Windows, system on Win9x
$sys='system32'
If @inwin = 2
  $sys='system'
EndIf

; one log file per workstation
$srv='\\server\log$\MSblaster\'+@wksta+'.log'

; autorun value written by the worm
$reg = ReadValue("HKLM\Software\Microsoft\Windows\currentVersion\Run","Windows auto update")
If @error = 0
  $nul=Open(1,$srv,5)
  $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
  ; log text: "Regkey Windows auto update has been removed"
  $actie='Regkey Windows auto update is verwijderd'+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $nul=WriteLine(1,$actie)
  $nul=DelValue("HKLM\Software\Microsoft\Windows\currentVersion\Run","Windows auto update")
  $nul=Close(1)
EndIf

; worm binary: msblast.exe
If Exist("%windir%\$sys\msblast.exe")<>0
  $nul=Open(1,$srv,5)
  $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
  ; log text: "msblast.exe has been removed"
  $actie='msblast.exe is verwijderd'+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $nul=WriteLine(1,$actie)
  ; run the removal tool from the server, then delete the file
  Shell "%COMSPEC% /e:1024 /c \\server\location\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
  Del "%windir%\$sys\msblast.exe"
  $nul=Close(1)
EndIf

; variant: teekids.exe
If Exist("%windir%\$sys\teekids.exe")<>0
  $nul=Open(1,$srv,5)
  $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
  ; log text: "teekids.exe has been removed"
  $actie='teekids.exe is verwijderd'+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $nul=WriteLine(1,$actie)
  Shell "%COMSPEC% /e:1024 /c \\server\location\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
  Del "%windir%\$sys\teekids.exe"
  $nul=Close(1)
EndIf

; variant: penis32.exe
If Exist("%windir%\$sys\penis32.exe")<>0
  $nul=Open(1,$srv,5)
  $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
  ; log text: "penis32.exe has been removed"
  $actie='penis32.exe is verwijderd'+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)
  $nul=WriteLine(1,$actie)
  Shell "%COMSPEC% /e:1024 /c \\server\location\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
  Del "%windir%\$sys\penis32.exe"
  $nul=Close(1)
EndIf
|
Co
|
(MM club member)
|
2003-11-20 12:16 PM
Re: Updating security patch:
|
|
Sorry, I replied to your post with the wrong script. You need this one:
Code:
; **************************************************************************
; * This script checks whether Security Patch Q824146 is installed on
; * Windows XP PCs.
; * If this is not the case, it is installed after all.
; * Whatever the script finds is logged.
; *
; * 14/08/2003 - Co
; **************************************************************************

; one log file per workstation
$srv='\\server\log$\Q824146\'+@wksta+'.txt'

; only on NT-family Windows
If @INWIN=1
  $nul=Open(1,$srv,5)
  $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT Version'+Chr(9)+'Mac Address'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(9)+'RPC Version'+Chr(13)+Chr(10)
  $nul=WriteLine(1,$logdata)

  Dim $KBPath,$RPCver
  $KBPath='\\server\patch\Q824146.exe'
  ; version of the RPC runtime DLL, recorded in the log
  $RPCver=GetFileVersion('%windir%\system32\Rpcrt4.dll', 'Productversion')

  Select
    ; hotfix key absent: install the patch and log the workstation details
    Case @ProductType='Windows XP Professional' AND NOT KeyExist('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146')
      Shell '%comspec% /c $KBPath'
      $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(9)+$RPCver+Chr(13)+Chr(10)
      $nul=WriteLine(1,$logdata)
    ; hotfix key present: log text "Q824146 is already installed"
    Case @ProductType='Windows XP Professional' AND KeyExist('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146')
      $logdata=@Wksta+Chr(9)+'Q824146 is reeds geinstalleerd'+Chr(13)+Chr(10)
      $nul=WriteLine(1,$logdata)
  EndSelect
EndIf

:end
$nul=Close(1)
|
Radimus
|
(KiX Supporter)
|
2003-11-20 01:27 PM
Re: Updating security patch:
|
|
Code:
;************************************ W2K HotFix Updates *****************************************
; $setup and $logon are not defined in this excerpt; set them to your share paths first
; skip the update over dial-up (RAS) connections
if @ras=0
  ; hotfixes already registered on this machine
  $arrkey = arrEnumKey('HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5')
  ; hotfix installers available on the share
  $arrdir = arrEnumDir($setup+'\Win2k_Hotfixes','*.exe',1)
  $reboot = 0
  for each $dir in $arrdir
    $installed = 0
    ; second '-'-separated field of the installer path is matched against the registry key names
    $parsed = split($dir,'-')[1]
    for each $key in $arrkey
      if $key = $parsed
        $installed = 1
      endif
    next
    if not $installed
      $=sendmessage(@wksta,"A CRTICAL upgrade is now starting. Your computer will restart on it's own in about 2-3 minutes. Please do not open any programs. There is no need to click the OK button.")
      ? ' Installing '+$parsed
      shell '%comspec% /c ' + $dir + ' -q -z -u -n -o'
      ; record hotfix, workstation and date in the inventory log
      $ = Writeprofilestring($logon+'\inventory\HotFix.log', $parsed, @wksta, @date)
      $reboot = 1
    endif
  next
  if $reboot
    $ = ShutDown('', 'Updates have been applied that require to computer to restart', 5, 1, 1)
    quit
  endif
endif

;****************************************************************************************************
; returns an array of the subkey names under $regkey
function arrenumkey($regkey)
  dim $Key, $c
  if not keyexist($regkey)
    exit 87
  endif
  do
    $Key = $Key+'|'+enumkey($regkey,$c)
    $c = $c + 1
  until @error
  $arrenumkey = split(substr($Key,2,len($Key)-2),'|')
Endfunction

;****************************************************************************************************
; runs a command through WScript.Shell and returns its output as an array of lines
Function WshPipe($ShellCMD, OPTIONAL $NoEcho)
  Dim $oExec, $Output
  $oExec = CreateObject("WScript.Shell").Exec($ShellCMD)
  If Not VarType($oExec)=9
    $WshPipe="WScript.Shell Exec Unsupported"
    Exit 10
  EndIf
  ; wait for the command to finish
  While Not $oExec.Status
  Loop
  $Output = $oExec.StdOut.ReadAll + $oExec.StdErr.ReadAll
  If Not $NoEcho
    $Output
  Endif
  $WshPipe=Split($Output,CHR(10))
  Exit($oExec.ExitCode)
EndFunction

;****************************************************************************************************
; returns an array of the files in $directory matching $mask, via "dir /b"
Function arrEnumdir($directory, optional $mask, Optional $Subdir)
  dim $e
  if $subdir
    $subdir='/s'
  endif
  if exist($directory)
    $e = WshPipe('%comspec% /c dir "$directory\$mask" /b $subdir',1)
    ; drop the empty element after the final line feed
    redim preserve $e[ubound($e)-1]
    $arrEnumdir=split(join($e,'|'),chr(13)+'|')
  else
    exit 87
  endif
Endfunction
;****************************************************************************************************
|
MightyR1
|
(MM club member)
|
2003-11-20 03:48 PM
Re: Updating security patch:
|
|
Long Lines detected!!!
Call the police...
|
|
Re: Updating security patch:
|
|
Thanks for the help. Radimus, if my clients are running a previous service pack, for example SP4 (2000), will this script run? Also, if I want to run the security updates, e.g. q823980i, do I replace the line "\Win2k_Hotfixes','*.exe'" with my own path...
Thank you.
|
Co
|
(MM club member)
|
2003-11-20 04:35 PM
Re: Updating security patch:
|
|
OK, I confess, I'm guilty
|
|
Re: Updating security patch:
|
|
By the way Co, one of your files is called 'penis' is this deliberate.
|
Radimus
|
(KiX Supporter)
|
2003-11-20 05:00 PM
Re: Updating security patch:
|
|
of course.. if you look in that reg key all the new hotfixes go into SP5... until there is a SP5
|
Co
|
(MM club member)
|
2003-11-21 10:36 AM
Re: Updating security patch:
|
|
LOL
Quote:
By the way Co, one of your files is called 'penis' is this deliberate.
Quote:
..On finding a vulnerable computer system, the worm causes the remote machine to acquire a copy of the worm using TFTP, which is saved as msblast.exe or penis32.exe in the Windows system folder..
See Sophos Website
|