Stephen Wintle
(Seasoned Scripter)
2003-11-20 11:36 AM
Updating security patch:

I was helped recently with a patch issue. I had to update my W2K clients to ensure they weren't susceptible to attack through Nachi/Blaster. However, I can't find this thread (I used to search on my user name before the board layout change). Could someone provide me with a few hints on how I would check my existing clients to see if they had a security patch and, if not, update with this.

Thanks

Steve.

PS: I think the new layout is much better...



Radimus
(KiX Supporter)
2003-11-20 11:50 AM
Re: Updating security patch:

untested... and would only work for the newer patches win2k +



; The Updates key records, per patched file, the file name, where it was installed and the
; version the hotfix shipped. If the key is missing (@ERROR set) or the file on disk is older
; than the recorded version, run the patch package silently.
$file = ReadValue('HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist\0', 'Filename')
$path = ReadValue('HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist\0', 'Location')
$vers = ReadValue('HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist\0', 'Version')
; note: '<' here compares the two version strings as text, not component by component
If @ERROR Or GetFileVersion($path + '\' + $file) < $vers
    ; -q quiet, -u unattended, -z no reboot, -n no uninstall folder, -o overwrite OEM files without prompting
    Shell '\\server\setup\folder\patch.exe -q -u -z -n -o'
EndIf



Co
(MM club member)
2003-11-20 12:10 PM
Re: Updating security patch:

Tested. Excuse me for the Dutch comments. I'm a bit lazy today. I think you will understand the script without understanding the comments...

Code:
; **************************************************************************************************************
; *
; * This script checks whether the W32.Blaster worm or one of its variants is present on Windows XP PCs.
; * If the script finds the worm (its Run-key entry or one of its executables), it removes it and logs the find.
; *
; * 14/08/2003 - Co
; *
; **************************************************************************************************************

; Windows 9x (@InWin = 2) keeps its system folder in 'system', NT-class systems in 'system32'
$sys = 'system32'
If @InWin = 2
    $sys = 'system'
EndIf

; one log file per workstation on the server share
$srv = '\\server\log$\MSblaster\' + @WKSTA + '.log'

; write one tab-separated log entry: header line, machine/user details, and the action taken
Function LogAction($actie)
    $nul = Open(1, $srv, 5)
    $nul = WriteLine(1, 'Workstation' + Chr(9) + 'OS' + Chr(9) + 'Build' + Chr(9) + 'SP' + Chr(9) + 'NT' + Chr(9) + 'Mac' + Chr(9) + 'IPAddress' + Chr(9) + 'UserID' + Chr(9) + 'Full Name' + Chr(9) + 'privilege level' + Chr(9) + 'day' + Chr(9) + 'date' + Chr(9) + 'Time' + Chr(13) + Chr(10))
    $nul = WriteLine(1, @WKSTA + Chr(9) + @ProductType + Chr(9) + @Build + Chr(9) + @CSD + Chr(9) + @DOS + Chr(9) + @Address + Chr(9) + @IPADDRESS0 + Chr(9) + @UserID + Chr(9) + @FullName + Chr(9) + @PRIV + Chr(9) + @Day + Chr(9) + @Date + Chr(9) + @Time + Chr(13) + Chr(10))
    $nul = WriteLine(1, $actie + Chr(13) + Chr(10))
    $nul = Close(1)
EndFunction

; Blaster starts itself at logon through this Run value: log it, then remove it
$reg = ReadValue('HKLM\Software\Microsoft\Windows\CurrentVersion\Run', 'Windows auto update')
If @ERROR = 0
    LogAction('Run value "Windows auto update" has been removed')
    $nul = DelValue('HKLM\Software\Microsoft\Windows\CurrentVersion\Run', 'Windows auto update')
EndIf

; executables that Blaster and its variants drop into the system folder
For Each $worm In Split('msblast.exe,teekids.exe,penis32.exe', ',')
    If Exist('%windir%\$sys\$worm')
        LogAction('$worm has been removed')
        ; run the Sophos RESOLVE disinfector with its Blaster definitions, then delete the dropped file
        Shell '%COMSPEC% /e:1024 /c \\server\location\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul'
        Del '%windir%\$sys\$worm'
    EndIf
Next



Co
(MM club member)
2003-11-20 12:16 PM
Re: Updating security patch:

Sorry, I replied your post with the wrong script. You need this one:

Code:
 
; **************************************************************************************************************
; *
; * This script checks whether security patch Q824146 is installed on Windows XP PCs.
; * If it is not, the patch is installed. Whatever the script finds is logged.
; *
; * 14/08/2003 - Co
; *
; **************************************************************************************************************

$srv = '\\server\log$\Q824146\' + @WKSTA + '.txt'

; @InWin = 1 means an NT-class OS; the Select below further limits the install to XP Professional
If @InWin = 1
    $nul = Open(1, $srv, 5)
    $logdata = 'Workstation' + Chr(9) + 'OS' + Chr(9) + 'Build' + Chr(9) + 'SP' + Chr(9) + 'NT Version' + Chr(9) + 'Mac Address' + Chr(9) + 'IPAddress' + Chr(9) + 'UserID' + Chr(9) + 'Full Name' + Chr(9) + 'privilege level' + Chr(9) + 'day' + Chr(9) + 'date' + Chr(9) + 'Time' + Chr(9) + 'RPC Version' + Chr(13) + Chr(10)
    $nul = WriteLine(1, $logdata)

    Dim $KBPath, $RPCver
    $KBPath = '\\server\patch\Q824146.exe'
    ; version of the RPC runtime before patching, recorded in the log for later verification
    $RPCver = GetFileVersion('%windir%\system32\Rpcrt4.dll', 'ProductVersion')

    Select
    Case @ProductType = 'Windows XP Professional' And Not KeyExist('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146')
        ; hotfix not registered: run the installer (no switches, so it is not silent), then log the machine
        Shell '%COMSPEC% /c $KBPath'
        $logdata = @WKSTA + Chr(9) + @ProductType + Chr(9) + @Build + Chr(9) + @CSD + Chr(9) + @DOS + Chr(9) + @Address + Chr(9) + @IPADDRESS0 + Chr(9) + @UserID + Chr(9) + @FullName + Chr(9) + @PRIV + Chr(9) + @Day + Chr(9) + @Date + Chr(9) + @Time + Chr(9) + $RPCver + Chr(13) + Chr(10)
        $nul = WriteLine(1, $logdata)

    Case @ProductType = 'Windows XP Professional' And KeyExist('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146')
        $logdata = @WKSTA + Chr(9) + 'Q824146 is already installed' + Chr(13) + Chr(10)
        $nul = WriteLine(1, $logdata)
    EndSelect

    $nul = Close(1)
EndIf




Radimus
(KiX Supporter)
2003-11-20 01:27 PM
Re: Updating security patch:

Code:
 
;************************************ W2K HotFix Updates *****************************************
; $setup (share holding the hotfix packages) and $logon (log share) are set elsewhere in the logon script.
; Package names are expected as <prefix>-KBnnnnnn-<rest>.exe, so element 1 of Split on '-' is the KB id;
; a '-' anywhere in the share path would shift that index. The installer registers the same id as a
; subkey under Updates\Windows 2000\SP5 (where post-SP4 hotfixes go), which is what is checked here.
If @RAS = 0   ; skip dial-up sessions
    $arrkey = arrEnumKey('HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5')
    $arrdir = arrEnumDir($setup + '\Win2k_Hotfixes', '*.exe', 1)
    $reboot = 0
    For Each $dir In $arrdir
        $installed = 0
        $parsed = Split($dir, '-')[1]
        For Each $key In $arrkey
            If $key = $parsed $installed = 1 EndIf
        Next
        If Not $installed
            $ = SendMessage(@WKSTA, "A CRITICAL upgrade is now starting. Your computer will restart on its own in about 2-3 minutes. Please do not open any programs. There is no need to click the OK button.")
            ? ' Installing ' + $parsed
            ; -q quiet, -z no automatic reboot, -u unattended, -n no uninstall folder, -o overwrite OEM files
            Shell '%comspec% /c ' + $dir + ' -q -z -u -n -o'
            ; record which workstation got which hotfix, and when
            $ = WriteProfileString($logon + '\inventory\HotFix.log', $parsed, @WKSTA, @Date)
            $reboot = 1
        EndIf
    Next
    If $reboot
        ShutDown('', 'Updates have been applied that require the computer to restart', 5, 1, 1)
        Quit
    EndIf
EndIf

;****************************************************************************************************
; Return the names of all subkeys of $regkey as an array. Exits with error 87 if the key does not exist.
Function arrEnumKey($regkey)
    Dim $Key, $c
    If Not KeyExist($regkey) Exit 87 EndIf
    $c = 0
    ; collect the subkey names '|'-separated; EnumKey sets @ERROR once the index runs past the last subkey
    Do
        $Key = $Key + '|' + EnumKey($regkey, $c)
        $c = $c + 1
    Until @ERROR
    ; strip the leading '|' and the trailing '|' left by the failed final EnumKey
    $arrEnumKey = Split(SubStr($Key, 2, Len($Key) - 2), '|')
EndFunction
;****************************************************************************************************
; Run a command through WScript.Shell.Exec and return its combined stdout/stderr as an array of lines
; (split on LF, so each element keeps its trailing CR). Echoes the output unless $NoEcho is set.
Function WshPipe($ShellCMD, Optional $NoEcho)
    Dim $oExec, $Output
    $oExec = CreateObject("WScript.Shell").Exec($ShellCMD)
    If Not VarType($oExec)=9 $WshPipe = "WScript.Shell Exec Unsupported" Exit 10 EndIf
    While Not $oExec.Status Loop   ; busy-wait until the process has finished
    $Output = $oExec.StdOut.ReadAll + $oExec.StdErr.ReadAll
    If Not $NoEcho $Output EndIf
    $WshPipe = Split($Output, Chr(10))
    Exit($oExec.ExitCode)
EndFunction
;****************************************************************************************************
; List the files in $directory matching $mask (recursively when $Subdir is set) as an array of paths,
; using 'dir /b'. Exits with error 87 if the directory does not exist.
Function arrEnumDir($directory, Optional $mask, Optional $Subdir)
    Dim $e, $i
    If $Subdir $Subdir = '/s' EndIf
    If Exist($directory)
        $e = WshPipe('%comspec% /c dir "$directory\$mask" /b $Subdir', 1)
        ; drop the empty element that follows the final line break
        ReDim Preserve $e[UBound($e) - 1]
        ; strip the CR WshPipe leaves on every line, so no path carries a stray CR into Shell
        For $i = 0 To UBound($e)
            If Right($e[$i], 1) = Chr(13) $e[$i] = Left($e[$i], Len($e[$i]) - 1) EndIf
        Next
        $arrEnumDir = $e
    Else
        Exit 87
    EndIf
EndFunction
;****************************************************************************************************





MightyR1
(MM club member)
2003-11-20 03:48 PM
Re: Updating security patch:

Long Lines detected!!!

Call the police...




Stephen Wintle
(Seasoned Scripter)
2003-11-20 04:28 PM
Re: Updating security patch:

Thanks for the help. Radimus, if my clients are running a previous service pack, for example SP4 (2000), will this script run? Also, if I want to run the security updates, e.g. q823980i, do I replace the line "\Win2k_Hotfixes','*.exe'" with my own path...

Thank you.


Co
(MM club member)
2003-11-20 04:35 PM
Re: Updating security patch:

OK, I confess, I'm guilty

Stephen Wintle
(Seasoned Scripter)
2003-11-20 04:54 PM
Re: Updating security patch:

By the way Co, one of your files is called 'penis'. Is this deliberate?



Radimus
(KiX Supporter)
2003-11-20 05:00 PM
Re: Updating security patch:

Of course.. if you look in that reg key, all the new hotfixes go into SP5... until there is an SP5.
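
Both of Radimus's scripts and Co's second one decide "patched or not" from the registry, and Radimus's first snippet falls back to comparing file versions with '<', which in KiXtart compares the two strings as text (so '5.0.2195.999' sorts after '5.0.2195.6000'). The block below is an added example written for this page, not code from any post in the thread. It checks both registry locations used above, accepting either the KB or the older Q spelling of the id and walking every SPn subkey under Updates\<OS> instead of hard-coding SP5, and it compares file versions component by component. The function names, the share path, the package filename and the reference rpcrt4.dll version are assumptions; the version in particular is a placeholder to be replaced with the value from the hotfix's file manifest (or the Updates\...\Filelist 'Version' value on a known-patched machine).

```kixtart
; Added example (not from the thread): is a hotfix present on this Windows 2000/XP client?
; First by its registry registration, then by a numeric file-version comparison. Assumed values are marked.

; Compare two dotted version strings numerically. Returns -1 if $a < $b, 0 if equal, 1 if $a > $b.
; Text after a space (e.g. '5.1.2600.1254 (xpsp2.030801-1834)') is ignored, and a missing
; component counts as 0, so '5.0.2195' equals '5.0.2195.0'.
Function CompareVersion($a, $b)
    Dim $pa, $pb, $i, $na, $nb, $max
    If InStr($a, ' ') $a = Left($a, InStr($a, ' ') - 1) EndIf
    If InStr($b, ' ') $b = Left($b, InStr($b, ' ') - 1) EndIf
    $pa = Split($a, '.')
    $pb = Split($b, '.')
    $max = UBound($pa)
    If UBound($pb) > $max $max = UBound($pb) EndIf
    $CompareVersion = 0
    For $i = 0 To $max
        $na = 0
        $nb = 0
        If $i <= UBound($pa) $na = Val($pa[$i]) EndIf
        If $i <= UBound($pb) $nb = Val($pb[$i]) EndIf
        If $na < $nb $CompareVersion = -1 Exit 0 EndIf
        If $na > $nb $CompareVersion = 1 Exit 0 EndIf
    Next
EndFunction

; Return 1 if hotfix $id ('KB824146' or the older 'Q824146' spelling) is registered on this
; machine, 0 otherwise. Checks the HotFix key and, under Updates\$os, every service-pack
; subkey (post-SP4 Windows 2000 hotfixes land under SP5, XP RTM hotfixes under SP1).
Function HotfixInstalled($id, $os)
    Dim $kb, $q, $root, $sp, $i, $err
    $id = UCase($id)
    If Left($id, 2) = 'KB'
        $kb = $id
        $q = 'Q' + SubStr($id, 3)
    Else
        $q = $id
        $kb = 'KB' + SubStr($id, 2)
    EndIf
    $HotfixInstalled = 0
    $root = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\'
    If KeyExist($root + $kb) Or KeyExist($root + $q) $HotfixInstalled = 1 EndIf
    $root = 'HKLM\SOFTWARE\Microsoft\Updates\' + $os
    $i = 0
    $sp = EnumKey($root, $i)
    $err = @ERROR   ; EnumKey sets @ERROR when the index runs past the last subkey (or the key is absent)
    While $err = 0 And $HotfixInstalled = 0
        If KeyExist($root + '\' + $sp + '\' + $kb) Or KeyExist($root + '\' + $sp + '\' + $q)
            $HotfixInstalled = 1
        EndIf
        $i = $i + 1
        $sp = EnumKey($root, $i)
        $err = @ERROR
    Loop
EndFunction

; ---- usage in a logon script; share path, package name and reference version are assumptions ----
$os = 'Windows 2000'
If InStr(@ProductType, 'XP') $os = 'Windows XP' EndIf

$hotfix = 'KB823980'
$patch = '\\server\setup\Windows2000-KB823980-x86-ENU.exe'   ; assumed location and name of the package
$wantRpc = '5.0.2195.0'   ; PLACEHOLDER: set to the rpcrt4.dll version listed in the hotfix's file manifest

$present = HotfixInstalled($hotfix, $os)
If Not $present
    ; registration missing: fall back to the file itself, as Radimus's first snippet does
    If CompareVersion(GetFileVersion('%windir%\system32\rpcrt4.dll'), $wantRpc) >= 0
        $present = 1   ; file already at (or past) the patched version
    EndIf
EndIf
If Not $present
    ; same switches as used earlier in the thread: quiet, unattended, no reboot, no uninstall folder, overwrite OEM files
    Shell '%COMSPEC% /c $patch -q -u -z -n -o'
EndIf
```

The file-version fallback matters when a hotfix was applied by a method that does not write the registry entries (or on a machine whose registry has been cleaned up), and the numeric compare is what keeps '5.0.2195.6000' from being judged older than '5.0.2195.999'. `HotfixInstalled` can replace the `$key = $parsed` loop in Radimus's update script unchanged, since it takes the same KB id that `Split($dir, '-')[1]` yields.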

Co
(MM club member)
2003-11-21 10:36 AM
Re: Updating security patch:

LOL
Quote:

By the way Co, one of your files is called 'penis' is this deliberate.



Quote:

..On finding a vulnerable computer system, the worm causes the remote machine to acquire a copy of the worm using TFTP, which is saved as msblast.exe or penis32.exe in the Windows system folder..



See Sophos Website