[unisog] scanners for the lastest MS vulnerabilities?

Phil.Rodrigues at uconn.edu
Wed Oct 22 14:56:24 GMT 2003


We had good success with netsend messages to reach people that were 
otherwise ignoring us.  It got us about a 50% success rate in the 
Residential Network and in parts of the faculty/staff network without 
dedicated admins.

We had 3,000 computers vulnerable to MS-039 remaining after "normal" 
communication and alert methods.  Sending netsends prompted about 1,500 of 
those users to download and install the patch on their own.  We only sent 
netsends to IPs that scanned as vulnerable.

For an example of the netsend messages we sent, follow this link (it will 
redirect you):

http://security.uconn.edu/selfscan

The page we sent users to was basically rpcscan on a stand-alone website. 
When they followed the selfscan link they would be scanned and then 
prompted to download the correct patch, or told they were properly 
patched.  I think I can share the code if people are interested in our 
selfscan.

We used this method for hosts vulnerable to RPC-etc, and previously for 
hosts infected with Welchia and spewing ICMP.  In both cases we could 
reach a few thousand people in a few hours, which saved a lot of time that 
we would have spent tracing jacks and alerting admins.

Phil

PS - We are considering our rpcscan options.  At some point tying 
netregscan to something more flexible (like Nessus) may be easier, but as 
long as we can update the scanner I think we will keep doing it.  We are 
looking into the Messenger vulnerability now.

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================





Anderson Johnston <andy at umbc.edu>
10/21/2003 04:06 PM

 
        To:     Brian Reilly <reillyb at georgetown.edu>
        cc:     Russell Fulton <r.fulton at auckland.ac.nz>, <unisog at sans.org>
        Subject:        Re: [unisog] scanners for the lastest MS vulnerabilities?


>
> http://www.iss.net/support/product_utilities/ms03-043/
>

The pop-up option is cute, but we've got users who are half-paralyzed with
fear of their own PCs already.  I don't want to be prying them out of
their desk drawers after strange warnings about evil hackers start popping
up on their screens.

                                 - andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949 **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
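
The self-scan page described in Phil's message, as an added example that is not UConn's code: the handler scans only the address the request came from, then tells the visitor to patch or that no problem was found. The campus range, the patch URL and the TCP 135 reachability check standing in for rpcscan are assumptions.

```python
import ipaddress
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholders, not values from the post.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PATCH_URL = "https://patches.example.edu/rpc"

def rpc_port_reachable(ip, port=135, timeout=2.0):
    """Stand-in check: is TCP 135 reachable? This is not a vulnerability test;
    a real deployment would call its own scanner here (the post used rpcscan)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def selfscan(peer_ip, check=rpc_port_reachable):
    """Scan only the requesting address and return (http_status, text)."""
    ip = ipaddress.ip_address(peer_ip)
    # Refuse off-campus clients before any probe is sent.
    if not any(ip in net for net in CAMPUS_NETS):
        return 403, "Self-scan is only available from campus addresses.\n"
    if check(str(ip)):
        return 200, f"{ip} needs the patch. Download it from {PATCH_URL}\n"
    return 200, f"No problem found on {ip}.\n"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The target is the TCP peer, never a query parameter or an
        # X-Forwarded-For header, so a visitor cannot aim the scanner
        # at somebody else's machine.
        status, text = selfscan(self.client_address[0])
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Behind a reverse proxy the TCP peer is the proxy itself, so this design assumes clients connect to the scan host directly.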





