RE: MS-Blast scripts

  • From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Aug 2003 13:16:54 -0500

I am still confused too.
I have not applied any of these scripts, and am not infected on the
client side or the server side, yet I can't connect to the Exchange
server.
I cannot use OWA for my salesmen because they need access to their mail
when they are not connected, and I can't use POP3 because we use an
Exchange-enabled fax solution for them to send outgoing faxes while on
the road, so we have to publish the Exchange server.

We had Dan Bartley tell us he was having the same problem:


________________________________________________________________________
Interestingly enough, I am having the exact same problem. It started
after applying the Win2k3 version of the patch.

Best Regards,

Dan Bartley
________________________________________________________________________


So what is the deal?
Tom, can you connect to Exchange through ISA from the internet since
these MS fixes have come about?
Is it because my Exchange server is having to drop so much worm-related
traffic that my users time out trying?

I am not the most versed on net mon traffic analysis and all.
Is there a good site on the how-tos of net mon techniques?

Thanks

Jeff Sloan 
Network Administrator 
Cross Oil Refining & Marketing, Inc. 
484 E. 6th St. 
Smackover, AR 71762 

Phone 870-864-8688
Fax     870-864-8689 
Cell     870-866-9941 



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, August 14, 2003 11:35 AM
To: ISALists
Subject: [isalist] RE: MS-Blast scripts


http://www.ISAserver.org


Hi Jim,

OK, so it's correct that the RPC filter *does* protect outbound. <sigh of
relief>

I understand re: LCD.

I tried that approach. I disabled all my protocol and Site and Content
Rules, but my mail got stuck in the queue. I had to enable them again to
send this. :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Thursday, August 14, 2003 11:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Blast scripts



That's the bad part; I have to assume the "least capable" when I write
these scripts. There are many folks who choose not to use FP1 and all
its kewl toys. ...for that matter, I think if you disable all outbound
policies, then you'd never infect anyone with anything (except maybe the
occasional cold).

;-)

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG  http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 14, 2003 07:57
Subject: [isalist] RE: MS-Blast scripts



Hi Jim,

Hmmmm. I had the impression that if you created an outbound RPC Protocol
Rule, that the updated RPC filter included in FP1 created a special RPC
Protocol Definition that prevented the attack. Like the FTP filter's
protocol definitions are tied to the FTP Access application filter, I
thought the RPC Protocol Definition was tied to the RPC filter and
therefore denuded the exploit.

Now I'm getting really confused!

Given the number of exploits carried out on TCP 80, TCP 25 and TCP 110,
do you think I should shut those ports too? ;-)
(www.tacteam.net/openport.htm)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp




-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 14, 2003 9:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Blast scripts



Yep...but if it's a choice between outbound RPC and litigation because you
sourced an infection elsewhere, it's OWA time...

Unfortunately, the RPC filter only acts on inbound RPC.
<sigh>

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Thu, 14 Aug 2003 01:54:44 -0500
 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:

Hi Jim,

One of the actions of the script blocks outbound access to TCP 135.
Won't this disable outbound Exchange RPC? Since we have the RPC filter,
why do that? Won't it whack the utility of outbound Exchange Server
access?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 14, 2003 1:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] MS-Blast scripts



OK; I finally finished them:
http://isatools.org/msblast.zip

It contains two scripts:
- block_msblast.vbs; this will prevent an internal infection from
  spreading outside your walls
    it likes all Enterprise variations and Standalone environments
    equally
- fix_msblast.vbs; this will remove the little bugger and even validate
  your hotfix installation (in the registry, anyway)

...take a look at the logic for the blocker script; you'll understand why
scripting rules for Enterprise environments can get so hairy.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG  http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
