【軟體】M$ 的掃瞄你的疾風病毒的修補程式



贊助商連結


ranger
2003-08-20, 10:07 AM
8/17 微軟剛發表 MS03-026 Scanning Tool掃瞄你的疾風病毒的修補程式是否安裝好

這支程式可掃瞄子網域中的所有電腦 建議網管人員使用

Last Reviewed: 8/17/2003
Keywords: kbhowto KB826369

最後更新 2003年8月17日


連結
http://download.microsoft.com/download/7/f/7/7f7f423a-cd47-4c43-bebf-1a18e79bcf72/DCOM-KB826369-X86-ENU.exe
說明
How to Use the KB 823980 Scanning Tool to Identify Host Computers That Do Not Have the 823980 Security Patch (MS03-026) Installed
The information in this article applies to:
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows Server 2003, Datacenter Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Enterprise Edition for the Workstation
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Professional
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP 64-Bit Edition Version 2002
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 Terminal Server Edition
Microsoft Windows NT Workstation 4.0

SUMMARY
Microsoft has released a KB 823980 scanning tool (KB823980scan.exe) that network administrators can use to identify host computers on their network that do not have the 823980 security patch (MS03-026) installed. For additional information about the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:
823980 MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution

For additional information about a new worm virus that tries to exploit the DCOM RPC vulnerability that is fixed by the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:
826955 Virus Alert About the Blaster Worm and Its Variants

For additional information about how network administrators can use Windows Management Instrumentation scripting to install the 823980 security patch (MS03-026) on unpatched computers in their Windows NT, Windows 2000, or Windows Server 2003 domain, click the following article number to view the article in the Microsoft Knowledge Base:
827227 How to Use a Visual Basic Script to Install the 823980 Security Patch (MS03-026) on Remote Host Computers

MORE INFORMATION
The KB823980scan.exe tool can scan remote host computers without requiring authentication (that is, you do not have to supply valid credentials on the remote host computer). Use of the KB823980scan.exe tool does not affect the stability of the target operating system that is scanned.

You can use the KB823980scan.exe tool from a Windows Server 2003-based, Windows XP-based, or Windows 2000-based computer to scan your network to identify host computers that do not have the 823980 security patch (MS03-026) installed.
Download Information
To download the KB823980scan.exe tool, visit the following Microsoft Web site, and then download the Dcom-kb826369-x86-enu.exe installation package:
http://microsoft.com/downloads/deta...;displaylang=en

To install the KB823980scan.exe tool, double-click the DCOM-KB826369-X86-ENU.exe installation package that you downloaded. The tool is a command-line utility that is installed in the KB823980Scan subfolder of the Program Files folder or the Program Files (x86) folder for 64-bit versions of Windows XP or Windows Server 2003.
Usage
When you run the KB823980scan.exe tool with the /? switch (or with no switches), the following information is shown:Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

The purpose of KB823980Scan.exe is to audit Windows systems over the network
for KB823980 patch compliance. KB823980Scan.exe allows
administrators to quickly scan enterprise networks for unpatched systems.

Usage: KB823980Scan.exe [/?] [/i:input_file] [/l[:log_file]]
[/out_file] [/t:timeout] [/v] target ...

Targets can take any of the following forms:

a.b.c.d - IP address
a.b.c.d-i.j.k.l - IP address range
a.b.c.d/mask - IP address with CIDR mask
host - unqualified hostname
host.domain.com - fully-qualified domain name
localhost - check local machine

Targets can be specified on the command line & in user-specified input files.

KB823980Scan.exe maintains an informational log in the current directory.
The log files will take the form KB823980Scan_YYMMDD[a-z][a-z].log, where YY
is the two digit year, MM is the two digit month, and DD is the two digit day.
The [a-z][a-z] will be appended to the log file name as additional scans are
completed on the same day.

KB823980Scan.exe will create a list of vulnerable systems (unpatched as well
as those with KB823980 installed) in the current working directory. This file
should be fed as input to the autopatching script that you write. This file
will be named "Vulnerable.txt" by default. Its name can be changed with the
/o switch.

KB823980Scan.exe has a default timeout of 5 seconds, which should be fine
for most networks. If your network is slow or has IPSec enabled then you
might want to increase the timeout to 10 seconds or more.

Sample Output
C:\>kb823980scan 10.1.1.1/24

Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)

Checking 10.1.1.0 - 10.1.1.255
10.1.1.1: connection to tcp/135 refused
10.1.1.2: unpatched
10.1.1.3: host unreachable
10.1.1.4: patched with KB823980
10.1.1.5: patched with KB823980
10.1.1.6: patched with KB823980
10.1.1.7: connection to tcp/135 refused
10.1.1.8: unpatched
10.1.1.9: patched with KB823980
.
.
.
.
<snip>

<-> Scan completed

Statistics:

Patched with KB823980 = 40
Unpatched = 11
TOTAL HOSTS SCANNED = 51

Needs Investigation = 0
Connection refused = 3
Host unreachable = 202
Errors = 0
TOTAL HOSTS SKIPPED = 205

TOTAL ADDRESSES SCANNED = 256

Explanation of Error Messages, Status, and Statistics
A "host unreachable" error message indicates that no host is present at the specified Internet Protocol (IP) address. Additionally, a firewall that black holes packets, such as Internet Connection Firewall (ICF), also returns a "host unreachable" error message.
A "connection to tcp/135 refused" error message indicates either that no service is listening on TCP port 135 or that TCP port 135 is being filtered (either by the Windows TCP/IP stack or by a firewall or a router).
An "unpatched" status indicates that the host that was scanned is a Windows host but does not have the 823980 security patch (MS03-026)installed.
The "Needs Investigation" counter indicates that some Internet protocols did not respond to a connection attempt on TCP port 135 and therefore could not be scanned for the security patches.
Log Files That the KB823980scan.exe Tool Creates
KB823980Scan_YYMMDD[a-z][a-z].log: This log file is for informational purposes.
Vulnerable.txt: This log file contains a list of the IP addresses for computers on your network that do not have the 823980 (MS03-026) security patch installed. You can use the Vulnerable.txt log file without modification as the input file (Ipfile.txt) for the Patchinstall.vbs script that is described in Microsoft Knowledge Base article 827227. Note that the Vulnerable.txt log file is overwritten every time that you run KB823980scan.exe. For the sample output that is described in the "Sample Output" section in this article, the Vulnerable.txt log file would contain the following entries:
10.1.1.2
10.1.1.8

Known Issues
You cannot use double-byte character set (DBCS) characters in the path for the input file, the output file, the log file, or the host computer when you use the KB823980scan.exe tool.
You cannot run the KB823980scan.exe tool on a computer that is running Windows NT 4.0, Microsoft Windows 98, or Microsoft Windows Millennium Edition. However, you can run this tool from Windows Server 2003-based, Windows XP-based, or Windows 2000-based computers to scan a remote host computer that is running Windows NT 4.0.

贊助商連結


billyao
2003-08-20, 12:24 PM
閱讀之後,感謝ranger的提供,同時我也順便來補充一下

KB823980Scan.exe 是一個來自微軟所提供的工具,主要是提供給網路管理者使用,藉由這個工具的安裝,執行它配合一些參數,可以掃瞄整個區域網路的遠端電腦,是否有更新疾風病毒的修補程式,這對管理數百台的管理者而言,是一個非常好的掃瞄工具。當然,一般的使用者,也可以藉由這個工具,來檢查自己的家庭網路系統,甚至只有一台電腦也沒關係,因為它也可以從事自己掃瞄,程式所在的這部電腦上,或著是你的ADSL設備與IP分享器。以下是該工具的下載與使用資訊:

■檔案下載: http://download.microsoft.com/download/7/f/7/7f7f423a-cd47-4c43-bebf-1a18e79bcf72/DCOM-KB826369-X86-ENU.exe

■檔案的安裝:

1.下載之後,會得到一個解壓縮檔,執行之後它會自我解壓縮,一般是被放在 C:\Program Files\KB823980Scan\目錄之下。

2.基於使用上的方便,建議將其複製到一個較常使用的目錄區域,例如My Document 或著是Tools,如果檔案名稱覺得過於冗長,也可將其更名為較短的檔案名稱,以方便文字的輸入,因為這個檔案是必須在命令列(Command-Line)之下執行的,依照我個人自己本身而言,我是將檔案放在 c:\download目錄裡。

3.安裝完畢之後,接著進入Command-Line模式,請點選「開始」工作列的「執行」,出現一個對話視窗,如果作業系統是Windows NT/2000/2003/XP,請輸入"CMD"這三個英文字母,至於Windows 9x/Me作業系統,應該是輸入"command",因為手邊沒有這類的系統,是否可以在Windows 9x/Me這樣的作業系統執行,那就不得而知了。

4.輸入"CMD"之後,接著會出現DOS 模擬視窗,並將目錄切換至疾風病毒掃瞄工具所在的目錄,例如在C:>命令提示,下一個指令" CD c:\download " ,前面的命令CD,代表切換目錄,跟隨其後的文字,則是目錄名稱。

5.指令格式說明

指令名稱: KB823980Scan.exe
格 式: KB823980Scan.exe [/?] [/i:input_file] [/l[:log_file]] [/out_file] [/t:timeout] [/v] target ...
選項說明: [/?] 求助
[/i:input_file] 載入一個使用者定義檔案
[/l[:log_file]] 掃瞄結果輸出至一個記錄檔
[/out_file] 輸出一個使用者定義檔案
[/t:timeout] 檢查(連線遠端)時間限制
[/v]
target ... 目的位址

目的位址可以是以下的格式:

a.b.c.d - IP address
a.b.c.d-i.j.k.l - IP address range
a.b.c.d/mask - IP address with CIDR mask
host - unqualified hostname
host.domain.com - fully-qualified domain name
localhost - check local machine

範例

KB823980Scan.exe 192.168.0.1
KB823980Scan.exe 192.168.0.1 - 192.168.0.255
KB823980Scan.exe 192.168.0.1/255.255.255.0
KB823980Scan.exe mis
KB823980Scan.exe mis.microsoft.com
KB823980Scan.exe localhost

輸出果範例

E:\>scan /v 192.168.0.3

Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)

Checking 192.168.0.3
192.168.0.3: patched with KB823980

<-> Scan completed

Statistics:

Patched with KB823980 = 1
Unpatched = 0
TOTAL HOSTS SCANNED = 1

Needs Investigation = 0
Connection refused = 0
Host unreachable = 0
Errors = 0
TOTAL HOSTS SKIPPED = 0

TOTAL ADDRESSES SCANNED = 1

如果嫌KB823980Scan.exe檔名太長,可以更名為 scan.exe,指令是 REN KB823980Scan.exe scan.exe

微軟網站 Blaster Worm 消息:http://www.microsoft.com/taiwan/security/incident/blast.asp
趨勢網站 Blaster Worm 消息:http://www.trend.com.tw
賽門鐵克Blaster Worm 消息:http://www.sysmantec.com.tw (網路安全診斷室,可做線上掃瞄清毒)
趨勢線上掃瞄清毒網站: http://housecall.trendmicro.com/ (國外免費的網站)