Full Version: Unpatched Systems Against Blaster
how do u check if a system is patched against the blaster exploit?
blaster is not an exploit. it is the worm that took advantage of the old rpc exploit. Locally you can probably check with the first dcom(rpc) exploit, quite easily either with scanners or by trying to run the exploit itself, which still probably lies around this forum. you can also try rpc2 and the new messenger exploit as well. Also doing it remotely is a little more tedious because most ISPs have blocked the rpc and netbios ports. so you have to find ISPs that don't block it which is a matter of luck.
Saetji,
I had a lot of luck using Retina's free scanner at http://www.eeye.com/html/Research/Tools/Do...e=RetinaRPCDCOM Hope that helps........... ICEBUGZ
thx for the scanner
saetji: Use the Windows Update Utility (%SystemRoot%\system32\wupdmgr.exe) to search for the latest patches (if you have access... if not, there are many scanners for the RPC exploits...)
I think RPC is more than dead because every stupid admin should know about that hole and a lot of isp providers block that port.
that is true, but then again rpc3 was quite fun against someone during a lan day (you know who you are)
you won't find any good servers running with unpatched windows...
yeah ya right...
for sure... more than dead! try focussing on other xploits
I wanna kill the (filtered) who designed blaster... bastard (filtered) it up for everyone.
heh true quantum. I know I won't find any - but I'm just curious
the best way to check if a system is patched against the blaster is in my opinion: plug in the network cable
after reinstallation of win2k, i plugged in my network card, and after 5 seconds, i got the worm :/ didn't have any time to patch my machine against it, this worm is really hardcore
no no. the rpc/dcom exploit is far from dead. Still many vulnerable hosts. Also, every time a fresh new install of Windows XP hits the internet, it is vulnerable
well the best way (for me) to check it and of course disable it without ms patch is grc.com method! Go to http://grc.com/dcom/ and try this. They also have cool programs like disable the messenger and that stuff. Give them a try and you will not lose!
i don't agree if you say every new system is vulnerable. Truly it is but most server admins i know first install all patches from MS and then connect to the internet. But eventually you're lucky and find a good vulnerable server!
u do have a point but the average home user may not think of that