xdccpt
Apr 26 2004, 03:59 PM
How to protect a box from Lsasrv.dll Rpc Remote Exploit?
( beside Microsoft patch ) of course
gsicht
Apr 26 2004, 04:06 PM
deleting Lsasrv.dll is a possibility. but i don't think that it is a good one
why don't you patch your pc?
SuperG
Apr 26 2004, 04:08 PM
download appropriate patch from microsoft.com and :
Windows2000-KB835732-x86-ENU.EXE /passive /quiet /forcerestart
for win2k sp4 en for example
stonebreaker
Apr 26 2004, 04:20 PM
close port 445 139 like this
net stop ipc$
net stop c$
archphase
Apr 26 2004, 04:45 PM
Set up an IDS like Snort and filter 445 & 139, or find the shellcode that it is using and block packets containing it.
DumpZ
Apr 26 2004, 05:40 PM
| QUOTE (stonebreaker @ Apr 26 2004, 04:20 PM) |
close port 445 139 like this
net stop ipc$
net stop c$
|
net stop [sharename] since when is that a valid command? net stop is used for stopping services.
The syntax should be then (i guess)
net share c$ /delete
net share ipc$ /delete
Hellraiseruk
Apr 26 2004, 07:23 PM
so does this protect stros?
| CODE |
net share c$ /delete
net share ipc$ /delete
|
KuerbY
Apr 26 2004, 08:19 PM
it protects your system till reboot
i would prefer you block port 139 with ipsec, as shown in another thread on the board, but the method with the patch is the only true way
tweakz20
Apr 26 2004, 08:29 PM
there could be other shares for your other drives... disabling ALL shares should protect you
stonebreaker
Apr 27 2004, 02:36 AM
oh sorry i have made a mistake hehe
you can do it with this
| CODE |
------------------------ cut here then save as .bat or .cmd file ---------------------------
@echo preparing to delete all the default shares. when ready press any key.
@pause
@echo off

:Rem check parameters if null show usage.
if {%1}=={} goto :Usage

:Rem code start.
echo.
echo ------------------------------------------------------
echo.
echo Now deleting all the default shares.
echo.
net share %1$ /delete
net share %2$ /delete
net share %3$ /delete
net share %4$ /delete
net share %5$ /delete
net share %6$ /delete
net share %7$ /delete
net share %8$ /delete
net share %9$ /delete
net stop Server
net start Server
echo.
echo All the shares have been deleted
echo.
echo ------------------------------------------------------
echo.
echo Now modify the registry to change the system default properties.
echo.
echo Now creating the registry file
echo Windows Registry Editor Version 5.00> c:\delshare.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> c:\delshare.reg
echo "AutoShareWks"=dword:00000000>> c:\delshare.reg
echo "AutoShareServer"=dword:00000000>> c:\delshare.reg
echo Now using the registry file to change the system default properties.
regedit /s c:\delshare.reg
echo Deleting the temporary files.
del c:\delshare.reg
goto :END

:Usage
echo.
echo ------------------------------------------------------
echo.
echo ☆ An example for batch file ☆
echo ☆ [Use batch file to change the system share properties.] ☆
echo.
echo Author:Ex4rch
echo Mail:Ex4rch@hotmail.com QQ:1672602
echo.
echo Error:Not enough parameters
echo.
echo ☆ Please enter the share disk you wanna delete ☆
echo.
echo For instance,to delete the default shares:
echo delshare c d e ipc admin print
echo.
echo If the disk label is not as C: D: E: ,Please change it yourself.
echo.
echo example:
echo If local disk labels are C: D: E: X: Y: Z: ,you should change the command into :
echo delshare c d e x y z ipc admin print
echo.
echo *** you can delete nine shares at once ***
echo.
echo ------------------------------------------------------
goto :EOF

:END
echo.
echo ------------------------------------------------------
echo.
echo OK,delshare.bat has deleted all the shares you assigned.
echo.Any questions ,feel free to mail to Ex4rch@hotmail.com.
echo.
echo ------------------------------------------------------
echo.

:EOF
echo end of the batch file
------------------------ cut here then save as .bat or .cmd file ---------------------------
|
jimmy
Apr 27 2004, 07:46 AM
just run the ms patch, I ran it already for my ssl hacks, so now they are also safe for this exploit ...
Hellraiseruk
Apr 27 2004, 03:04 PM
Nice1 stonebreaker..will try
101
Apr 27 2004, 03:53 PM
-for w2k (quickfix) :
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=2 REG_DWORD
RestrictAnonymous=2 will deny any null session attempts on Ipc$
-for 2k (fullfix):
MS04-011 patch...
-for XP (quickfix) :
dunno.., cos Ipc$ cant be denied like on w2k , so if anyone know a quickfix, thx to post it.
-for XP (fullfix):
MS04-011 patch...
nowhere
Apr 27 2004, 04:51 PM
problem with the bat was when u delete all shares the admin know it!
only delete ipc$!
tolf
Apr 28 2004, 01:16 AM
| QUOTE (101 @ Apr 27 2004, 03:53 PM) |
-for w2k (quickfix) :
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=2 REG_DWORD
RestrictAnonymous=2 will deny any null session attempts on Ipc$
-for 2k (fullfix):
MS04-011 patch...
-for XP (quickfix) :
dunno.., cos Ipc$ cant be denied like on w2k , so if anyone know a quickfix, thx to post it.
-for XP (fullfix):
MS04-011 patch... |
XP:
STEP 1: Expand the Local (or Domain) Policies node (in the left window pane) and highlight Security Options.
STEP 2: Double click on ''Network Access: Do not allow anonymous enumeration of SAM accounts and shares'' in the right window pane. Select Enabled and click OK.
STEP 3: Double click on 'Network access: Do not allow anonymous enumeration of SAM accounts' in the right window pane. Select Enabled and click OK
WeeDMoNKeY
Apr 28 2004, 04:21 AM
| QUOTE (SuperG @ Apr 26 2004, 04:08 PM) |
download appropriate patch from microsoft.com and :
Windows2000-KB835732-x86-ENU.EXE /passive /quiet /forcerestart
for win2k sp4 en for example
|
/passive shows a bar

dont think you need it, ran it on my dads puter /quiet does it
101
Apr 28 2004, 12:55 PM
| QUOTE (tolf @ Apr 28 2004, 01:16 AM) |
XP:
STEP 1: Expand the Local (or Domain) Policies node (in the left window pane) and highlight Security Options.
STEP 2: Double click on ''Network Access: Do not allow anonymous enumeration of SAM accounts and shares'' in the right window pane. Select Enabled and click OK.
STEP 3: Double click on 'Network access: Do not allow anonymous enumeration of SAM accounts' in the right window pane. Select Enabled and click OK |
wrong tolf
what u said = RestrictAnonymous=1
| CODE |
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RestrictAnonymous /t REG_DWORD /d 1
|
& this isnt patching the hole.
tolf
Apr 28 2004, 02:48 PM
| QUOTE (101 @ Apr 28 2004, 12:55 PM) |
| QUOTE (tolf @ Apr 28 2004, 01:16 AM) |
XP:
STEP 1: Expand the Local (or Domain) Policies node (in the left window pane) and highlight Security Options.
STEP 2: Double click on ''Network Access: Do not allow anonymous enumeration of SAM accounts and shares'' in the right window pane. Select Enabled and click OK.
STEP 3: Double click on 'Network access: Do not allow anonymous enumeration of SAM accounts' in the right window pane. Select Enabled and click OK |
wrong tolf
what u said = RestrictAnonymous=1
| CODE |
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RestrictAnonymous /t REG_DWORD /d 1
|
& this isnt patching the hole.
|
woops sorry stand corrected. as above..
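A read-only audit of the settings argued over in this thread (RestrictAnonymous, the AutoShare values written by the batch file, the admin shares, and the patch itself). This is an added example, not code from any poster; it is written for PowerShell 3.0 or later, which postdates the thread, and the helper name Get-RegValue is hypothetical. It assumes a local elevated session and takes the KB number from SuperG's post.

```powershell
# Added example: reports state only, changes nothing.
$PatchId = 'KB835732'   # KB number as given in the thread
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the value is absent
    # (Windows then falls back to its built-in default).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = [ordered]@{}

# RestrictAnonymous: 0 = no restriction, 1 = no anonymous enumeration of
# SAM accounts and shares, 2 = no anonymous access without explicit
# permissions (the Windows 2000 setting 101 refers to).
$report['RestrictAnonymous'] = Get-RegValue $lsaKey 'RestrictAnonymous'

# AutoShareWks / AutoShareServer: absent or 1 means C$, ADMIN$ and the other
# drive shares are recreated when the Server service starts, so a bare
# "net share x$ /delete" only lasts until the next restart.
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $report[$name] = Get-RegValue $srvKey $name
}

# Hidden shares that exist right now (names ending in "$").
$report['HiddenShares'] = (Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Name -like '*$' } |
    ForEach-Object { $_.Name }) -join ', '

# None of the workarounds replaces the update, so check for it separately.
$report['PatchInstalled'] = [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)

[pscustomobject]$report | Format-List
```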