David- There is no reliable way to detect if a computer is infected with blaster without logging into it and looking for the reg key or the executable. The backdoors (tftp and 4444) are not permanent. ISS X-Force released a great scanner for the vulnerability itself. It does two different checks to see if a box is patched, and it will detect the difference between a machine that has DCOM disabled or if it is patched. It's available here: http://www.iss.net/support/product_utilities/ms03-026rpc.php Regards, =============================== Daniel Ingevaldson Engineering Manager, X-Force R&D dsi@iss.net 404-236-3160 Internet Security Systems, Inc. The Power to Protect http://www.iss.net =============================== -----Original Message----- From: David A. Ulevitch [mailto:davidu@everydns.net] Sent: Friday, August 15, 2003 4:34 PM To: nanog@merit.edu Subject: MSBlast CLI scanner (unix)? Nanog'ers, I've seen a couple of the windows-based MSBlast scanners but I'm looking for a unix tool to simply plug in an IP/netmask and have it scan via the command line and return the status of the vulnerability (patched, unaffected, exploited, etc). Has anyone found or heard of one that runs on *nix or have any other suggestions? thanks, davidu ---------------------------------------------------- David A. Ulevitch -- http://david.ulevitch.com http://everydns.net -+- http://communitycolo.net Campus Box 6957 + Washington University in St. Louis ----------------------------------------------------