[21756] in bugtraq
RE: RED-CODE WORM PATCH possibly not working ????
daemon@ATHENA.MIT.EDU (Steve Halford)
Fri Jul 20 18:30:45 2001
From: "Steve Halford" <shalford@infoarc.com>
To: <bugtraq@securityfocus.com>
Date: Fri, 20 Jul 2001 15:10:41 -0700
Message-ID: <KKEBJNEGKENANCGECLIFOEEFCCAA.shalford@infoarc.com>
In-Reply-To: <000901c11118$915f8c50$e62a04c3@sarafina>
On Friday, July 20, 2001 5:36 tigerblue wrote
>
>
> I have got some IIS4 and some IIS5 servers. I was checking the logfiles
> to get a short info about the red-code worm. The IIS4 servers were
> responding to the get default.ida with a http 40x code, but the IIS5 on
> w2k machines were all responding with an http 200 code. Hmmm strange
> 'cause all the servers have been patched in the last month against
> this idq-vulnerability (MS01-033).
>
> I'm really wondering, is it normal that the w2k servers are responding
> with a 200 code, or is maybe the patch not working at all... has anybody
> had this effect ????
The 404 code will return only when you have ida mapping disabled. The patch
fixes the buffer overrun problem; it does not disable the mapping. To test
for whether the patch is applied, you should look at the file date of the
idq.dll; if it is 5/24/2001, the patch has been applied.
Steve Halford
shalford@infoarc.com
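
The log check discussed in this thread, as an added example that is not part of the original message: it reads IIS logs in W3C extended format, counts the status codes returned for `.ida` requests, and applies the reply's reasoning that the status reflects the script mapping, not the patch. The host names, log lines and the `PLACEHOLDER` query string are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logs (W3C extended format); not taken from the thread.
SAMPLE_LOGS = {
    "iis4-web1": (
        "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
        "2001-07-19 14:02:11 192.0.2.10 GET /default.ida PLACEHOLDER 404\n"
        "2001-07-19 14:05:40 192.0.2.77 GET /index.htm - 200\n"
    ),
    "w2k-web2": (
        "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
        "2001-07-19 14:02:13 192.0.2.10 GET /default.ida PLACEHOLDER 200\n"
        "2001-07-19 15:31:02 192.0.2.45 GET /default.ida PLACEHOLDER 200\n"
    ),
}

def ida_statuses(log_text):
    """Return {status: count} for requests whose URI stem ends in .ida."""
    fields, counts = [], defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip other directives and blanks
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower().endswith(".ida"):
            counts[row.get("sc-status", "?")] += 1
    return dict(counts)

def interpret(counts):
    """Map observed statuses to what they say about the .ida mapping."""
    if not counts:
        return "no .ida requests logged"
    if "200" in counts:
        # Per the reply: the patch leaves the mapping in place, so a 200
        # says nothing about patch state; the idq.dll file date does.
        return "ida mapping enabled; check idq.dll file date for patch state"
    if set(counts) == {"404"}:
        return "ida mapping disabled"
    return "inconclusive"

def report(logs):
    return {host: interpret(ida_statuses(text)) for host, text in logs.items()}

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_LOGS).items():
        print(f"{host}: {verdict}")
```
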