RE: RED-CODE WORM PATCH possibly not working ????

From: Steve Halford (shalfordat_private)
Date: Fri Jul 20 2001 - 15:10:41 PDT


    On Friday, July 20, 2001 5:36 tigerblue wrote
    >
    > I have got some IIS4 and some IIS5 servers. I was checking the logfiles
    > to get a short info about the red-code worm. The IIS4 servers were
    > responding to the get default.ida with a http 40x code, but the IIS5 on
    > w2k machines were all responding with an http 200 code. Hmmm strange
    > 'cause all the servers have been patched in the last month against
    > this idq-vulnerability (MS01-033).
    >
    > I'm really wondering, is it normal that the w2k servers are responding
    > with a 200 code, or is maybe the patch not working at all... has anybody
    > had this effect ????
    
    The 404 code will return only when you have ida mapping disabled. The patch
    fixes the buffer overrun problem; it does not disable the mapping. To test
    for whether the patch is applied, you should look at the file date of the
    idq.dll; if it is 5/24/2001, the patch has been applied.
    
    
    Steve Halford
    shalfordat_private
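
The reply above separates two things a status code can and cannot show. As an added example (not part of the original message), this sketch triages IIS logs for `.ida` requests on that basis; it assumes W3C Extended log format, and the log lines, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in W3C Extended Log File Format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-20 14:02:11 192.0.2.10 GET /default.ida XXXX 200
2001-07-20 14:05:40 192.0.2.77 GET /default.ida XXXX 404
2001-07-20 14:06:02 192.0.2.10 GET /index.html - 200
2001-07-20 14:09:13 198.51.100.4 GET /Default.IDA XXXX 200
"""

def ida_probes(log_text):
    """Yield (client_ip, status) for every request whose stem ends in .ida."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower().endswith(".ida"):
            yield row.get("c-ip", "?"), row.get("sc-status", "?")

def interpret(status):
    """Say what a status code tells us about the .ida script mapping."""
    if status == "404":
        return "ida mapping disabled"
    if status == "200":
        # Per the reply: the patch does not remove the mapping, so a 200
        # says nothing about whether the overflow fix is installed.
        return "ida mapping enabled; patch state unknown, check idq.dll file date"
    return "inconclusive"

def summarize(log_text):
    """Group requesting client IPs by interpretation."""
    out = defaultdict(set)
    for ip, status in ida_probes(log_text):
        out[interpret(status)].add(ip)
    return dict(out)

if __name__ == "__main__":
    for meaning, ips in summarize(SAMPLE_LOG).items():
        print(f"{meaning}: {sorted(ips)}")
```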
    


