Bugtraq mailing list archives

RE: RED-CODE WORM PATCH possibly not working ????


From: "Steve Halford" <shalford () infoarc com>
Date: Fri, 20 Jul 2001 15:10:41 -0700

On Friday, July 20, 2001 5:36 tigerblue wrote:

I have got some IIS4 and some IIS5 servers. I was checking the logfiles
to get a short info about the red-code worm. The IIS4 servers were
responding to the get default.ida with a http 40x code, but the IIS5 on
w2k machines were all responding with an http 200 code. Hmmm strange
'cause all the servers have been patched in the last month against
this idq-vulnerability (MS01-033).

I'm really wondering, is it normal that the w2k servers are responding
with a 200 code, or is maybe the patch not working at all... has anybody
had this effect ????

The 404 code will return only when you have ida mapping disabled. The patch
fixes the buffer overrun problem; it does not disable the mapping. To test
for whether the patch is applied, you should look at the file date of the
idq.dll; if it is 5/24/2001, the patch has been applied.


Steve Halford
shalford () infoarc com
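
An added example, not part of the original post: a log triage script that applies the reply's two points, reading the status code of `.ida` requests as evidence of the script mapping only, and checking the patch by the `idq.dll` file date instead. The sample log lines, addresses, function names and the reading of "file date" as local modification time are assumptions made for illustration.

```python
import os
from datetime import date

PATCHED_IDQ_DATE = date(2001, 5, 24)  # idq.dll file date given in the reply
MAPPING_DISABLED = ".ida mapping disabled"
MAPPING_ENABLED = ".ida mapping enabled; status does not show patch state, check idq.dll date"
OTHER = "other status; not covered by the reply"

# Constructed sample in W3C extended log format; addresses and query are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.10 GET /default.ida NNNN 200
2001-07-19 14:05:40 192.0.2.77 GET /index.htm - 200
2001-07-19 15:31:02 198.51.100.4 GET /default.ida NNNN 404
"""

def ida_probes(log_text):
    """Return (client_ip, status, meaning) for each request to an .ida stem."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue                       # directive, blank, or malformed row
        row = dict(zip(fields, values))
        stem, status = row.get("cs-uri-stem", ""), row.get("sc-status", "")
        if not stem.lower().endswith(".ida") or not status.isdigit():
            continue
        meaning = {404: MAPPING_DISABLED, 200: MAPPING_ENABLED}.get(int(status), OTHER)
        hits.append((row.get("c-ip", "-"), int(status), meaning))
    return hits

def idq_is_patched(path):
    """True if the file's modification date (local time) is 5/24/2001."""
    return date.fromtimestamp(os.path.getmtime(path)) == PATCHED_IDQ_DATE

if __name__ == "__main__":
    for ip, status, meaning in ida_probes(SAMPLE_LOG):
        print(ip, status, meaning)
```
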



