Re: RED-CODE WORM PATCH possibly not working ????

From: fyom (fyom@symmsys.com)
Date: 07/21/01


Message-ID: <00f601c11169$ccc11a10$bd096fa0@SYMMETRY.SYMMSYS.COM>
From: "fyom" <fyom@symmsys.com>
To: "tigerblue" <tigerblue@puzzleapuma.de>, <bugtraq@securityfocus.com>, <incidents@securityfocus.com>
Subject: Re: RED-CODE WORM PATCH possibly not working ????
Date: Fri, 20 Jul 2001 18:17:44 -0400

Hi,

I have the exact same issue for IIS5. I installed Q300972 last month, but
saw the 200 http result codes for the .ida attacks. I re-ran my install of
Q300972, but I still see the 200 result codes.

I want to hedge this by saying that it does not appear that my IIS5 servers
have been penetrated. The patch seems to be working but I get that
unsettling 200 http result code.

-Francis

----- Original Message -----
From: "tigerblue" <tigerblue@puzzleapuma.de>
To: <bugtraq@securityfocus.com>
Sent: Friday, July 20, 2001 8:36 AM
Subject: RED-CODE WORM PATCH possibly not working ????

>
>
> Hi,
>
> I have got some IIS4 and some IIS5 servers. I was checking the logfiles
> to get a short info about the red-code worm. The IIS4 servers were
> responding to the get default.ida with a http 40x code, but the IIS5 on
> w2k machines were all responding with an http 200 code. Hmmm strange
> 'cause all the servers have been patched in the last month against
> this idq-vulnerability (MS01-033).
>
> I'm really wondering, is it normal that the w2k servers are responding
> with a 200 code, or is maybe the patch not working at all... has anybody
> had this effect ????
>
> best regards
>
> tigerblue
>
> MCSE systemadministration
>
>
>
>
>
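
The log check both posters describe can be reproduced with a short script. This is an added example, not part of either message: it tallies HTTP status codes for .ida/.idq requests, assuming the servers write IIS W3C Extended logs. The function name, sample log lines and addresses are constructed for illustration.

```python
import collections

# Constructed sample in W3C Extended format (documentation-range addresses,
# placeholder query string). The second #Fields line models a logging restart
# with a different field selection, which the parser has to follow.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-20 12:01:07 192.0.2.10 GET /default.ida NNNNNNNN 200
2001-07-20 12:03:44 192.0.2.77 GET /default.ida NNNNNNNN 200
2001-07-20 12:04:02 198.51.100.5 GET /index.html - 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-07-20 12:09:30 192.0.2.10 GET /default.ida 404
2001-07-20 12:10:00 203.0.113.9 GET /search.IDQ 404
"""

def tally_ida_requests(lines, extensions=(".ida", ".idq")):
    """Count sc-status values for requests whose URI stem ends in `extensions`.

    Returns (by_status, by_client): a Counter of status codes and a
    per-client-IP Counter of status codes.
    """
    fields = []
    by_status = collections.Counter()
    by_client = collections.defaultdict(collections.Counter)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive changes how later rows are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row, or no #Fields seen yet
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "").lower()
        status = rec.get("sc-status")
        if status is None or not stem.endswith(extensions):
            continue
        by_status[status] += 1
        by_client[rec.get("c-ip", "?")][status] += 1
    return by_status, by_client

if __name__ == "__main__":
    print(tally_ida_requests(SAMPLE_LOG.splitlines()))
```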
