I have a Windows NT 4.0 machine that is reporting false positives for this test and for ms03-026.
This machine did have the 823980 patch on it this morning, I then took that off and ended up reinstalling the entire machine to make it work again (thanks MS). I scanned it with neither patch applied and msrpc_dcom2.nasl reports that both are missing (correctly). I then applied the latest patch since 823980 is not on the Windows Update list any more. It now reports that both ms03-026 and ms03-039 are not applied even though ms03-039 is. I ran the test plugin against it and it reports error1=0000000000 error2=0000000000 error3=0200000000 error4=2000000003 Success msrpc_dcom.nasl also fires and reports this machine as vulnerable with the ms03-039 patch on. -----Original Message----- From: John Kapp [mailto:[EMAIL PROTECTED] Sent: 11 September 2003 13:11 To: Renaud Deraison; [EMAIL PROTECTED] Subject: Re: MS RPC Patch (Mis-)Reporting > Could you run the attached plugin in command-line mode and tell me > what it outputs ? (nasl -t target msrpc_dcom2.nasl). In the output below, test.nasl is the plugin that you sent in your e-mail. msrpc_dcom2.nasl is the production plugin. bluepill:/lib/nessus/plugins# nasl -t 10.129.53.61 test.nasl error1=5401048000 error2=0240008000 error3=0200000000 error4=2000000003 [19417] plug_set_key:send(0)['1 SMB/KB824146=1; '](0 out of 18): Socket operation on non-socket bluepill:/lib/nessus/plugins# nasl -t 10.129.53.61 msrpc_dcom2.nasl [19418] plug_set_key:send(0)['1 SMB/KB824146=1; '](0 out of 18): Socket operation on non-socket bluepill:/lib/nessus/plugins# nasl -t 10.129.53.61 msrpc_dcom.nasl Success C:\Program Files\KB824146Scan>KB824146Scan.exe 10.129.53.61 Microsoft (R) KB824146 Scanner Version 1.00.0249 for 80x86 Copyright (c) Microsoft Corporation 2003. All rights reserved. <+> Starting scan (timeout = 5000 ms) Checking 10.129.53.61 10.129.53.61: patched with KB824146 and KB823980 <-> Scan completed > What operating system is running on the hosts which are supposed to be > patched ? I'm about 90% certain that they are XP Pro SP1. I can try to get better info if it's important. Regards, John
