It's a destination port 80, not source.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: corecode [mailto:simonsat_private]
|Sent: Thursday, July 19, 2001 11:09 AM
|To: incidentsat_private
|Subject: Re: Full analysis of the .ida "Code Red" worm.
|
|
|At 06:17 AM 7/19/2001, aleph1at_private wrote:
|>----- Forwarded message from Marc Maiffret <marcat_private> -----
|>8. Infect a new host (send .ida worm to a "random" IP address on port 80).
|>
|>At this point the worm will resend itself to any IP addresses which it can
|>connect to port 80 on. It uses multiple send()'s so packet traffic may be
|>broken up. On a successful completion of send, it closes the socket and goes
|>to step 6... therefore repeating this loop infinitely.
|
|i wonder if these connects originate from port 80, too
|somewhere i read about a source port 80, but maybe i mistake this with the
|acknowledging "GET"
|
|greets,
|  corecode
|
|
|----------------------------------------------------------------------------
|
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see:
|
|http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:03:09 PDT