Re: Code Red packet dumps.

From: L. Christopher Paul (cpaulat_private)
Date: Mon Jul 23 2001 - 11:03:38 PDT


    Yotam,
    
    At home, I have the output from a lab machine in each of the three phases
    when infected: infect mode, DoS mode and sleep mode; I think I might even
    have one with c:\notworm in place.
    
    These are not "in the wild" dumps and only show what the worm wanted to
    do, not necessarily what it did for real. (They show the outgoing SYNs, but
    no responses.)
    
    If that would be of use, I can ship them off this evening.
    
    L. Christopher Paul
    Christopher.Paulat_private
    lcpat_private
    
    
    On Mon, 23 Jul 2001, Yotam Rubin wrote:
    
    > Hi,
    > 
    > 	Does anyone here have extensive packet dumps of the behavior of 
    > a host after it has been infected with the Code Red worm? A day's worth
    > of packets of an infected host would be great, but I welcome anything.
    > 
    > 	Regards, Yotam Rubin
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    
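The three phases named in the reply (infect, DoS, sleep) and the caveat that the lab dumps carry only outgoing SYNs with no responses are exactly what an analyst has to tell apart when looking at such a capture. The following is an added example, not code from the post or from the list: a small Python classifier that parses tcpdump-style text lines and infers the phase from the SYN pattern alone. The tcpdump line format, the host address 10.0.0.5, the target addresses and the heuristics (infect = SYNs to TCP/80 spread over many hosts, DoS = SYNs to TCP/80 concentrated on one destination, sleep = no outgoing SYNs) are all assumptions made for the example; the post does not state how the phases look on the wire. It also reports whether the capture is one-sided, so that "no responses" in a lab dump is not mistaken for "no victims".

```python
"""Classify which Code Red phase a host is in from a packet dump.

Added example, not code from the list post. It parses tcpdump-style text
lines (constructed below, not real captures) and applies these ASSUMED
heuristics, which the post does not spell out:
  infect: outgoing SYNs to TCP/80 spread across many distinct hosts
  dos:    outgoing SYNs to TCP/80 concentrated on one destination
  sleep:  no outgoing SYNs at all
A dump that holds outgoing SYNs but no SYN/ACKs back (the lab dumps the
post describes) is reported as one_sided, so "no responses" is not read
as "no victims".
"""
import re
from collections import Counter
from dataclasses import dataclass

# tcpdump 3.x style: "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: <flags> ..."
# Flags in that format: S = SYN, S. = SYN/ACK, . = ACK only, P./F./R. etc.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+)'
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse(lines):
    """Turn tcpdump text into Packet records; lines we cannot parse are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m['ts'], m['src'], int(m['sport']),
                               m['dst'], int(m['dport']), m['flags']))
    return pkts


def classify(pkts, host, min_syns=5, dos_ratio=0.9):
    """Return the inferred phase for `host` plus the counts behind the verdict.

    min_syns and dos_ratio are tuning knobs chosen for this example: a flood
    needs at least min_syns SYNs with dos_ratio of them aimed at one address.
    """
    syns = [p for p in pkts if p.src == host and p.flags == 'S' and p.dport == 80]
    replies = [p for p in pkts if p.dst == host and p.flags == 'S.' and p.sport == 80]
    if not syns:
        phase = 'sleep'
    else:
        top_dst, top_n = Counter(p.dst for p in syns).most_common(1)[0]
        if len(syns) >= min_syns and top_n / len(syns) >= dos_ratio:
            phase = 'dos'
        else:
            phase = 'infect'
    return {
        'phase': phase,
        'syns': len(syns),
        'distinct_targets': len({p.dst for p in syns}),
        'replies': len(replies),
        'one_sided': bool(syns) and not replies,
    }


HOST = '10.0.0.5'   # the lab machine; constructed address

# Constructed dumps. Infect mode: SYNs to many different web servers.
INFECT_DUMP = [
    f'11:00:0{i}.000000 IP {HOST}.{1030 + i} > 192.0.2.{10 + i}.80: S {i * 1000}:{i * 1000}(0) win 8192'
    for i in range(6)
]
# DoS mode: the same host hammers a single destination on port 80.
DOS_DUMP = [
    f'11:10:0{i}.000000 IP {HOST}.{2000 + i} > 203.0.113.9.80: S {i * 7}:{i * 7}(0) win 8192'
    for i in range(8)
]
# Sleep mode: chatter, but no outgoing SYNs (the ARP line is not matched at all).
SLEEP_DUMP = [
    '11:20:00.000000 arp who-has 10.0.0.1 tell 10.0.0.5',
    f'11:20:01.000000 IP {HOST}.1099 > 192.0.2.3.80: . ack 1 win 8192',
]
# Two-sided capture: the same scan, but one target answered with a SYN/ACK.
WILD_DUMP = INFECT_DUMP + [
    f'11:00:02.000500 IP 192.0.2.12.80 > {HOST}.1032: S. 99:99(0) ack 2001 win 5840',
]

if __name__ == '__main__':
    for name, dump in [('infect', INFECT_DUMP), ('dos', DOS_DUMP),
                       ('sleep', SLEEP_DUMP), ('wild', WILD_DUMP)]:
        print(name, classify(parse(dump), HOST))
```

Run it as-is to see the verdict for each constructed dump; to use it on a real capture, feed `parse()` the lines of `tcpdump -n` output and pass the suspected host's address to `classify()`. The thresholds are deliberately crude: a single scan SYN to one host is still "infect", and only a sustained run aimed at one address counts as DoS.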



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 13:27:37 PDT