tcpdump traces of CodeRed (lab environment)

From: lcpat_private
Date: Wed Jul 25 2001 - 04:42:14 PDT


    Per several requests, I have made these traces available at:
    
    http://www.bofh.sh/CodeRed/index.html
    
    These dumps show what the worm was trying to do when the box was infected
    in each of its three stages (infect, DDoS & sleep) as well as what happens
    when the c:\notworm file existed on the infected server. (i.e. nothing.)
    
    --lcp
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


