Re: tcpdump traces of CodeRed (lab environment)

From: Stuart Staniford (stuartat_private)
Date: Wed Jul 25 2001 - 10:28:43 PDT


    Thanks for making these available.  
    
    Can you confirm whether this was version 1 or 2 of Code Red?
    
    Stuart.
    
    lcpat_private wrote:
    > 
    > Per several requests, I have made these traces available at:
    > 
    > http://www.bofh.sh/CodeRed/index.html
    > 
    > These dumps show what the worm was trying to do when the box was infected
    > in each of its three stages (infect, DDoS & sleep) as well as what happens
    > when the c:\notworm file existed on the infected server. (i.e. nothing.)
    > 
    > --lcp
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    Stuart Staniford     ---     President     ---     Silicon Defense
             ** Silicon Defense: Technical Support for Snort **
    mailto:stuartat_private  http://www.silicondefense.com/
    (707) 445-4355 x 16                           (707) 445-4222 (FAX)
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 11:58:16 PDT