Correction: Re: tcpdump traces of CodeRed (lab environment)

From: L. Christopher Paul (lcpat_private)
Date: Thu Jul 26 2001 - 04:56:27 PDT

    On the web site I indicated that the worm would wake up on the 1st and go
    back to work.
    
    After further testing and letting it roll-over and run for over 12 hours,
    it appears that I was incorrect and that once dormant, Code Red stays that
    way. (Which appears to be good news.)
    
    Kudos to Chris Rouland <CRoulandat_private> and Jon Larimer
    <JLarimerat_private> for catching that. Thanks guys.
    
    Sorry for the confusion.
    
    --lcp
    
    On Wed, 25 Jul 2001 lcpat_private wrote:
    
    > 
    > Per several requests, I have made these traces available at:
    > 
    > http://www.bofh.sh/CodeRed/index.html
    > 
    > These dumps show what the worm was trying to do when the box was infected
    > in each of its three stages (infect, DDoS & sleep) as well as what happens
    > when the c:\notworm file existed on the infected server. (i.e. nothing.)
    > 
    > --lcp
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 09:06:32 PDT