Re: Correction: Re: tcpdump traces of CodeRed (lab environment)

From: L. Christopher Paul (lcpat_private)
Date: Fri Jul 27 2001 - 05:43:20 PDT

    It appears that I was mistaken when I said earlier that I was wrong...
    
    Poor testing methodology led me to the quoted conclusion and incorrect
    results.
    
    Most of you will have seen the CERT advisory by now indicating that the worm
    wakes back up on the 1st.
    
    Yup. Sure does. Seems the first time I ran it I had c:\notworm in
    place. Basically ended up using a dirty petri dish and got bad results.
    
    Sometime tonight I hope to have the wakeup trace up at
    http://www.bofh.sh/CodeRed along with the others.
    
    Sorry ... if anyone needs me I'll be the one standing in the corner,
    
    --lcp
    
    On Thu, 26 Jul 2001, L. Christopher Paul wrote:
    
    > 
    > On the web site I indicated that the worm would wake up on the 1st and go
    > back to work.
    > 
    > After further testing and letting it roll-over and run for over 12 hours,
    > it appears that I was incorrect and that once dormant, Code Red stays that
    > way. (Which appears to be good news.)
    > 
    > Kudos to Chris Rouland <CRoulandat_private> and Jon Larimer
    > <JLarimerat_private> for catching that. Thanks guys.
    > 
    > Sorry for the confusion.
    > 
    > --lcp
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 09:27:42 PDT