codered/general simple honeypot

From: corecode (corecodeat_private)
Date: Wed Aug 01 2001 - 19:04:51 PDT

Next message: Kee Hinckley: "Code Red - same IPs or different?"

Previous message: Brian Cervenka: "Code Red in the media"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

i have written a codered catcher, that logs the accesses pretty well i think...
i know it's a little too late as the storm is over but somebody might want this

it accepts on port 80 and logs the whole traffic to a seperate file
if multiple equal (ie. same bytes) requests occur only the first is saved, 
the remaining connections are just logged (to reduce redundancy).

as the worm contains self-modifying code i need to improve this a bit so 
that these parts of the worm don't count.

have a look at http://www.eikon.tum.de/~simons/coderedcatch.c (will be 
updated now and then)

cheerz
   corecode

text/plain attachment: coderedcatch.c

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Next message: Kee Hinckley: "Code Red - same IPs or different?"
Previous message: Brian Cervenka: "Code Red in the media"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 21:07:06 PDT