I previously posted (and hope a moderator dropped) an incorrect analysis of the rules for scanning in Code Red II. The target address is a blend of the current IP address and a random number, with the random factor being dependeng on yet another random number. There appear to be eight ways this can go: 1 out of 8: scan any IP address 4 out of 8: scan within the same class A (192.X.Y.Z) 3 out of 8: scan within the same class B (192.168.X.Y) localhost, multicast, and the local IP are all ignored. Actual algorithm on my web site. Steve, who's tired, but not as tired as Ryan and Marc :-) --- Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561 www.unixwiz.net | I speak for me only | KA8CMY | steveat_private ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 09:29:07 PDT