Re: tcpdump traces of CodeRed (lab environment)

From: Stuart Staniford (stuart@silicondefense.com)
Date: 07/25/01


Message-ID: <3B5F01CB.E8A47463@silicondefense.com>
Date: Wed, 25 Jul 2001 10:28:43 -0700
From: Stuart Staniford <stuart@silicondefense.com>
To: lcp@bofh.sh
Subject: Re: tcpdump traces of CodeRed (lab environment)

Thanks for making these available.

Can you confirm whether this was version 1 or 2 of Code Red?

Stuart.

lcp@bofh.sh wrote:
>
> Per several requests, I have made these traces available at:
>
> http://www.bofh.sh/CodeRed/index.html
>
> These dumps show what the worm was trying to do when the box was infected
> in each of its three stages (infect, DDoS & sleep) as well as what happens
> when the c:\notworm file existed on the infected server. (i.e. nothing.)
>
> --lcp
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart@silicondefense.com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)



