Security Incidents mailing list archives

RE: Full analysis of the .ida "Code Red" worm.


From: "Marc Maiffret" <marc () eeye com>
Date: Thu, 19 Jul 2001 16:14:15 -0700

it's a destination port 80, not source

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: corecode [mailto:simons () gmx net]
|Sent: Thursday, July 19, 2001 11:09 AM
|To: incidents () securityfocus com
|Subject: Re: Full analysis of the .ida "Code Red" worm.
|
|
|At 06:17 AM 7/19/2001, aleph1 () securityfocus com wrote:
|>----- Forwarded message from Marc Maiffret <marc () eeye com> -----
|>8. Infect a new host (send .ida worm to a "random" IP address on port 80).
|>
|>At this point the worm will resend itself to any IP addresses which it can
|>connect to port 80 on. It uses multiple send()'s so packet traffic may be
|>broken up. On a successful completion of send, it closes the socket and goes
|>to step 6... therefore repeating this loop infinitely.
|
|I wonder if these connects originate from port 80, too.
|Somewhere I read about a source port 80, but maybe I'm mistaking this for the
|acknowledging "GET".
|
|greets,
|   corecode
|
|
|
|----------------------------------------------------------------------------
|
|
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see:
|
|http://aris.securityfocus.com
|
|
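The two points raised above, that an infected host connects *to* port 80 on its targets from an ordinary ephemeral source port, and that the worm's request is sent with several send() calls and so may be split across packets, as an added Python example for a defender looking at connection logs or captured payloads. This is not code from the thread, from eEye or from SecurityFocus; every flow record, the segment payloads and the `/anything.ida` path are constructed for the example.

```python
"""
Added example, not part of the original mailing-list thread.

Shows (1) why a filter keyed on *source* port 80 misses the worm's
outbound connections while a *destination*-port filter catches them, and
(2) why a per-packet pattern check can miss the ".ida" request line when the
request was written with several send() calls, so payloads must be
reassembled before matching. All data below is constructed.
"""
from typing import Dict, List, Tuple

# Constructed connection records: (src_ip, src_port, dst_ip, dst_port).
# The infected host 192.0.2.10 picks ephemeral source ports and connects to
# port 80 on several targets; the only record with source port 80 is a
# normal web server answering an unrelated client.
CONSTRUCTED_FLOWS: List[Tuple[str, int, str, int]] = [
    ("192.0.2.10", 3391, "198.51.100.5", 80),
    ("192.0.2.10", 3392, "198.51.100.77", 80),
    ("192.0.2.10", 3393, "203.0.113.9", 80),
    ("192.0.2.10", 3394, "198.51.100.5", 80),
    ("198.51.100.5", 80, "192.0.2.44", 51000),   # server reply, not the worm
    ("192.0.2.44", 51001, "198.51.100.5", 443),
]


def flows_by_source_port(flows, port: int = 80):
    """The mistaken filter: keys on the source port and misses the worm."""
    return [f for f in flows if f[1] == port]


def flows_by_destination_port(flows, port: int = 80):
    """The correct filter: the worm connects to port 80 on its targets."""
    return [f for f in flows if f[3] == port]


def scanners(flows, port: int = 80, threshold: int = 3) -> Dict[str, int]:
    """Count distinct hosts each source contacted on `port`; a source that
    reaches `threshold` or more distinct hosts looks like a spreading host."""
    targets: Dict[str, set] = {}
    for src, _sport, dst, dport in flows:
        if dport == port:
            targets.setdefault(src, set()).add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed TCP payload segments, in order, of one request that the sender
# wrote with several send() calls. The ".ida" token straddles segments.
CONSTRUCTED_SEGMENTS: List[bytes] = [
    b"GET /anyth",
    b"ing.id",
    b"a?XXXX HTTP/1.0\r\n",
    b"\r\n",
]


def per_segment_match(segments: List[bytes]) -> bool:
    """Naive per-packet check; False here because no single segment holds '.ida'."""
    return any(b".ida" in s for s in segments)


def request_line_from_segments(segments: List[bytes]) -> str:
    """Reassemble the ordered payloads and return the first request line."""
    stream = b"".join(segments)
    return stream.split(b"\r\n", 1)[0].decode("ascii", "replace")


def is_ida_request(request_line: str) -> bool:
    """True when the request line is a GET for an .ida resource, ignoring any query."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    return parts[1].split("?", 1)[0].lower().endswith(".ida")


if __name__ == "__main__":
    print("source-port-80 filter:", len(flows_by_source_port(CONSTRUCTED_FLOWS)))
    print("dest-port-80 filter:  ", len(flows_by_destination_port(CONSTRUCTED_FLOWS)))
    print("likely spreaders:     ", scanners(CONSTRUCTED_FLOWS))
    print("per-segment match:    ", per_segment_match(CONSTRUCTED_SEGMENTS))
    line = request_line_from_segments(CONSTRUCTED_SEGMENTS)
    print("reassembled line:     ", line, "->", is_ida_request(line))
```

On the constructed records the source-port filter returns only the unrelated server reply, while the destination-port filter returns all four worm connections and the per-source count singles out 192.0.2.10. The per-segment check returns False for the split request; only after joining the segments does the `.ida` check succeed, which is the practical consequence of the "multiple send()'s" remark.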
