Security Incidents mailing list archives
RE: Full analysis of the .ida "Code Red" worm.
From: "Marc Maiffret" <marc () eeye com>
Date: Thu, 19 Jul 2001 16:14:15 -0700
It's a destination port 80, not source.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: corecode [mailto:simons () gmx net]
|Sent: Thursday, July 19, 2001 11:09 AM
|To: incidents () securityfocus com
|Subject: Re: Full analysis of the .ida "Code Red" worm.
|
|
|At 06:17 AM 7/19/2001, aleph1 () securityfocus com wrote:
|>----- Forwarded message from Marc Maiffret <marc () eeye com> -----
|>8. Infect a new host (send .ida worm to a "random" IP address on port 80).
|>
|>At this point the worm will resend itself to any IP addresses which it can
|>connect to port 80 on. It uses multiple send()'s so packet traffic may be
|>broken up. On a successful completion of send, it closes the socket and goes
|>to step 6... therefore repeating this loop infinitely.
|
|i wonder if these connects originate from port 80, too
|somewhere i read about a source port 80, but maybe i mistake this with the
|acknowledging "GET"
|
|greets,
|  corecode
|
|
|
|----------------------------------------------------------------------------
|
|
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see:
|
|http://aris.securityfocus.com
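The distinction discussed in this thread, as an added example that is not part of the original messages or of eEye's analysis: a host opening connections sends SYNs to destination port 80 from an ephemeral source port, while source port 80 only appears on the replies from the contacted web servers. The packet records, the documentation-range addresses and the `min_targets` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not captured traffic):
# (src_ip, src_port, dst_ip, dst_port, tcp_flags); "S" = SYN, "SA" = SYN+ACK.
PACKETS = [
    ("192.0.2.10", 1045, "198.51.100.7", 80, "S"),
    ("198.51.100.7", 80, "192.0.2.10", 1045, "SA"),
    ("192.0.2.10", 1046, "203.0.113.21", 80, "S"),
    ("192.0.2.10", 1047, "203.0.113.99", 80, "S"),
    ("203.0.113.99", 80, "192.0.2.10", 1047, "SA"),
    ("192.0.2.10", 1048, "198.51.100.200", 80, "S"),
    ("192.0.2.55", 2301, "198.51.100.7", 80, "S"),   # ordinary client, one server
    ("198.51.100.7", 80, "192.0.2.55", 2301, "SA"),
]


def classify(pkt):
    """Return the role a packet plays in a port-80 handshake, or None."""
    _src, sport, _dst, dport, flags = pkt
    if flags == "S" and dport == 80:
        return "initiation"   # connecting side: destination port 80
    if flags == "SA" and sport == 80:
        return "reply"        # web server answering: source port 80
    return None


def scanning_hosts(packets, min_targets=3):
    """Map each host that initiated port-80 connections to at least
    min_targets distinct IPs onto the number of distinct targets."""
    targets = defaultdict(set)
    for pkt in packets:
        if classify(pkt) == "initiation":
            targets[pkt[0]].add(pkt[2])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for host, count in scanning_hosts(PACKETS).items():
        print(f"{host} initiated port-80 connections to {count} distinct hosts")
```

Counting only initiations keeps the replies with source port 80 from being attributed to the scanning host or mistaken for outbound worm traffic.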