Security Incidents mailing list archives

Re: tcpdump traces of CodeRed (lab environment)


From: Stuart Staniford <stuart () silicondefense com>
Date: Wed, 25 Jul 2001 10:28:43 -0700

Thanks for making these available.  

Can you confirm whether this was version 1 or 2 of Code Red?

Stuart.

lcp () bofh sh wrote:

Per several requests, I have made these traces available at:

http://www.bofh.sh/CodeRed/index.html

These dumps show what the worm was trying to do when the box was infected
in each of its three stages (infect, DDoS & sleep) as well as what happens
when the c:\notworm file existed on the infected server. (i.e. nothing.)

--lcp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)

