Security Incidents mailing list archives
Correction: Re: tcpdump traces of CodeRed (lab environment)
From: "L. Christopher Paul" <lcp () bofh sh>
Date: Thu, 26 Jul 2001 07:56:27 -0400 (EDT)
On the web site I indicated that the worm would wake up on the 1st and go back to work. After further testing and letting it roll-over and run for over 12 hours, it appears that I was incorrect and that once dormant, Code Red stays that way. (Which appears to be good news.)

Kudos to Chris Rouland <CRouland () iss net> and Jon Larimer <JLarimer () iss net> for catching that. Thanks guys.

Sorry for the confusion.

--lcp

On Wed, 25 Jul 2001 lcp () bofh sh wrote:
Per several requests, I have made these traces available at:

http://www.bofh.sh/CodeRed/index.html

These dumps show what the worm was trying to do when the box was infected in each of its three stages (infect, DDoS & sleep) as well as what happens when the c:\notworm file existed on the infected server. (i.e. nothing.)

--lcp