Security Incidents mailing list archives

Correction: Re: tcpdump traces of CodeRed (lab environment)


From: "L. Christopher Paul" <lcp () bofh sh>
Date: Thu, 26 Jul 2001 07:56:27 -0400 (EDT)


On the web site I indicated that the worm would wake up on the 1st and go
back to work.

After further testing and letting it roll-over and run for over 12 hours,
it appears that I was incorrect and that once dormant, Code Red stays that
way. (Which appears to be good news.)

Kudos to Chris Rouland <CRouland () iss net> and Jon Larimer
<JLarimer () iss net> for catching that. Thanks guys.

Sorry for the confusion.

--lcp

On Wed, 25 Jul 2001 lcp () bofh sh wrote:


Per several requests, I have made these traces available at:

http://www.bofh.sh/CodeRed/index.html

These dumps show what the worm was trying to do when the box was infected
in each of its three stages (infect, DDoS & sleep) as well as what happens
when the c:\notworm file existed on the infected server. (i.e. nothing.)

--lcp


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
