Snort mailing list archives
RE: A new variation of CodeRed???????????
From: "John Davey" <john () davey net au>
Date: Fri, 17 Aug 2001 02:13:15 +0930
> What you forwarded looks just like what I've been calling CodeRedII. It's the one with the backdoor. The original CodeRed used "N" for the filler instead of "X". I forget where I originally read about it, probably BugTraq. ;-)
Nope. It's different. Look at offsets 0f0 & 1b0 and you will see some obvious differences in the payload. Also note the string at 1b4 -> Client-ip: 64.76.100.155 (the src IP in the packet header was 207.42.183.71). This also does not happen in CodeRedII.

Another thing of note is that the PSH flag is set, which only occurs in CodeRed v1 & v2, not CodeRedII. There are many other differences if you look closely.

Regards
John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
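The three discriminators John lists above (N vs X filler in the request URI, a Client-ip: header whose value disagrees with the IP-header source, and the PSH flag) can be turned into a small triage script so the comparison is repeatable over a capture. The code below is an added example and is not from the original post or from Snort; the /default.ida request line and the N/X padding are as described in the thread and the public CodeRed write-ups, while the Packet structure, the sample requests (constructed inline, with the shellcode portion left out) and the labels are assumptions made for illustration only. The offset it reports for Client-ip: is relative to the start of the HTTP payload, so it will only line up with John's 1b4 on the real capture, not on these stand-ins.

```python
"""Triage CodeRed-family HTTP requests by the features discussed in the thread.

Added example (not the list's or Snort's code). Packets below are constructed
stand-ins, not the capture John posted; the real shellcode is omitted.
"""
import re
from dataclasses import dataclass, field

TCP_PSH = 0x08  # PSH bit in the TCP flags byte


@dataclass
class Packet:
    src_ip: str       # source address taken from the IP header
    tcp_flags: int    # TCP flags byte (PSH|ACK = 0x18, ACK = 0x10)
    payload: bytes    # TCP payload, i.e. the HTTP request as sent on the wire


def filler_byte(payload: bytes):
    """Return 'N' or 'X' when the /default.ida query is padded with a run of
    that byte (N: original CodeRed, X: CodeRedII per the thread), else None."""
    m = re.search(rb"GET /default\.ida\?([NX])\1{15,}", payload)
    return chr(m.group(1)[0]) if m else None


def client_ip_header(payload: bytes):
    """Return (payload_offset, value) of a Client-ip: header, or None."""
    m = re.search(rb"(?im)^Client-ip:[ \t]*([0-9.]+)", payload)
    if not m:
        return None
    return m.start(), m.group(1).decode("ascii")


def label(obs: dict) -> str:
    """Heuristic label using only the discriminators named in the thread."""
    if obs["filler"] is None:
        return "not a CodeRed-style /default.ida request"
    if obs["client_ip"] is not None:
        # The thread reports this header in the new capture and says
        # CodeRedII does not carry it.
        return "unknown variant: Client-ip header present (not seen in CodeRedII)"
    if obs["filler"] == "X":
        return "CodeRedII-style (X filler)"
    return "CodeRed v1/v2-style (N filler)"


def triage(pkt: Packet) -> dict:
    """Collect the observations John compares by hand, plus a label."""
    hdr = client_ip_header(pkt.payload)
    obs = {
        "filler": filler_byte(pkt.payload),
        "psh": bool(pkt.tcp_flags & TCP_PSH),
        "client_ip_offset": f"0x{hdr[0]:x}" if hdr else None,
        "client_ip": hdr[1] if hdr else None,
        # John's point: the header claims one address, the IP header another.
        "client_ip_matches_src": (hdr[1] == pkt.src_ip) if hdr else None,
        "notes": [],
    }
    obs["label"] = label(obs)
    if obs["filler"] == "X" and obs["psh"]:
        obs["notes"].append("PSH set: the thread reports PSH only for CodeRed v1/v2")
    if obs["client_ip"] is not None and not obs["client_ip_matches_src"]:
        obs["notes"].append(f"Client-ip {obs['client_ip']} != IP src {pkt.src_ip}")
    return obs


def _request(filler: bytes, extra_headers: bytes = b"") -> bytes:
    """Constructed request shaped like the worm's; 224 filler bytes is a guess
    used only so the three samples are comparable, and the exploit body is omitted."""
    return (b"GET /default.ida?" + filler * 224 + b" HTTP/1.0\r\n"
            + extra_headers + b"Host: 10.0.0.9\r\n\r\n")


# Constructed samples (addresses are test data except the two quoted from the thread).
SAMPLES = {
    "codered_v1": Packet("10.0.0.1", 0x18, _request(b"N")),
    "coderedII": Packet("10.0.0.2", 0x10, _request(b"X")),
    # Filler assumed to be X here (Neil said it looked like CodeRedII);
    # the Client-ip value and IP source are the ones John quotes.
    "thread_capture": Packet("207.42.183.71", 0x18,
                             _request(b"X", b"Client-ip: 64.76.100.155\r\n")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, triage(pkt))
```

Run it as-is to see the three sample verdicts; to use it on a real capture, fill a Packet from each reassembled TCP stream (for instance with scapy or a pcap reader of your choice) and feed it to triage(). The "notes" list is where the inconsistencies John points at show up, which is more useful for a new variant than the label itself.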
Current thread:
- A new variation of CodeRed??????????? John Davey (Aug 16)
- <Possible follow-ups>
- Re: A new variation of CodeRed??????????? Neil Dickey (Aug 16)
- RE: A new variation of CodeRed??????????? John Davey (Aug 16)
- MD5 sums for each CodeRed version (was "A new variation of CodeRed???????????") Stephen W. Thompson (Aug 16)
- RE: A new variation of CodeRed??????????? John Davey (Aug 16)
- RE: A new variation of CodeRed??????????? Neil Dickey (Aug 16)