Snort mailing list archives

RE: A new variation of CodeRed???????????


From: "John Davey" <john () davey net au>
Date: Fri, 17 Aug 2001 02:13:15 +0930

 
> What you forwarded looks just like what I've been
> calling CodeRedII.  It's the one with the backdoor.
> The original CodeRed used "N" for the filler instead
> of "X".  I forget where I originally read about it,
> probably BugTraq.  ;-)

Nope. It's different. 
Look at offset 0f0 & 1b0 and you will see some obvious
differences in the payload.

Also note the string at 1b4-> Client-ip: 64.76.100.155
(The src ip in the packet header was 207.42.183.71)
This also does not happen in CodeRedII.
 
Another thing of note is that the PSH flag is set, which
only occurs in CodeRed v1 & v2, not CodeRedII.

There are many other differences if you look closely.

Regards John
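The three checks John describes (filler character in the request URI, a byte-level comparison of two payloads at specific offsets, the extra "Client-ip:" header, and whether PSH is set on the TCP segment) can be turned into a small triage script. The following is an added example written for this archive page; it is not code from the thread or from the Snort project. The sample requests are constructed here with shortened filler runs and no worm body, the labels are taken directly from the thread's own claims and are assumed to hold, and the "tcp_flags" value is assumed to be the flags byte from the TCP header as a capture tool would report it.

```python
"""Heuristic triage of CodeRed-style HTTP requests (added example, not from the thread)."""
import re
from typing import Dict, List, Optional

# PSH bit in the TCP header flags byte (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10).
TCP_PSH = 0x08

# Constructed samples: filler shortened to 32 bytes, no exploit body, hypothetical Host.
SAMPLE_V1 = b"GET /default.ida?" + b"N" * 32 + b"%u9090 HTTP/1.0\r\nHost: www\r\n\r\n"
SAMPLE_II = b"GET /default.ida?" + b"X" * 32 + b"%u9090 HTTP/1.0\r\nHost: www\r\n\r\n"
SAMPLE_NEW = (b"GET /default.ida?" + b"X" * 32
              + b"%u9090 HTTP/1.0\r\nHost: www\r\nClient-ip: 64.76.100.155\r\n\r\n")

# The request line starts with /default.ida? followed by a long run of one filler byte.
FILLER_RE = re.compile(rb"^GET /default\.ida\?([NX])\1{15,}")
CLIENT_IP_RE = re.compile(rb"^Client-ip:\s*([\d.]+)\s*$", re.M)


def filler_char(payload: bytes) -> Optional[str]:
    """Return 'N' or 'X' if the URI carries a CodeRed-style filler run, else None."""
    m = FILLER_RE.match(payload)
    return m.group(1).decode() if m else None


def client_ip_header(payload: bytes) -> Optional[str]:
    """Return the value of a Client-ip: header if one is present in the request."""
    m = CLIENT_IP_RE.search(payload)
    return m.group(1).decode() if m else None


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two captured payloads differ (the 'look at offset 0f0 & 1b0' check).
    Offsets past the end of the shorter payload are reported as differences."""
    n = max(len(a), len(b))
    return [i for i in range(n) if a[i:i + 1] != b[i:i + 1]]


def triage(payload: bytes, tcp_flags: int) -> Dict[str, object]:
    """Collect the indicators the thread uses to tell the variants apart."""
    return {
        "filler": filler_char(payload),
        "client_ip": client_ip_header(payload),
        "psh": bool(tcp_flags & TCP_PSH),
    }


def label(obs: Dict[str, object]) -> str:
    """Map the observed indicators to a variant name using the thread's claims (assumed correct)."""
    if obs["filler"] == "N":
        return "CodeRed v1/v2 (N filler)"
    if obs["filler"] == "X":
        if obs["client_ip"] is None and not obs["psh"]:
            return "CodeRedII (X filler, no Client-ip header, no PSH)"
        return "unknown variant (X filler but Client-ip header and/or PSH present)"
    return "not a CodeRed-style request"


if __name__ == "__main__":
    for name, payload, flags in (("v1", SAMPLE_V1, 0x18), ("II", SAMPLE_II, 0x10), ("new", SAMPLE_NEW, 0x18)):
        obs = triage(payload, flags)
        print(f"{name}: {obs} -> {label(obs)}")
    diffs = differing_offsets(SAMPLE_II, SAMPLE_NEW)
    print("first differing offset between II and new sample: 0x%x" % diffs[0])
```

The offset comparison is the most useful part for an analyst with two captures: feed it the raw application-layer bytes of a known CodeRedII request and the suspect request and it lists exactly where they diverge, which is the check John is asking readers to perform by eye.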




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

