Snort mailing list archives

Re: Where to get " code red worm source" ?


From: Daniel Monjar <dam () orgtek com>
Date: Wed, 29 Aug 2001 15:07:42 -0400

I don't know about other systems but the attachment was deleted by my
mail system.  It triggered Sophos antivirus.

On 08/29 11:50 -0600, Phil Wood wrote:
On Wed, Aug 29, 2001 at 01:44:33PM +0900, ls1100 wrote:

I'd like to test my own Linux firewalls using iptables against the Code-Red worm.

Anybody know where to get the "code red worm source"?

What I do is just run:

  tcpdump -s 1518 -w codeRed -c 100 dst net mynet and dst port 80

In less than a second, I have 5 examples.  Each one has the following
"string" among other things:

GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0

Since 8/13 we have had roughly 25+ million codereds.  Today (last 11 hours and
39 minutes) we have had 878,589.

I just don't see how you could miss getting one for yourself. %^)

I extracted one of the "sessions" in binary which you could pipe to a web
server using nc.

Content-Description: cleaned of virus, delete me
This message has been cleaned of a virus.  Please contact the sender
and advise them to clean their system.

-- 
Daniel Monjar (mailto:dmonjar () orgtek com)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
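A small detector for the request pattern Phil quotes above (the long run of X characters against /default.ida followed by %u escapes), written as an added example for this thread; it is not code from the thread or from Snort. The sample request lines, the shortened X run and the two thresholds are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample request lines: the first mimics the Code Red request
# quoted in the thread (X run shortened), the rest are benign controls.
SAMPLE_REQUESTS = [
    "GET /default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    + "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000"
    + "%u00=a HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /default.ida?id=42 HTTP/1.1",
    "POST /search?q=XXXXXXXX HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

# Thresholds are assumptions for this example, not values from the thread:
# the worm's query pads with a long X run before the %uXXXX escapes.
MIN_X_RUN = 100
MIN_U_ESCAPES = 4


def classify_request(line: str) -> Optional[str]:
    """Return a verdict for one HTTP request line, or None if uninteresting."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith("/default.ida"):
        return None
    # Longest run of 'X' in the query and the number of %uXXXX escapes.
    x_run = max((len(r) for r in re.findall(r"X+", query)), default=0)
    u_escapes = len(re.findall(r"%u[0-9a-fA-F]{4}", query))
    if x_run >= MIN_X_RUN and u_escapes >= MIN_U_ESCAPES:
        return (f"code-red-like: .ida overflow pattern "
                f"(X run={x_run}, %u escapes={u_escapes})")
    return f"suspicious: request for ISAPI .ida handler {path}"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan request lines; return (verdict, line prefix) for each hit."""
    hits = []
    for line in lines:
        verdict = classify_request(line)
        if verdict:
            hits.append((verdict, line[:40]))
    return hits


if __name__ == "__main__":
    for verdict, prefix in scan(SAMPLE_REQUESTS):
        print(f"{verdict}: {prefix}...")
```

The lines fed to scan() can come from the request lines of a capture like the tcpdump one above after reassembly; only the request line itself is inspected.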