Security Incidents mailing list archives

tcpdump traces of CodeRed (lab environment)

From: lcp () bofh sh
Date: Wed, 25 Jul 2001 07:42:14 -0400 (EDT)


Per several requests, I have made these traces available at:

http://www.bofh.sh/CodeRed/index.html

These dumps show what the worm was trying to do when the box was infected
in each of its three stages (infect, DDos & sleep) as well as what happens
when the c:\notworm file existed on the infected server. (i.e. nothing.)

--lcp


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

tcpdump traces of CodeRed (lab environment) lcp (Jul 25)
- Re: tcpdump traces of CodeRed (lab environment) Stuart Staniford (Jul 25)
- Correction: Re: tcpdump traces of CodeRed (lab environment) L. Christopher Paul (Jul 26)
  - Re: Correction: Re: tcpdump traces of CodeRed (lab environment) L. Christopher Paul (Jul 29)