Snort mailing list archives
RE: A new variation of CodeRed???????????
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 16 Aug 2001 15:08:46 -0500 (CDT)
"John Davey" <john () davey net au> wrote in response to me:

>> What you forwarded looks just like what I've been calling CodeRedII.
>
> Nope. It's different. Look at offset 0f0 & 1b0 and you will see some obvious differences in the payload.

Then Ryan Russell <ryan () securityfocus com> wrote:

> CRv1 and CRv2 have portions in them that are variable (self-modifying code, for example.) If you exclude those small address ranges from the sum, it will work. Every copy of CodeRed II is identical.
Which leads me to ask ( I genuinely don't know .... ) how significant the differences John pointed out actually are.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
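The approach Ryan Russell describes in the message above (leave the variable address ranges out of the sum), sketched as an added example that is not part of the original message. The payloads are constructed filler rather than worm code, the offsets 0f0 and 1b0 are borrowed from John Davey's remark only as sample positions, and the function names and the mask are assumptions.

```python
import hashlib

def masked_md5(payload: bytes, excluded: list[tuple[int, int]]) -> str:
    """MD5 of payload with every [start, end) range in `excluded` zeroed."""
    buf = bytearray(payload)
    for start, end in excluded:
        end = min(end, len(buf))          # clamp masks that run past the capture
        if start < end:
            buf[start:end] = bytes(end - start)
    return hashlib.md5(buf).hexdigest()

def differing_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Contiguous [start, end) ranges where two equal-length captures differ."""
    if len(a) != len(b):
        raise ValueError("captures differ in length; align them before comparing")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i                      # a run of differing bytes begins
        elif x == y and start is not None:
            ranges.append((start, i))      # the run ended at the previous byte
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def make_sample(var1: bytes, var2: bytes) -> bytes:
    """Constructed 0x200-byte stand-in for a captured payload (not worm code)."""
    buf = bytearray(i % 251 for i in range(0x200))
    buf[0x0F0:0x0F0 + len(var1)] = var1
    buf[0x1B0:0x1B0 + len(var2)] = var2
    return bytes(buf)

# Two constructed captures that differ only near offsets 0f0 and 1b0.
CAPTURE_A = make_sample(b"\x11\x22\x33\x44", b"\xaa\xbb")
CAPTURE_B = make_sample(b"\x55\x66\x77\x88", b"\xcc\xdd")
# Hypothetical mask: ranges an analyst has already judged to be variable.
VARIABLE = [(0x0F0, 0x0F4), (0x1B0, 0x1B2)]

if __name__ == "__main__":
    diffs = differing_ranges(CAPTURE_A, CAPTURE_B)
    print("differing ranges:", [(hex(s), hex(e)) for s, e in diffs])
    print("plain sums equal: ",
          hashlib.md5(CAPTURE_A).digest() == hashlib.md5(CAPTURE_B).digest())
    print("masked sums equal:",
          masked_md5(CAPTURE_A, VARIABLE) == masked_md5(CAPTURE_B, VARIABLE))
```

If the masked sums still differ, the captures vary somewhere outside the ranges assumed to be variable, and the output of `differing_ranges` shows where to look.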
Current thread:
- A new variation of CodeRed??????????? John Davey (Aug 16)
- <Possible follow-ups>
- Re: A new variation of CodeRed??????????? Neil Dickey (Aug 16)
- RE: A new variation of CodeRed??????????? John Davey (Aug 16)
- MD5 sums for each CodeRed version (was "A new variation of CodeRed???????????") Stephen W. Thompson (Aug 16)
- RE: A new variation of CodeRed??????????? John Davey (Aug 16)
- RE: A new variation of CodeRed??????????? Neil Dickey (Aug 16)