Security Incidents mailing list archives

Re: Code Red packet dumps.


From: "L. Christopher Paul" <cpaul () bofh sh>
Date: Mon, 23 Jul 2001 14:03:38 -0400 (EDT)


Yotam,

At home, I have the output from a lab machine in each of the three phases
when infected. Infect mode, DoS Mode and Sleep Mode; I think I might even
have one with c:\notworm in place.

These are not an "In the wild" dump and only show what the worm wanted to
do, not necessarily what it did for real. (They show the outgoing SYN, but
no responses.)

If that would be of use, I can ship them off this evening.

L. Christopher Paul
Christopher.Paul () DedicatedTech com
lcp () bofh sh
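The lab dumps described above show a Code Red-infected host emitting outbound SYNs that get no replies. The following is an added example, not code from either poster, showing how a responder could sift such a capture for that pattern: it parses constructed tcpdump-style summary lines (the line format and every address are made up for the example) and flags hosts that send many SYNs to port 80 while receiving almost no SYN/ACKs back.

```python
import re
from collections import defaultdict

# Regex for tcpdump-style "-n" summary lines (constructed format for this example;
# real dumps vary in detail and would need a more forgiving parser or a pcap library).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture. 10.0.0.5 sprays SYNs at port 80 on distinct hosts and
# never sees a SYN/ACK, the "outgoing SYN, but no responses" shape of the lab dumps.
# 10.0.0.9 is an ordinary client whose single SYN completes a handshake.
SAMPLE_DUMP = """\
14:03:01.000001 IP 10.0.0.5.1034 > 203.0.113.7.80: Flags [S], seq 1, win 8192, length 0
14:03:01.000002 IP 10.0.0.5.1035 > 203.0.113.8.80: Flags [S], seq 1, win 8192, length 0
14:03:01.000003 IP 10.0.0.5.1036 > 203.0.113.9.80: Flags [S], seq 1, win 8192, length 0
14:03:01.000004 IP 10.0.0.5.1037 > 203.0.113.10.80: Flags [S], seq 1, win 8192, length 0
14:03:01.000005 IP 10.0.0.5.1038 > 203.0.113.11.80: Flags [S], seq 1, win 8192, length 0
14:03:01.000006 IP 10.0.0.5.1039 > 203.0.113.12.80: Flags [S], seq 1, win 8192, length 0
14:03:01.000009 IP 10.0.0.9.2001 > 198.51.100.20.80: Flags [S], seq 5, win 8192, length 0
14:03:01.000010 IP 198.51.100.20.80 > 10.0.0.9.2001: Flags [S.], seq 9, ack 6, win 8192, length 0
14:03:01.000011 IP 10.0.0.9.2001 > 198.51.100.20.80: Flags [.], ack 10, win 8192, length 0
"""


def parse_lines(text):
    """Yield one dict per parseable summary line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def syn_stats(text, port=80):
    """Per source host: outbound SYNs to `port`, distinct targets, and SYN/ACKs received."""
    stats = defaultdict(lambda: {"syn_out": 0, "synack_in": 0, "targets": set()})
    for p in parse_lines(text):
        if p["flags"] == "S" and p["dport"] == str(port):
            stats[p["src"]]["syn_out"] += 1
            stats[p["src"]]["targets"].add(p["dst"])
        elif p["flags"] == "S." and p["sport"] == str(port):
            # A SYN/ACK from the service port is credited to the host that is being answered.
            stats[p["dst"]]["synack_in"] += 1
    return stats


def suspect_scanners(text, port=80, min_syns=5, max_reply_ratio=0.1):
    """Return (host, syns_sent, distinct_targets, synacks_received) for hosts that
    send at least `min_syns` SYNs and get replies to no more than `max_reply_ratio` of them.
    Thresholds are illustrative; tune them to the capture's duration and the network's baseline."""
    flagged = []
    for host, s in syn_stats(text, port).items():
        if s["syn_out"] < min_syns:
            continue
        if s["synack_in"] / s["syn_out"] <= max_reply_ratio:
            flagged.append((host, s["syn_out"], len(s["targets"]), s["synack_in"]))
    return sorted(flagged)


if __name__ == "__main__":
    for host, syns, targets, replies in suspect_scanners(SAMPLE_DUMP):
        print(f"{host}: {syns} SYNs to {targets} hosts on tcp/80, {replies} SYN/ACKs back")
```

On the sample, only 10.0.0.5 is reported (6 SYNs, 6 targets, 0 replies); the handshake from 10.0.0.9 is ignored because it is both answered and below the SYN threshold. Counting distinct targets alongside raw SYNs helps separate a propagating worm from a legitimate client retrying one unreachable server.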


On Mon, 23 Jul 2001, Yotam Rubin wrote:

Hi,

      Does anyone here have extensive packet dumps of the behavior of 
a host after it has been infected with the Code Red worm? A day's worth
of packets of an infected host would be great, but I welcome anything.

      Regards, Yotam Rubin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



