Security Incidents mailing list archives
Re: tcpdump traces of CodeRed (lab environment)
From: Stuart Staniford <stuart () silicondefense com>
Date: Wed, 25 Jul 2001 10:28:43 -0700
Thanks for making these available. Can you confirm whether this was version 1 or 2 of Code Red?

Stuart.

lcp () bofh sh wrote:

Per several requests, I have made these traces available at:

http://www.bofh.sh/CodeRed/index.html

These dumps show what the worm was trying to do when the box was infected in each of its three stages (infect, DDoS & sleep) as well as what happens when the c:\notworm file existed on the infected server. (i.e. nothing.)

--lcp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com http://www.silicondefense.com/
(707) 445-4355 x 16 (707) 445-4222 (FAX)

Current thread:
- tcpdump traces of CodeRed (lab environment) lcp (Jul 25)
- Re: tcpdump traces of CodeRed (lab environment) Stuart Staniford (Jul 25)
- Correction: Re: tcpdump traces of CodeRed (lab environment) L. Christopher Paul (Jul 26)
- Re: Correction: Re: tcpdump traces of CodeRed (lab environment) L. Christopher Paul (Jul 29)