Security Incidents mailing list archives
Re: Correction: Re: tcpdump traces of CodeRed (lab environment)
From: "L. Christopher Paul" <lcp () bofh sh>
Date: Fri, 27 Jul 2001 08:43:20 -0400 (EDT)
It appears that I was mistaken when I said earlier that I was wrong... Poor testing methodology led me to the quoted conclusion and incorrect results.

Most of you will have seen the CERT advisory by now indicating that the worm wakes back up on the 1st. Yup. Sure does. Seems the first time I ran it I had c:\notworm in place. Basically ended up using a dirty petri dish and got bad results.

Sometime tonight I hope to have the wakeup trace up at http://www.bofh.sh/CodeRed along with the others.

Sorry ... if anyone needs me I'll be the one standing in the corner,

--lcp

On Thu, 26 Jul 2001, L. Christopher Paul wrote:
> On the web site I indicated that the worm would wake up on the 1st and go back to work. After further testing and letting it roll-over and run for over 12 hours, it appears that I was incorrect and that once dormant, Code Red stays that way. (Which appears to be good news.)
>
> Kudos to Chris Rouland <CRouland () iss net> and Jon Larimer <JLarimer () iss net> for catching that. Thanks guys.
>
> Sorry for the confusion.
>
> --lcp