Snort mailing list archives
MD5 sums for each CodeRed version (was "A new variation of CodeRed???????????")
From: "Stephen W. Thompson" <thompson () pobox upenn edu>
Date: Thu, 16 Aug 2001 13:15:03 -0400 (EDT)
Let's be a little more specific. Since the names of the various Code Reds have gotten confused, how about using MD5 checksums? I looked a bit, expecting people to naturally share MD5's for each variant, but I've only seen one so far, in a post by corecode (corecode () corecode ath cx) in the Incidents list at securityfocus.com. Lacking such a list, it's easy for us to confuse each other even more. Look at these selections from a recent posting to snort-users, taken out of context:
> What you forwarded looks just like what I've been calling CodeRedII. It's the one with the backdoor.

> Nope. It's different. Look at offset 0f0 & 1b0 and you will see some obvious differences in the payload.

> There are many other differences if you look closely.
Rather than that, we might just say, for example, "in looking at Code Red md5=5edc2375e7aca69f8c1a8d77c4ffff18 I noticed ...". Please point me to other, perhaps more complete lists such as this one.

"Ma" stands for which of my two machines I collected it on. These were collected merely with

    nc -v -v -l -p 80 >catch80.`date "+%s"`

on a Linux box. In those cases where I use the convention, the filename has the time value (in the usual Un*x convention) when the process started, and the timestamp is when I killed the process. The actual connection is presumably between those two times. This is local time, EDT ( -0400 ).

En paz,
Steve, security analyst

Code Red I, based on reported size WITHOUT headers:

                                                             Timestamp
    Ma MD5                              Filename          Size when I killed nc
    -----------------------------------------------------------------------------
    AP 2e5e171cdc8bdf35cbd8b4b9376ce740 catch80.s         4039 12 Aug 02:06 -0400
    PR 184a9d098041d390a0a4044c0581147b port80.997732416  4039 13 Aug 16:07 -0400
    PR 3f9ee5e3edaea47ecbef302b125fe562 port80.997809456  4039 14 Aug 13:24 -0400

Code Red II, based on reported size WITHOUT headers:

                                                             Timestamp
    Ma MD5                              Filename          Size when nc started
    -----------------------------------------------------------------------------
    AP 5edc2375e7aca69f8c1a8d77c4ffff18 catch80.997460492 3818 10 Aug 13:38 -0400

    $ cmp -l port80.997732416 port80.997809456
    3285 320  54
    3286 362  67
    3287  32  50
    3289 365 204
    3290  30  62
    3291 373   3
    3292 164 165
    3293 363 323
    3294 102  31
    3295 103 102
    3297   0 126
    3298   0  64
    3299   0  22
    3300   0 270
    3333  12 352
    3334  67  15
    3335 103 102

    $ cmp -l port80.997732416 catch80.s
    3285 320  54
    3286 362  67
    3287  32  50
    3289 365 204
    3290  30  62
    3291 373   3
    3292 164 165
    3293 363 223
    3294 102   7
    3295 103 102
    3298   0   1
    3333  12 362
    3334  67  41
    3335 103 323

    $ cmp -l catch80.s port80.997809456
    3293 223 323
    3294   7  31
    3297   0 126
    3298   1  64
    3299   0  22
    3300   0 270
    3333 362 352
    3334  41  15
    3335 323 102

-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson () isc upenn edu  URL=http://pobox.upenn.edu/~thompson/index.html
For security matters, use security () isc upenn edu, read by InfoSec staff
The only safe choice: Write e-mail as if it's public.  Cuz it could be.
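The capture-and-compare workflow the post describes (nc writing each connection to a file, an MD5 per capture, a size "WITHOUT headers", and cmp -l to locate differing bytes) only identifies variants reliably if everyone hashes the same bytes. The script below is an added example, not part of Stephen Thompson's post: it splits each captured request at the blank line that ends the HTTP headers, reports the MD5 and size of the body alone (so that differing Host headers or request lines do not produce different sums for the same worm body), and counts the byte offsets at which two captures differ. The three sample captures are constructed inline and are not real Code Red payloads; the script assumes POSIX sh plus awk, tail, cmp, wc and either md5sum or openssl.

```shell
#!/bin/sh
# Added example, not from the original post: normalise nc captures so that
# MD5 sums are taken over the same thing (the body after the HTTP headers)
# on every machine.  Capture as the post does:
#     nc -v -v -l -p 80 >catch80.`date "+%s"`
# Assumes: POSIX sh, awk, tail, cmp, wc, and md5sum or openssl.
set -eu

# Hex MD5 of stdin (md5sum if present, otherwise openssl).
md5_stdin() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# Line number of the blank line (CRLF or LF) that terminates the headers.
# awk exits at that line, so the binary body after it is never parsed.
header_end_line() {
    awk '{ sub(/\r$/, "") } $0 == "" { print NR; exit }' "$1"
}

# Everything after the header terminator, byte for byte, on stdout.
body_of() {
    n=$(header_end_line "$1")
    if [ -z "$n" ]; then
        echo "$1: no end-of-headers line found" >&2
        return 1
    fi
    tail -n +"$((n + 1))" "$1"
}

whole_md5() { md5_stdin < "$1"; }
body_md5()  { body_of "$1" | md5_stdin; }
body_size() { body_of "$1" | wc -c | tr -d ' '; }

# Number of byte offsets at which two captures differ (one cmp -l line each).
diff_count() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# One table row in the spirit of the post: body MD5, body size, filename.
report() {
    printf '%s %5s %s\n' "$(body_md5 "$1")" "$(body_size "$1")" "$1"
}

# --- constructed sample captures (hypothetical, not real Code Red data) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SAMPLE_A="$WORK/catch80.a"
SAMPLE_B="$WORK/catch80.b"   # same body as A, different Host header
SAMPLE_C="$WORK/catch80.c"   # same headers as A, one byte changed in the body

printf 'GET /default.ida?XXXX HTTP/1.0\r\nHost: ma\r\nContent-length: 12\r\n\r\nBODY-VARIANT' > "$SAMPLE_A"
printf 'GET /default.ida?XXXX HTTP/1.0\r\nHost: pr\r\nContent-length: 12\r\n\r\nBODY-VARIANT' > "$SAMPLE_B"
printf 'GET /default.ida?XXXX HTTP/1.0\r\nHost: ma\r\nContent-length: 12\r\n\r\nBODY-VARIAN2' > "$SAMPLE_C"

for f in "$SAMPLE_A" "$SAMPLE_B" "$SAMPLE_C"; do report "$f"; done
echo "whole-file MD5 of A and B differ only because of the headers:"
echo "  $(whole_md5 "$SAMPLE_A")  $(whole_md5 "$SAMPLE_B")"
echo "bytes differing between A and C: $(diff_count "$SAMPLE_A" "$SAMPLE_C")"
cmp -l "$SAMPLE_A" "$SAMPLE_C" || true
```

Run against real captures as `body_md5 catch80.997460492` after sourcing the script; A and B get the same body MD5 and a different whole-file MD5, which is exactly the confusion that hashing raw nc output between two machines can introduce. cmp -l reports offsets into the whole file, as in the post, so subtract the header length if you want offsets into the body.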
Current thread:
- A new variation of CodeRed??????????? John Davey (Aug 16)
- <Possible follow-ups>
- Re: A new variation of CodeRed??????????? Neil Dickey (Aug 16)
- RE: A new variation of CodeRed??????????? John Davey (Aug 16)
- MD5 sums for each CodeRed version (was "A new variation of CodeRed???????????") Stephen W. Thompson (Aug 16)
- RE: A new variation of CodeRed??????????? John Davey (Aug 16)
- RE: A new variation of CodeRed??????????? Neil Dickey (Aug 16)