Snort mailing list archives

MD5 sums for each CodeRed version (was "A new variation of CodeRed???????????")


From: "Stephen W. Thompson" <thompson () pobox upenn edu>
Date: Thu, 16 Aug 2001 13:15:03 -0400 (EDT)

Let's be a little more specific.

Since the names of the various Code Reds have gotten confused, how
about using MD5 checksums?  I looked a bit, expecting people to
naturally share MD5's for each variant, but I've only seen one so far,
in a post by corecode (corecode () corecode ath cx) in the Incidents list
at securityfocus.com.

Lacking such a list, it's easy for us to confuse each other even more.
Look at these selections from a recent posting to snort-users, taken
out of context:

What you forwarded looks just like what I've been
calling CodeRedII.  It's the one with the backdoor.

Nope. It's different. 
Look at offset 0f0 & 1b0 and you will see some obvious
differences in the payload.

There are many other differences if you look closely.

Rather than that, we might just say, for example, "in
looking at Code Red md5=5edc2375e7aca69f8c1a8d77c4ffff18
I noticed ...".

Please point me to other, perhaps more complete lists such as this one.
"Ma" stands for which of my two machines I collected it on.  These 
were collected merely with

   nc -v -v -l -p 80 >catch80.`date "+%s"`

on a Linux box.  In those cases where I use the convention, the
filename has the time value (in the usual Un*x convention) when
the process started, and the timestamp is when I killed the
process.  The actual connection is presumably between those two
times.  This is local time, EDT ( -0400 ).

En paz,
Steve, security analyst


Code Red I, based on reported size WITHOUT headers:

                                                             Timestamp
Ma         MD5                      Filename          Size  when I killed nc
-----------------------------------------------------------------------------
AP 2e5e171cdc8bdf35cbd8b4b9376ce740 catch80.s         4039 12 Aug 02:06 -0400
PR 184a9d098041d390a0a4044c0581147b port80.997732416  4039 13 Aug 16:07 -0400
PR 3f9ee5e3edaea47ecbef302b125fe562 port80.997809456  4039 14 Aug 13:24 -0400

Code Red II, based on reported size WITHOUT headers:

                                                             Timestamp
Ma         MD5                      Filename          Size  when nc started
-----------------------------------------------------------------------------
AP 5edc2375e7aca69f8c1a8d77c4ffff18 catch80.997460492 3818 10 Aug 13:38 -0400


$ cmp -l port80.997732416 port80.997809456 
  3285 320  54
  3286 362  67
  3287  32  50
  3289 365 204
  3290  30  62
  3291 373   3
  3292 164 165
  3293 363 323
  3294 102  31
  3295 103 102
  3297   0 126
  3298   0  64
  3299   0  22
  3300   0 270
  3333  12 352
  3334  67  15
  3335 103 102


$ cmp -l port80.997732416 catch80.s        
  3285 320  54
  3286 362  67
  3287  32  50
  3289 365 204
  3290  30  62
  3291 373   3
  3292 164 165
  3293 363 223
  3294 102   7
  3295 103 102
  3298   0   1
  3333  12 362
  3334  67  41
  3335 103 323

$ cmp -l catch80.s port80.997809456 
  3293 223 323
  3294   7  31
  3297   0 126
  3298   1  64
  3299   0  22
  3300   0 270
  3333 362 352
  3334  41  15
  3335 323 102

-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson () isc upenn edu    URL=http://pobox.upenn.edu/~thompson/index.html
  For security matters, use security () isc upenn edu, read by InfoSec staff
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.
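As an added example, not part of the post above, the following Python script does mechanically what the post does by hand: it strips the HTTP request headers from each nc capture, records the MD5 and size of the body alone (the "size WITHOUT headers" used in the tables), groups captures by that fingerprint, and lists differing byte offsets in the format of cmp -l. The capture contents and filenames are constructed samples, not worm traffic.

```python
import hashlib

# Constructed stand-ins for files written by `nc -l -p 80 > catch80.<epoch>`:
# an HTTP request line, headers, a blank line, then the request body.
# Only the Host header and one body byte vary between them.
SAMPLES = {
    "catch80.1": b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n" + b"A" * 20 + b"\x00\x00" + b"Z" * 8,
    "catch80.2": b"GET /index.html HTTP/1.0\r\nHost: b\r\n\r\n" + b"A" * 20 + b"\x01\x00" + b"Z" * 8,
    "catch80.3": b"GET /index.html HTTP/1.0\r\nHost: c\r\n\r\n" + b"A" * 20 + b"\x00\x00" + b"Z" * 8,
}


def split_capture(data):
    """Return (headers, body). Headers end at the first blank line; a capture
    with no blank line is treated as all body."""
    sep = data.find(b"\r\n\r\n")
    if sep < 0:
        return b"", data
    return data[:sep + 4], data[sep + 4:]


def fingerprint(data):
    """MD5 hex digest and length of the body only, so captures of the same
    payload match even when the request headers differ."""
    _, body = split_capture(data)
    return hashlib.md5(body).hexdigest(), len(body)


def catalog(captures):
    """Group capture names by (body MD5, body size), the key the post proposes
    for naming variants instead of ambiguous names like 'CodeRedII'."""
    groups = {}
    for name, data in captures.items():
        groups.setdefault(fingerprint(data), []).append(name)
    return groups


def cmp_l(a, b):
    """Differing bytes as (1-based offset, byte in a, byte in b), the same
    information `cmp -l` prints; bytes past the shorter input are not listed."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b), start=1) if x != y]


def format_cmp_l(diffs):
    """Render cmp_l() output the way `cmp -l` does: offset, then both bytes in octal."""
    return "\n".join(f"{off:6d} {x:3o} {y:3o}" for off, x, y in diffs)


if __name__ == "__main__":
    for (digest, size), names in catalog(SAMPLES).items():
        print(digest, size, " ".join(names))
    print(format_cmp_l(cmp_l(SAMPLES["catch80.1"], SAMPLES["catch80.2"])))
```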
