From: corecode (corecodecorecode.ath.cx)
Date: Wed Aug 01 2001 - 21:04:51 CDT

    i have written a codered catcher, that logs the accesses pretty well i think...
    i know it's a little too late as the storm is over but somebody might want this

    it accepts on port 80 and logs the whole traffic to a separate file
    if multiple equal (ie. same bytes) requests occur only the first is saved,
    the remaining connections are just logged (to reduce redundancy).

    as the worm contains self-modifying code i need to improve this a bit so
    that these parts of the worm don't count.

    have a look at http://www.eikon.tum.de/~simons/coderedcatch.c (will be
    updated now and then)

    cheerz
       corecode


    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
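
The save-once, log-every-time behaviour described in the message above, as an added example (this is not corecode's coderedcatch.c, and not code from the list). It identifies identical requests by SHA-256 digest rather than by direct byte comparison, and the class and function names, the `access.log` and `.bin` file names, and port 8080 (chosen so it runs unprivileged) are all assumptions.

```python
import hashlib
import socket
import time
from pathlib import Path


class RequestCatcher:
    """Save the first copy of each distinct request; only log the repeats."""

    def __init__(self, out_dir):
        self.out_dir = Path(out_dir)
        self.out_dir.mkdir(parents=True, exist_ok=True)
        self.log_path = self.out_dir / "access.log"  # hypothetical file name

    def record(self, peer_ip, data):
        """Return (digest, is_new) and append one line to the access log."""
        digest = hashlib.sha256(data).hexdigest()
        dump = self.out_dir / (digest + ".bin")
        is_new = not dump.exists()
        if is_new:
            dump.write_bytes(data)  # stored as inert bytes, never parsed or run
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        with self.log_path.open("a") as log:
            log.write(f"{stamp} {peer_ip} {len(data)} {digest} "
                      f"{'saved' if is_new else 'duplicate'}\n")
        return digest, is_new


def serve(catcher, host="0.0.0.0", port=8080, max_bytes=65536, timeout=5.0):
    """Accept connections, read one request each, record it, send no reply."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, (peer_ip, _) = srv.accept()
            with conn:
                conn.settimeout(timeout)
                data = b""
                try:
                    while len(data) < max_bytes:  # cap what one client can store
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        data += chunk
                except OSError:
                    pass  # timeout or reset: keep whatever arrived
                catcher.record(peer_ip, data[:max_bytes])


if __name__ == "__main__":
    serve(RequestCatcher("caught"))  # "caught" is an assumed output directory
```

Because the digest covers every byte, requests that differ only in a few changing bytes are stored as separate samples, which is the limitation the message mentions for the self-modifying parts.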