Full Disclosure mailing list archives

Re: Re: Re: DoomJuice.A, Mydoom.A source code
From: "Filipe A." <incognito () patria ath cx>
Date: Wed, 11 Feb 2004 04:40:11 +0000 (WET)


On Tue, 10 Feb 2004, Riad S. Wahby wrote:

> > As for the code, have you tried catching the bug with a honeypot? I
> > heard of people using netcat listening on port 3127 to catch the bug...
>
> To be honest, I didn't expect this to work, but before I left my
> office last night I decided I may as well try it.  To my great
> surprise, I came in this morning and found that I had "caught one"
> within minutes of opening the port.  Quite im(de?)pressive.


I've done that and after 12 hours I had about 27 files. 8 of them
were unique both in size and content. I've identified the one that drops
the .tbz with source code but that leaves me with another 7 different
files. Question is, how many things are out there piggybacking on
mydoom's backdoor? And now that the source code is public, many more
will emerge in the next few days...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
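
A capture listener of the kind discussed in this thread (netcat on port 3127), as an added example that is not part of the original post: it stores whatever a peer sends, never executes it, and names each file by its SHA-256 so repeated uploads collapse into one sample, which is how a tally like "27 files, 8 unique" can be produced. The size cap, idle timeout, `captures` directory and all function names are assumptions.

```python
import hashlib
import socket
from pathlib import Path

BACKDOOR_PORT = 3127                 # port named in the thread
MAX_SAMPLE_BYTES = 5 * 1024 * 1024   # assumed cap so one peer cannot fill the disk
IDLE_TIMEOUT = 10.0                  # assumed seconds of silence before giving up

def store_sample(data: bytes, outdir: Path) -> tuple[str, bool]:
    """Write data to outdir/<sha256>.bin; return (digest, True on first sighting)."""
    digest = hashlib.sha256(data).hexdigest()
    path = outdir / f"{digest}.bin"
    if path.exists():
        return digest, False
    outdir.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(0o400)                # read-only, never executable
    return digest, True

def receive_upload(conn: socket.socket) -> bytes:
    """Read until the peer closes, goes idle, or reaches the size cap."""
    conn.settimeout(IDLE_TIMEOUT)
    chunks, total = [], 0
    try:
        while total < MAX_SAMPLE_BYTES:
            chunk = conn.recv(min(65536, MAX_SAMPLE_BYTES - total))
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    except (socket.timeout, ConnectionError):
        pass                         # keep whatever arrived before the stall or reset
    return b"".join(chunks)

def capture(listener: socket.socket, outdir: Path, max_conns: int) -> dict[str, int]:
    """Accept max_conns connections one at a time; return {sha256: times seen}."""
    seen: dict[str, int] = {}
    for _ in range(max_conns):
        conn, peer = listener.accept()
        with conn:
            data = receive_upload(conn)
        if data:
            digest, is_new = store_sample(data, outdir)
            seen[digest] = seen.get(digest, 0) + 1
            print(f"{peer[0]} {len(data)} bytes {digest[:16]} {'new' if is_new else 'dup'}")
    return seen

if __name__ == "__main__":
    capture(socket.create_server(("0.0.0.0", BACKDOOR_PORT)), Path("captures"), 1000)
```

Run it on an isolated host and analyse the stored files offline; the returned dictionary gives the number of distinct samples and how often each one arrived.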

