[Dshield] CodeRed backdoor ports

Johannes B. Ullrich jullrich at euclidian.com
Fri Aug 10 14:29:23 GMT 2001

> Does anyone know what ports the backdoors that the newer CodeRed's are
> leaving listen on?

The back door uses IIS. So it will not listen on its own port. The
backdoor is implemented by copying 'cmd.exe' into the script directory, so
you can send commands to cmd.exe using regular web requests like

(there may be a few more slashes required)

jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

More information about the list mailing list