RE: Secure.dcom.exe
From: Schmehl, Paul L (pauls@utdallas.edu)
Date: Wed Aug 06 2003 - 18:29:14 CDT
Ethereal
http://www.ethereal.com/
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
> -----Original Message-----
> From: Lee Evans [mailto:lee@leeevans.org]
> Sent: Wednesday, August 06, 2003 5:50 AM
> To: incidents@securityfocus.com
> Subject: Secure.dcom.exe
>
>
> Hi All,
>
> I have found an executable called secure.dcom.exe when
> looking around a customer's server. They hadn't patched the
> server above SP4 and I assume it has been exploited using the
> RPC DCOM vulnerability. A Serv-U FTP server has been
> installed, but I'm still looking into it to see if I can spot
> anything else. Netstat shows a bunch of outgoing connections
> to 6667 - irc.homelien.no. Unfortunately there are no IDS or
> other systems on this network segment I can use, so I'm
> looking for some way to capture this traffic and hopefully
> track down some more details on the IRC traffic - if anyone
> can recommend a good (preferably free) traffic sniffer I can
> quickly install on the host locally (Win2k SP4) to decode the
> IRC traffic I would be grateful.
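The decoding step the original poster asks about, as an added example that is not part of this thread: once Ethereal (or any sniffer) has captured the session, the TCP payload on port 6667 is plain RFC 1459 text, and a few lines of Python can pull out the server, the bot's nick, the channels it joined and the commands it was given. The capture below is constructed for illustration; the nick, channel, operator name, server name and the dot-commands in it are assumptions, not anything observed on the compromised host.

```python
"""Minimal IRC line decoder for triaging a captured bot session.

Added example, not from the original post.  SAMPLE_CAPTURE is constructed:
the names and commands in it are assumptions, not data from the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]          # "nick!user@host" or server name, None on client lines
    command: str                   # verb such as PRIVMSG, or a 3-digit numeric reply
    params: List[str] = field(default_factory=list)
    raw: str = ""


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one line per RFC 1459: [':' prefix SP] command params [SP ':' trailing]."""
    raw = line.rstrip("\r\n")
    rest, prefix, trailing = raw, None, None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    # The trailing parameter may contain spaces; it starts at the first " :".
    if " :" in rest:
        rest, _, trailing = rest.partition(" :")
    parts = rest.split()
    if not parts:
        raise ValueError("empty IRC line: %r" % raw)
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, command, params, raw)


def summarize_session(lines):
    """Extract what an incident handler wants from a client<->server IRC capture.

    Heuristic: lines with no prefix were sent by the client (the bot); lines
    with a prefix came from the server or from another user via the server.
    """
    summary = {"server": None, "nick": None, "channels": set(),
               "topic": None, "commands_received": [], "reports_sent": []}
    for line in lines:
        msg = parse_irc_line(line)
        if msg.prefix is None:
            if msg.command == "NICK":
                summary["nick"] = msg.params[0]
            elif msg.command == "JOIN":
                summary["channels"].update(msg.params[0].split(","))
            elif msg.command == "PRIVMSG":
                summary["reports_sent"].append((msg.params[0], msg.params[-1]))
        else:
            if msg.command == "001":                   # RPL_WELCOME names the real server
                summary["server"] = msg.prefix
            elif msg.command == "332":                 # RPL_TOPIC: bots often take orders from it
                summary["topic"] = (msg.params[1], msg.params[2])
            elif msg.command == "PRIVMSG":
                sender = msg.prefix.split("!")[0]
                summary["commands_received"].append((sender, msg.params[0], msg.params[-1]))
    return summary


# Constructed sample capture (client and server lines interleaved in wire order).
SAMPLE_CAPTURE = [
    "NICK [00|USA|12345]",
    "USER abc 0 0 :abc",
    ":irc.example.net 001 [00|USA|12345] :Welcome to the network",
    "JOIN #warez",
    ":[00|USA|12345]!abc@10.0.0.5 JOIN :#warez",
    ":irc.example.net 332 [00|USA|12345] #warez :.scan.start dcom 100 3 0 -r -s",
    ":opnick!op@10.0.0.9 PRIVMSG #warez :.ftp.open 21",
    ":opnick!op@10.0.0.9 PRIVMSG [00|USA|12345] :.sysinfo",
    "PRIVMSG #warez :[FTP]: Server listening on port 21",
]


if __name__ == "__main__":
    for key, value in summarize_session(SAMPLE_CAPTURE).items():
        print("%-18s %s" % (key + ":", value))
```

To feed it a real capture, export the reassembled TCP stream from the sniffer as text and pass its lines to summarize_session; the client/server heuristic holds because a client never sends a prefix in normal operation.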