Re: Secure.dcom.exe

From: Javier Liendo (javierliendo.net)
Date: Wed Aug 06 2003 - 18:59:08 CDT


hello

For a great sniffer I would recommend
Ethereal... take a look at http://www.ethereal.com/ ...
but first you'll have to install WinPcap; take a look
at http://winpcap.polito.it/

hope this helps

saludos

javier

--- Lee Evans <leeleeevans.org> wrote:
> Hi All,
>
> I have found an executable called secure.dcom.exe when looking around a
> customer's server. They hadn't patched the server above SP4 and I assume it
> has been exploited using the RPC DCOM vulnerability. A Serv-U FTP server has
> been installed, but I'm still looking into it to see if I can spot anything
> else. Netstat shows a bunch of outgoing connections to 6667 -
> irc.homelien.no. Unfortunately there are no IDS or other systems on this
> network segment I can use, so I'm looking for some way to capture this traffic
> and hopefully track down some more details on the IRC traffic - if anyone
> can recommend a good (preferably free) traffic sniffer I can quickly install
> on the host locally (Win2k SP4) to decode the IRC traffic I would be
> grateful.
>
> The exe is available from http://www.leeevans.org/secure.dcom.exe - if
> anyone wants a look. I'd be interested to know more about it, if anyone has
> come across it before or can find out.
>
> Regards
> Lee
> --
> Lee Evans
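Lee's question is how to decode the IRC traffic once it has been captured from the compromised host. The following is an added example, not part of the original thread and not from either poster: a small Python parser for RFC 1459-style IRC lines (the text Ethereal's "Follow TCP Stream" would show for a port 6667 session), run over a constructed sample session, that pulls out what an incident responder would want to record: the nick the host registered, the channels (and channel keys) it joined, the server names seen in message prefixes, and the messages exchanged. The sample stream, the server hostname, the nick and the channel name are all constructed for illustration.

```python
"""Decode IRC protocol lines recovered from a captured TCP stream.

Added example for the thread above, not code from the original posts.
Assumes the payload is plain IRC text as described in RFC 1459: one
message per CRLF-terminated line, optional ':prefix', a command, then
parameters where a trailing parameter after ' :' may contain spaces.
"""
import re
from collections import Counter

# Constructed sample session (client and server lines interleaved), such as
# "Follow TCP Stream" on a port 6667 connection might show. Not real traffic;
# the server name, nick and channel are placeholders.
SAMPLE_STREAM = b"\r\n".join([
    b"NICK [ex]-12345",
    b"USER ex 0 * :ex",
    b":irc.example.invalid 001 [ex]-12345 :Welcome",
    b"JOIN #example-chan key123",
    b":[ex]-12345!ex@10.0.0.5 JOIN :#example-chan",
    b":operator!op@10.0.0.9 PRIVMSG #example-chan :.status",
    b"PRIVMSG #example-chan :status ok",
    b"PING :irc.example.invalid",
    b"PONG :irc.example.invalid",
]) + b"\r\n"

# <prefix> is optional and introduced by ':'; <command> is a word or a
# three-digit numeric reply; everything after the first space is parameters.
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$')


def parse_irc_line(line):
    """Split one IRC message into (prefix, COMMAND, [params]); None if malformed."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    prefix = m.group('prefix')
    command = m.group('command').upper()
    rest = m.group('params') or ''
    if not rest:
        params = []
    elif rest.startswith(':'):
        # The whole parameter string is a single trailing parameter.
        params = [rest[1:]]
    else:
        middle, sep, trailing = rest.partition(' :')
        params = middle.split()
        if sep:
            params.append(trailing)
    return prefix, command, params


def summarize_session(stream_bytes):
    """Return the indicators a responder wants from a captured IRC session.

    Lines without a prefix were sent by the local (compromised) host; lines
    with a prefix came from the server or other users. Server names are
    recognised as prefixes without a '!' (user prefixes are nick!user@host).
    """
    summary = {
        'nick': None,        # nick the host registered with NICK
        'channels': {},      # channel -> key (or None) from the host's JOINs
        'servers': set(),    # server names seen as message prefixes
        'commands': Counter(),
        'messages': [],      # (sender, target, text) for every PRIVMSG
    }
    for raw in stream_bytes.decode('latin-1').splitlines():
        if not raw:
            continue
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        prefix, command, params = parsed
        summary['commands'][command] += 1
        if command == 'NICK' and prefix is None and params:
            summary['nick'] = params[0]
        elif command == 'JOIN' and prefix is None and params:
            summary['channels'][params[0]] = params[1] if len(params) > 1 else None
        elif command == 'PRIVMSG' and len(params) >= 2:
            summary['messages'].append((prefix or summary['nick'], params[0], params[-1]))
        if prefix and '!' not in prefix and '.' in prefix:
            summary['servers'].add(prefix)
    return summary


if __name__ == '__main__':
    s = summarize_session(SAMPLE_STREAM)
    print('nick:', s['nick'])
    print('channels joined:', s['channels'])
    print('servers seen:', sorted(s['servers']))
    for sender, target, text in s['messages']:
        print(f'{sender} -> {target}: {text}')
```

To use it on a real capture, save the reassembled stream from Ethereal as raw bytes and pass the file contents to `summarize_session`; the channel names, keys and server names it reports are the details worth keeping from the IRC side of the incident, alongside the binary itself.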