Hi All, I have found an executable called secure.dcom.exe when looking around a customers server. They hadnt patched the server above SP4 and I assume it has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has been installed, but im still looking into it to see if I can spot anything else. Netstat shows a bunch of outgoing connections to 6667 - irc.homelien.no. Unfortunately there are no IDS or other systems on this network segment I can use, so im looking for someway to capture this traffic and hopefully track down some more details on the irc traffic - if anyone can recommend a good (preferably free) traffic sniffer I can quickly install on the host locally (win2k sp4) to decode the IRC traffic I would be grateful. The exe is available from http://www.leeevans.org/secure.dcom.exe - if anyone wants a look. I'd be interested to know more about it, if anyone has come across it before or can find out. Regards Lee -- Lee Evans --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 16:21:27 PDT