Ethereal http://www.ethereal.com/

Paul Schmehl (paulsat_private)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: Lee Evans [mailto:leeat_private]
> Sent: Wednesday, August 06, 2003 5:50 AM
> To: incidentsat_private
> Subject: Secure.dcom.exe
>
> Hi All,
>
> I have found an executable called secure.dcom.exe when looking around a
> customer's server. They hadn't patched the server above SP4 and I assume
> it has been exploited using the RPC DCOM vulnerability. A serv-u ftp
> server has been installed, but I'm still looking into it to see if I can
> spot anything else. Netstat shows a bunch of outgoing connections to
> 6667 - irc.homelien.no. Unfortunately there are no IDS or other systems
> on this network segment I can use, so I'm looking for some way to
> capture this traffic and hopefully track down some more details on the
> IRC traffic - if anyone can recommend a good (preferably free) traffic
> sniffer I can quickly install on the host locally (win2k sp4) to decode
> the IRC traffic I would be grateful.
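As an added triage example (not part of the thread above, and not Ethereal's code), the script below does two things a responder wants before reaching for a sniffer: it pulls ESTABLISHED sessions to the IRC port out of `netstat -an` output, and it splits captured IRC lines into prefix, command and parameters in the RFC 1459 wire format so JOIN/NICK/PRIVMSG activity can be logged. The netstat text, the IRC lines and the addresses are constructed samples, not data from the incident.

```python
# Constructed sample of `netstat -an` output from a Windows host (not real capture data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1046        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1050        203.0.113.9:80         ESTABLISHED
"""

# Constructed sample of IRC lines as a sniffer would show them (RFC 1459 wire format).
SAMPLE_IRC = [
    "NICK [XP]-12345",
    "JOIN #chan somekey",
    ":op!x@y PRIVMSG #chan :hello there",
    "PING :irc.example.test",
]

IRC_PORTS = {6667}  # standard IRC port; add others if the host shows them

def suspicious_connections(netstat_text, ports=IRC_PORTS):
    """Return (local, foreign) pairs for ESTABLISHED TCP sessions to the given remote ports."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            _host, _, port = parts[2].rpartition(":")
            if port.isdigit() and int(port) in ports:
                hits.append((parts[1], parts[2]))
    return hits

def parse_irc(line):
    """Split one IRC message into (prefix, command, params); trailing ':text' becomes the last param."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    command = params.pop(0).upper()
    if sep:
        params.append(trailing)
    return prefix, command, params

def summarize(netstat_text, irc_lines):
    """One-line findings a responder can paste into an incident note."""
    notes = [f"outbound IRC session {l} -> {f}" for l, f in suspicious_connections(netstat_text)]
    for raw in irc_lines:
        prefix, cmd, params = parse_irc(raw)
        if cmd in ("JOIN", "PRIVMSG", "NICK"):  # channel and chatter activity worth noting
            notes.append(f"{cmd} {' '.join(params)}" + (f" (from {prefix})" if prefix else ""))
    return notes

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_NETSTAT, SAMPLE_IRC)))
```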
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 17:24:27 PDT