Hi,

Thanks to all who have replied - I wasn't aware ethereal was available as a win32 build - that will do perfectly.

Regards
Lee
--
Lee Evans

> -----Original Message-----
> From: rocky_scottiat_private [mailto:rocky_scottiat_private]
> Sent: 07 August 2003 00:34
> To: Lee Evans
> Subject: Re: Secure.dcom.exe
>
> Hi Lee,
>
> this one is great and it's free...
>
> http://www.ethereal.com/
>
> Let us know what you find... I'm interested.
>
> Rocky
>
> "Lee Evans" <leeat_private>
> To: <incidentsat_private>
> cc:
> Subject: Secure.dcom.exe
> 08/06/2003 03:50 AM
>
> Hi All,
>
> I have found an executable called secure.dcom.exe when looking around a customer's server. They hadn't patched the server above SP4 and I assume it has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has been installed, but I'm still looking into it to see if I can spot anything else. Netstat shows a bunch of outgoing connections to 6667 - irc.homelien.no. Unfortunately there are no IDS or other systems on this network segment I can use, so I'm looking for some way to capture this traffic and hopefully track down some more details on the irc traffic - if anyone can recommend a good (preferably free) traffic sniffer I can quickly install on the host locally (win2k sp4) to decode the IRC traffic I would be grateful.
>
> The exe is available from http://www.leeevans.org/secure.dcom.exe - if anyone wants a look. I'd be interested to know more about it, if anyone has come across it before or can find out.
>
> Regards
> Lee
> --
> Lee Evans
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 17:25:46 PDT