Hello, It could be related to the Incident.org announcement regarding an sdbot variant installed over the RPC DCOM vulnerability: http://isc.sans.org/diary.html?date=2003-08-05 Regards, G -----Original Message----- From: Lee Evans [mailto:leeat_private] Sent: Wednesday, August 06, 2003 5:50 AM To: incidentsat_private Subject: Secure.dcom.exe Hi All, I have found an executable called secure.dcom.exe when looking around a customers server. They hadnt patched the server above SP4 and I assume it has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has been installed, but im still looking into it to see if I can spot anything else. Netstat shows a bunch of outgoing connections to 6667 - irc.homelien.no. Unfortunately there are no IDS or other systems on this network segment I can use, so im looking for someway to capture this traffic and hopefully track down some more details on the irc traffic - if anyone can recommend a good (preferably free) traffic sniffer I can quickly install on the host locally (win2k sp4) to decode the IRC traffic I would be grateful. The exe is available from http://www.leeevans.org/secure.dcom.exe - if anyone wants a look. I'd be interested to know more about it, if anyone has come across it before or can find out. Regards Lee -- Lee Evans --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 17:27:53 PDT