Lee Evans <mailto:leeat_private> scribbled on Wednesday, August 06, 2003 12:50 PM:

> I have found an executable called secure.dcom.exe when looking around
> a customer's server. They hadn't patched the server above SP4 and I
> assume it has been exploited using the RPC DCOM vulnerability. A
> Serv-U FTP server has been installed, but I'm still looking into it to
> see if I can spot anything else. Netstat shows a bunch of outgoing
> connections to 6667 - irc.homelien.no. Unfortunately there are no IDS
> or other systems on this network segment I can use, so I'm looking for
> some way to capture this traffic and hopefully track down some more
> details on the IRC traffic - if anyone can recommend a good
> (preferably free) traffic sniffer I can quickly install on the host
> locally (Win2k SP4) to decode the IRC traffic I would be grateful.

TCPDump is the "de facto" packet analyser/capture tool; there's a Windows port available [1]. If you feel more comfortable using a GUI, you can grab Ethereal [2]. Heck, there's even a Win32 port of dsniff available [3]. All these tools are, as far as I know, freely available.

[1] http://windump.polito.it/
[2] http://www.ethereal.com/
[3] http://www.datanerds.net/~mike/dsniff.html

Cheers,
Steve

--
echo steve.incunabula@be | tr @. .@
http://www.incunabula.be/
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 17:30:05 PDT
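Capturing the port-6667 sessions with windump or Ethereal is only the first step; the IRC lines pulled out of the capture still have to be read. As an added example that is not part of the thread, here is a small Python decoder for those lines, run over a constructed sample session (the only real name in it is the server irc.homelien.no from Lee's message; nicks, channel and messages are made up).

```python
# Added example, not code from the thread: decode the IRC lines a responder
# extracts from a windump/Ethereal capture of the port-6667 sessions.
# Assumption: lines the compromised host sent carry no prefix, while lines
# from the server or other users start with ":prefix" (standard IRC usage).
def parse_irc_line(line):
    """Split one RFC 1459 message into prefix, command, params and trailing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")   # first " :" starts trailing
    parts = head.split()
    if not parts:
        return None
    return {"prefix": prefix, "command": parts[0].upper(),
            "params": parts[1:], "trailing": trailing if sep else None}

def summarize_session(lines):
    """Collect what a responder wants from one session: server, the nick the
    host registered, channels joined, and every message the host received."""
    summary = {"server": None, "nick": None, "channels": [], "messages": []}
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        cmd, prefix = msg["command"], msg["prefix"]
        first = msg["params"][0] if msg["params"] else msg["trailing"]
        if cmd == "NICK" and prefix is None:
            summary["nick"] = first
        elif cmd == "JOIN" and prefix is None:
            summary["channels"].append(first)
        elif cmd.isdigit() and summary["server"] is None:
            summary["server"] = prefix            # numeric replies come from the server
        elif cmd in ("PRIVMSG", "NOTICE") and prefix is not None:
            sender = prefix.split("!", 1)[0]      # nick!user@host -> nick
            summary["messages"].append((sender, first, msg["trailing"] or ""))
    return summary

# Constructed sample session (not real traffic from the customer's server):
# the only name taken from the thread is the IRC server irc.homelien.no.
SAMPLE_SESSION = [
    ":irc.homelien.no NOTICE AUTH :*** Looking up your hostname",
    "NICK bot-4471",
    "USER x 0 * :x",
    ":irc.homelien.no 001 bot-4471 :Welcome to the network",
    "JOIN #example",
    ":bot-4471!x@192.0.2.10 JOIN :#example",
    ":op!op@example.net PRIVMSG #example :.status",
]
```

Feed it the lines from Ethereal's "Follow TCP Stream" view (both directions, in order) and the summary shows which channel the host sat in and what it was told there.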