Re: Secure.dcom.exe

From: Ivan Coric (ivan.coricat_private)
Date: Wed Aug 06 2003 - 16:24:34 PDT


    Hi Lee,
    ngsniff from http://www.ngsec.com/ngresearch/ngtools/
    no drivers required.
    
    cheers
    
    
    Ivan Coric
    IT Technical Security Officer
    Information Technology
    WorkCover Queensland
    Ph: (07) 30066414 Fax: (07) 30066424
    Email: ivan.coricat_private
    
    >>> "Lee Evans" <leeat_private> 08/06/03 08:50pm >>>
    Hi All,
    
    I have found an executable called secure.dcom.exe when looking around a
    customer's server. They hadn't patched the server above SP4 and I assume it
    has been exploited using the RPC DCOM vulnerability. A Serv-U FTP server has
    been installed, but I'm still looking into it to see if I can spot anything
    else. Netstat shows a bunch of outgoing connections to 6667 -
    irc.homelien.no. Unfortunately there are no IDS or other systems on this
    network segment I can use, so I'm looking for some way to capture this traffic
    and hopefully track down some more details on the IRC traffic - if anyone
    can recommend a good (preferably free) traffic sniffer I can quickly install
    on the host locally (Win2k SP4) to decode the IRC traffic I would be
    grateful.
    
    The exe is available from http://www.leeevans.org/secure.dcom.exe - if
    anyone wants a look. I'd be interested to know more about it, if anyone has
    come across it before or can find out.
    
    Regards
    Lee
    -- 
    Lee Evans
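    The triage Lee describes above (outbound connections to TCP 6667 in netstat, then decoding what the bot says on IRC once a sniffer is in place) can be scripted. The block below is an added example for this thread, not code from either poster, from ngsniff or from any other tool named here. It assumes Python 3; the netstat output and the IRC lines it works on are constructed sample data, and the hostnames and addresses in them are placeholders. It flags established connections to the usual IRC ports, parses IRC protocol lines in the RFC 1459 form `[:prefix] COMMAND params [:trailing]`, and summarises which nick the host registered, which channels it joined and what other parties told it there.

```python
"""Added example: triage helpers for an IRC-bot finding on a compromised host.

Not code from the original thread or from ngsniff. All sample data below is
constructed for illustration; hosts and addresses are placeholders.
"""
from collections import namedtuple

# Ports commonly used by IRC servers (6667 is the one seen in the thread).
IRC_PORTS = {6667, 6668, 6669, 6697}

# Constructed sample of `netstat -an` output in the Windows 2000 layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        203.0.113.7:6667       ESTABLISHED
  TCP    192.0.2.10:1046        203.0.113.7:6667       ESTABLISHED
  TCP    192.0.2.10:1102        198.51.100.3:80        TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")


def parse_netstat(text):
    """Parse netstat -an lines into Conn tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        conns.append(Conn(parts[0], local_ip, int(local_port), remote_ip,
                          int(remote_port) if remote_port.isdigit() else None, state))
    return conns


def suspicious_irc_connections(conns):
    """Established TCP connections whose remote port is a common IRC port."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and c.remote_port in IRC_PORTS]


IrcMsg = namedtuple("IrcMsg", "prefix command params")


def parse_irc_line(line):
    """Split one IRC protocol line into prefix, command and parameter list."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):                      # optional ":prefix " (server or nick!user@host)
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                              # last parameter may contain spaces
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMsg(prefix, command, params)


# Constructed sample of what a sniffer would show for the bot's IRC session.
SAMPLE_CAPTURE = [
    "NICK svc-0a1b2c",
    "USER svc 0 * :svc",
    ":irc.example.invalid 001 svc-0a1b2c :Welcome to the network",
    "JOIN #ctrl-room key123",
    ":op!op@198.51.100.1 PRIVMSG #ctrl-room :.status",
    ":svc-0a1b2c!svc@192.0.2.10 PRIVMSG #ctrl-room :uptime 3d, 1 ftp user",
    "PING :irc.example.invalid",
]


def summarize_session(lines):
    """Collect the bot's nick, joined channels and messages sent to it by others."""
    summary = {"nick": None, "channels": [], "commands_received": []}
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "NICK" and msg.prefix is None:   # sent by the host itself
            summary["nick"] = msg.params[0]
        elif msg.command == "JOIN" and msg.prefix is None:
            summary["channels"].append(msg.params[0])
        elif msg.command == "PRIVMSG" and msg.prefix:
            sender = msg.prefix.split("!", 1)[0]
            if sender != summary["nick"]:                  # ignore the bot's own replies
                summary["commands_received"].append((sender, msg.params[0], msg.params[1]))
    return summary


if __name__ == "__main__":
    for c in suspicious_irc_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"IRC connection: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
    print(summarize_session(SAMPLE_CAPTURE))
```

    To use it on a real host, paste the actual `netstat -an` output into `parse_netstat` and feed the lines of the captured TCP stream (as the sniffer reconstructs them) to `summarize_session`; the channel names, keys and sender nicks it reports are the details worth keeping for the incident record before the host is rebuilt.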
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 17:31:12 PDT