Lee, to run ethereal on win32 you need to install winpcap also, ngsniff is a better alternative. cheers Ivan Coric IT Technical Security Officer Information Technology WorkCover Queensland Ph: (07) 30066414 Fax: (07) 30066424 Email: ivan.coricat_private >>> "Lee Evans" <leeat_private> 08/07/03 09:38am >>> Hi, Thanks to all who have replied - I wasn't aware ethereal was available as a win32 build - that will do perfectly. Regards Lee -- Lee Evans > -----Original Message----- > From: rocky_scottiat_private [mailto:rocky_scottiat_private] > Sent: 07 August 2003 00:34 > To: Lee Evans > Subject: Re: Secure.dcom.exe > > > Hi Lee, > > this one is great and its free... > > http://www.ethereal.com/ > > Let us know what you find... im interested. > > Rocky > > > > > "Lee Evans" > > <leeat_private To: > <incidentsat_private> > > cc: > > Subject: > Secure.dcom.exe > 08/06/2003 03:50 > > AM > > > > > > > > > > Hi All, > > I have found an executable called secure.dcom.exe when > looking around a customers server. They hadnt patched the > server above SP4 and I assume it has been exploited using the > RPC DCOM vulnerability. A serv-u ftp server has been > installed, but im still looking into it to see if I can spot > anything else. Netstat shows a bunch of outgoing connections > to 6667 - irc.homelien.no. Unfortunately there are no IDS or > other systems on this network segment I can use, so im > looking for someway to capture this traffic and hopefully > track down some more details on the irc traffic - if anyone > can recommend a good (preferably free) traffic sniffer I can > quickly install on the host locally (win2k sp4) to decode the > IRC traffic I would be grateful. > > The exe is available from > http://www.leeevans.org/secure.dcom.exe - if > anyone wants a > look. I'd be interested to know more about it, if anyone has > come across it before or can find out. > > Regards > Lee > -- > Lee Evans > > > -------------------------------------------------------------- > ------------- > -------------------------------------------------------------- > -------------- > > > > > > > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------- *************************************************************************** Messages included in this e-mail and any of its attachments are those of the author unless specifically stated to represent WorkCover Queensland. The contents of this message are to be used for the intended purpose only and are to be kept confidential at all times. This message may contain privileged information directed only to the intended addressee/s. Accidental receipt of this information should be deleted promptly and the sender notified. This e-mail has been scanned by Sophos for known viruses. However, no warranty nor liability is implied in this respect. ********************************************************************** --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 17:46:04 PDT