[Full-Disclosure] Re: Secure.dcom.exe

From: opticfiber (opticfiberat_private)
Date: Fri Aug 08 2003 - 12:15:03 PDT
Next message: Wcc: "RE: [Full-Disclosure] Re: Secure.dcom.exe"
Previous message: opticfiber: "[Full-Disclosure] RE: Secure.dcom.exe"
In reply to: opticfiber: "[Full-Disclosure] RE: Secure.dcom.exe"
Next in thread: Wcc: "RE: [Full-Disclosure] Re: Secure.dcom.exe"
Next in thread: Harlan Carvey: "Re: Secure.dcom.exe"
Reply: Wcc: "RE: [Full-Disclosure] Re: Secure.dcom.exe"
Reply: morning_wood: "Re: [Full-Disclosure] RPC DCOM footprints - Symantec sucks?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I did a search for Optix Pro and turned out a site that develops the 
software. From what I can tell it's very similar to software based 
trojans like bo2k, netbus ect...A detailed explanation of the trojan can 
be found at this url 
http://www.esecurityplanet.com/alerts/article.php/2197521 . The 
devlopers site of the trojan software can be found here 
http://www.evileyesoftware.com/ees/index.shtml .

With Regard,
William Reyor
http://www.topsight.net


opticfiber wrote:

> On a chance I connected to the irc server mentioned.(irc.homelien.no). 
> Did a channel search for "rpc" and found a channel called "#rpcfucked" 
> with a contant stream of clients connecting and disconnecting. Below 
> is a transcript of the channel for about five minutes or so.
>
>
> Start of #rpcfucked buffer: Fri Aug 08 14:58:58 2003
> [14:55] *** Now talking in #rpcfucked
>   .---------------.---------------.---------------.---------------.
>   | \BILL         | O86690388     | 
> @O41147358    |               |
>   '---------------'---------------'---------------'---------------'
> [12X] [o: 121][v: 120][n: 122][t: 123][m: 12+tn]
> [14:55] *** Quits: O86690388 (Quit: Bye!)
> [14:55] *** Joins: O39614024 (~O39614024@dsl-082-082-157-243.arcor-ip.net
> )
> [14:55] *** Joins: O53226916 (~O53226916@dsl-213-023-244-152.arcor-ip.net
> )
> [14:55] *** Joins: O2193002 (Reggie26@xdsl-pool-66-186-232-164.eatel.net)
> [14:55] <O39614024> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[82-82-15
>  7-243][169-254-138-152]}{Computer_Name:_THOMAS}{Current_User_Name:_ZEUS
>  }{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}
>  {Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_
>  Service_Pack_1}{Webcam:_No}
> [14:55] <O53226916> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-1][213-23-244-152]}{Computer_Name:_JAJA1}{Current_User_Name:_Chef}{Id
>  entification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Ins
>  talled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Serv
>  ice_Pack_1}{Webcam:_No}
> [14:55] <O2193002> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-23
>  2-164]}{Computer_Name:_YOUR-EZ9QS4OHFG}{Current_User_Name:_Reggie}{Iden
>  tification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Insta
>  lled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Servic
>  e_Pack_1}{Webcam:_Yes}
> [14:55] *** Joins: O57406008 (~O57406008@dsl-082-082-158-031.arcor-ip.net
> )
> [14:55] <O57406008> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-2][82-82-158-31]}{Computer_Name:_WIECZOREK}{Current_User_Name:_F.Wiec
>  zorek}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_
>  3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_
>  2600_Service_Pack_1}{Webcam:_No}
> [14:55] *** Quits: O39614024 (Quit: Bye!)
> [14:55] *** Quits: O53226916 (Quit: Bye!)
> [14:55] *** Quits: O2193002 (Quit: Bye!)
> [14:55] *** Quits: O57406008 (Quit: Bye!)
> [14:55] *** Joins: O32784802 (obrdj189@xdsl-pool-66-186-233-91.eatel.net)
> [14:55] *** Joins: O25926540 (~O25926540@dsl-082-082-156-047.arcor-ip.net
> )
> [14:55] *** Joins: O96762633 (~O96762633@xdsl-pool-66-186-231-110.eatel.n
> et)
> [14:55] <O25926540> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  117-227][82-82-156-47]}{Computer_Name:_JOHNJAY}{Current_User_Name:_patt
>  oo}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_341
>  0}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_260
>  0_Service_Pack_1}{Webcam:_No}
> [14:55] <O32784802> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  33-91]}{Computer_Name:_LOUIS-BROWNING}{Current_User_Name:_Louis_Brownin
>  g}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410
>  }{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600
>  _Service_Pack_1}{Webcam:_No}
> [14:55] *** Joins: O4031684 (~O4031684@xdsl-pool-66-186-233-196.eatel.net
> )
> [14:55] <O4031684> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-23
>  3-196]}{Computer_Name:_D3QGNK21}{Current_User_Name:_AMI}{Identification
>  _name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Installed_Troja
>  n_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_Pack_1}{
>  Webcam:_No}
> [14:55] *** Quits: O25926540 (Quit: Bye!)
> [14:55] *** Quits: O32784802 (Quit: Bye!)
> [14:55] *** Joins: O86993671 (~O86993671@dsl-213-023-243-153.arcor-ip.net
> )
> [14:55] *** Joins: O38066033 (~O38066033@dsl-082-082-158-142.arcor-ip.net
> )
> [14:55] <O86993671> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  62-246][213-23-243-153]}{Computer_Name:_WINDOWSXP}{Current_User_Name:_N
>  orbert_und_Andrea}{Identification_name:_Joe_Bloggs_Returns}{Installed_T
>  rojan_Port:_3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Win
>  dows_XP_5.1_2600_Service_Pack_1}{Webcam:_Yes}
> [14:55] <O38066033> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  70-3][82-82-158-142]}{Computer_Name:_STIRNI-IXT1X2T9}{Current_User_Name
>  :_Meister}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Po
>  rt:_3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_
>  5.1_2600_Service_Pack_1}{Webcam:_Yes}
> [14:55] *** Quits: O4031684 (Quit: Bye!)
> [14:55] *** Quits: O86993671 (Quit: Bye!)
> [14:55] *** Quits: O38066033 (Quit: Bye!)
> [14:56] *** Joins: O2686667 (bzlm@xdsl-pool-66-186-231-118.eatel.net)
> [14:56] <O2686667> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-23
>  1-118]}{Computer_Name:_DD3W4X21}{Current_User_Name:_rii_rr}{Identificat
>  ion_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Installed_Tr
>  ojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_Pack_
>  1}{Webcam:_No}
> [12X] Erroneous nickname, please try again.
> [14:56] *** Quits: O2686667 (Quit: Bye!)
> [14:56] *** Joins: O83755710 (~O83755710@dsl-082-082-157-243.arcor-ip.net
> )
> [14:56] <O83755710> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[82-82-15
>  7-243][169-254-138-152]}{Computer_Name:_THOMAS}{Current_User_Name:_ZEUS
>  }{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}
>  {Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_
>  Service_Pack_1}{Webcam:_No}
> [14:56] *** Joins: O42490583 (~O42490583@dsl-213-023-244-152.arcor-ip.net
> )
> [14:56] <O42490583> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-1][213-23-244-152]}{Computer_Name:_JAJA1}{Current_User_Name:_Chef}{Id
>  entification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Ins
>  talled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Serv
>  ice_Pack_1}{Webcam:_No}
> [14:56] *** Joins: O39962793 (Reggie26@xdsl-pool-66-186-232-164.eatel.net
> )
> [14:56] <O39962793> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  32-164]}{Computer_Name:_YOUR-EZ9QS4OHFG}{Current_User_Name:_Reggie}{Ide
>  ntification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Inst
>  alled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Servi
>  ce_Pack_1}{Webcam:_Yes}
> [14:56] *** Joins: O79063507 (~O79063507@dsl-082-082-158-031.arcor-ip.net
> )
> [14:56] <O79063507> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-2][82-82-158-31]}{Computer_Name:_WIECZOREK}{Current_User_Name:_F.Wiec
>  zorek}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_
>  3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_
>  2600_Service_Pack_1}{Webcam:_No}
> [14:56] *** Quits: O83755710 (Quit: Bye!)
> [14:56] *** Quits: O42490583 (Quit: Bye!)
> [12X] Erroneous nickname, please try again.
> [14:56] *** Quits: O39962793 (Quit: Bye!)
> [14:56] *** Joins: O97698986 (obrdj189@xdsl-pool-66-186-233-91.eatel.net)
> [14:56] *** Quits: O79063507 (Quit: Bye!)
> [14:56] <O97698986> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  33-91]}{Computer_Name:_LOUIS-BROWNING}{Current_User_Name:_Louis_Brownin
>  g}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410
>  }{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600
>  _Service_Pack_1}{Webcam:_No}
> [14:56] *** Joins: O11121298 (~O11121298@dsl-082-082-156-047.arcor-ip.net
> )
> [14:56] <O11121298> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  117-227][82-82-156-47]}{Computer_Name:_JOHNJAY}{Current_User_Name:_patt
>  oo}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_341
>  0}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_260
>  0_Service_Pack_1}{Webcam:_No}
> [14:56] *** Joins: O81466610 (~O81466610@xdsl-pool-66-186-231-110.eatel.n
> et)
> [14:56] <O81466610> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  31-110]}{Computer_Name:_JANE-3S3KAPVSUJ}{Current_User_Name:_Jane}{Ident
>  ification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Instal
>  led_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service
>  _Pack_1}{Webcam:_No}
> [14:56] *** Quits: O97698986 (Quit: Bye!)
> [14:56] *** Quits: O11121298 (Quit: Bye!)
> [14:56] *** Quits: O81466610 (Quit: Bye!)
> [14:56] *** Quits: O41147358 (Ping timeout: 180 seconds)
> [14:56] *** Joins: O64071293 (~O64071293@xdsl-pool-66-186-233-196.eatel.n
> et)
> [14:56] <O64071293> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  33-196]}{Computer_Name:_D3QGNK21}{Current_User_Name:_AMI}{Identificatio
>  n_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Installed_Troj
>  an_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_Pack_1}
>  {Webcam:_No}
> [14:56] *** Joins: O90096394 (~O90096394@dsl-082-082-158-142.arcor-ip.net
> )
> [14:56] <O90096394> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  70-3][82-82-158-142]}{Computer_Name:_STIRNI-IXT1X2T9}{Current_User_Name
>  :_Meister}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Po
>  rt:_3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_
>  5.1_2600_Service_Pack_1}{Webcam:_Yes}
> [14:56] *** Joins: O47218992 (~O47218992@dsl-213-023-243-153.arcor-ip.net
> )
> [14:56] *** Quits: O64071293 (Quit: Bye!)
> [14:57] *** Quits: O90096394 (Quit: Bye!)
> [14:57] *** Joins: O92370138 (xcdkckhkd@xdsl-pool-66-186-231-118.eatel.ne
> t)
> [14:57] <O92370138> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  31-118]}{Computer_Name:_DD3W4X21}{Current_User_Name:_rii_rr}{Identifica
>  tion_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Installed_T
>  rojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_Pack
>  _1}{Webcam:_No}
> [14:57] *** Joins: O46089129 (~O46089129@dsl-082-082-157-243.arcor-ip.net
> )
> [14:57] *** Joins: O57197547 (~O57197547@dsl-213-023-244-152.arcor-ip.net
> )
> [14:57] <O57197547> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-1][213-23-244-152]}{Computer_Name:_JAJA1}{Current_User_Name:_Chef}{Id
>  entification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Ins
>  talled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Serv
>  ice_Pack_1}{Webcam:_No}
> [14:57] *** Quits: O92370138 (Quit: Bye!)
> [14:57] *** Joins: O39992463 (Reggie26@xdsl-pool-66-186-232-164.eatel.net
> )
> [14:57] <O39992463> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  32-164]}{Computer_Name:_YOUR-EZ9QS4OHFG}{Current_User_Name:_Reggie}{Ide
>  ntification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Inst
>  alled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Servi
>  ce_Pack_1}{Webcam:_Yes}
> [14:57] *** Joins: O26840934 (~O26840934@dsl-082-082-158-031.arcor-ip.net
> )
> [14:57] <O26840934> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-2][82-82-158-31]}{Computer_Name:_WIECZOREK}{Current_User_Name:_F.Wiec
>  zorek}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_
>  3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_
>  2600_Service_Pack_1}{Webcam:_No}
> [14:57] *** Quits: O57197547 (Quit: Bye!)
> [14:57] *** Quits: O39992463 (Quit: Bye!)
> [14:57] *** Quits: O26840934 (Quit: Bye!)
> [14:57] *** Joins: O93450467 (obrdj189@xdsl-pool-66-186-233-91.eatel.net)
> [14:57] <O93450467> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  33-91]}{Computer_Name:_LOUIS-BROWNING}{Current_User_Name:_Louis_Brownin
>  g}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410
>  }{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600
>  _Service_Pack_1}{Webcam:_No}
> [14:57] *** Joins: O20023043 (~O20023043@dsl-082-082-156-047.arcor-ip.net
> )
> [14:57] <O20023043> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  117-227][82-82-156-47]}{Computer_Name:_JOHNJAY}{Current_User_Name:_patt
>  oo}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_341
>  0}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_260
>  0_Service_Pack_1}{Webcam:_No}
> [14:57] *** Joins: O29378273 (~O29378273@xdsl-pool-66-186-231-110.eatel.n
> et)
> [14:57] <O29378273> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  31-110]}{Computer_Name:_JANE-3S3KAPVSUJ}{Current_User_Name:_Jane}{Ident
>  ification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Instal
>  led_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service
>  _Pack_1}{Webcam:_No}
> [14:57] *** Quits: O93450467 (Quit: Bye!)
> [14:57] *** Quits: O20023043 (Quit: Bye!)
> [14:57] *** Quits: O29378273 (Quit: Bye!)
> [14:57] *** Joins: O55323265 (~O55323265@xdsl-pool-66-186-233-196.eatel.n
> et)
> [14:57] <O55323265> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  33-196]}{Computer_Name:_D3QGNK21}{Current_User_Name:_AMI}{Identificatio
>  n_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Installed_Troj
>  an_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_Pack_1}
>  {Webcam:_No}
> [14:57] *** Joins: O4348300 (~O4348300@dsl-082-082-158-142.arcor-ip.net)
> [14:57] <O4348300> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-7
>  0-3][82-82-158-142]}{Computer_Name:_STIRNI-IXT1X2T9}{Current_User_Name:
>  _Meister}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Por
>  t:_3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5
>  .1_2600_Service_Pack_1}{Webcam:_Yes}
> [14:57] *** Quits: O55323265 (Quit: Bye!)
> [14:57] *** Joins: O59415107 (~O59415107@dsl-213-023-243-153.arcor-ip.net
> )
> [14:57] <O59415107> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  62-246][213-23-243-153]}{Computer_Name:_WINDOWSXP}{Current_User_Name:_N
>  orbert_und_Andrea}{Identification_name:_Joe_Bloggs_Returns}{Installed_T
>  rojan_Port:_3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Win
>  dows_XP_5.1_2600_Service_Pack_1}{Webcam:_Yes}
> [14:58] *** Quits: O4348300 (Quit: Bye!)
> [14:58] *** Quits: O59415107 (Quit: Bye!)
> [14:58] *** Joins: O59143259 (poenkqz@xdsl-pool-66-186-231-118.eatel.net)
> [14:58] <O59143259> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  31-118]}{Computer_Name:_DD3W4X21}{Current_User_Name:_rii_rr}{Identifica
>  tion_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Installed_T
>  rojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_Pack
>  _1}{Webcam:_No}
> [14:58] *** Joins: O15416911 (~O15416911@dsl-082-082-157-243.arcor-ip.net
> )
> [14:58] <O15416911> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[82-82-15
>  7-243][169-254-138-152]}{Computer_Name:_THOMAS}{Current_User_Name:_ZEUS
>  }{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}
>  {Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_
>  Service_Pack_1}{Webcam:_No}
> [14:58] *** Joins: O22089898 (~O22089898@dsl-213-023-244-152.arcor-ip.net
> )
> [14:58] *** Quits: O59143259 (Quit: Bye!)
> [14:58] <O22089898> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-1][213-23-244-152]}{Computer_Name:_JAJA1}{Current_User_Name:_Chef}{Id
>  entification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Ins
>  talled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Serv
>  ice_Pack_1}{Webcam:_No}
> [12X] Netsplit detected at 122:58pm between 
> 12ircd.servercentral.net and
>  12ircd.arcti.ca
> [12X] Press 12sF10 to see who split away.
> [12X] To join split (12ircd.arcti.ca) in an irc2 session, 
> press 12F11.
> [14:58] *** Quits: O22089898 (Quit: Bye!)
> [14:58] *** Quits: O15416911 (Quit: Bye!)
> [14:58] *** Joins: O66411217 (Reggie26@xdsl-pool-66-186-232-164.eatel.net
> )
> [14:58] <O66411217> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  32-164]}{Computer_Name:_YOUR-EZ9QS4OHFG}{Current_User_Name:_Reggie}{Ide
>  ntification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Inst
>  alled_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Servi
>  ce_Pack_1}{Webcam:_Yes}
> [14:58] *** Joins: O69423328 (~O69423328@dsl-082-082-158-031.arcor-ip.net
> )
> [14:58] <O69423328> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[192-168-
>  0-2][82-82-158-31]}{Computer_Name:_WIECZOREK}{Current_User_Name:_F.Wiec
>  zorek}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_
>  3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_
>  2600_Service_Pack_1}{Webcam:_No}
> [14:58] *** Joins: O83035184 (~O83035184@dsl-082-082-156-047.arcor-ip.net
> )
> [14:58] *** Joins: O17276233 (obrdj189@xdsl-pool-66-186-233-91.eatel.net)
> [14:58] <O83035184> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-
>  117-227][82-82-156-47]}{Computer_Name:_JOHNJAY}{Current_User_Name:_patt
>  oo}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_341
>  0}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_260
>  0_Service_Pack_1}{Webcam:_No}
> [14:58] <O17276233> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  33-91]}{Computer_Name:_LOUIS-BROWNING}{Current_User_Name:_Louis_Brownin
>  g}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410
>  }{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600
>  _Service_Pack_1}{Webcam:_No}
> [14:58] *** Joins: O1187081 (~O1187081@xdsl-pool-66-186-231-110.eatel.net
> )
> [14:58] <O1187081> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-23
>  1-110]}{Computer_Name:_JANE-3S3KAPVSUJ}{Current_User_Name:_Jane}{Identi
>  fication_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Install
>  ed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_
>  Pack_1}{Webcam:_No}
> [14:58] *** Quits: O96762633 (Ping timeout: 180 seconds)
> [14:58] *** Quits: O66411217 (Quit: Bye!)
> [14:58] *** Quits: O69423328 (Quit: Bye!)
> [14:58] *** Quits: O83035184 (Quit: Bye!)
> [14:58] *** Quits: O17276233 (Quit: Bye!)
> [14:58] *** Quits: O1187081 (Quit: Bye!)
> [14:58] *** Joins: O42189641 (~O42189641@xdsl-pool-66-186-233-196.eatel.n
> et)
> [14:58] <O42189641> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[66-186-2
>  33-196]}{Computer_Name:_D3QGNK21}{Current_User_Name:_AMI}{Identificatio
>  n_name:_Joe_Bloggs_Returns}{Installed_Trojan_Port:_3410}{Installed_Troj
>  an_Password:_NONE}{Windows_Version:_Windows_XP_5.1_2600_Service_Pack_1}
>  {Webcam:_No}
> [14:58] *** Joins: O8709877 (~O8709877@dsl-082-082-158-142.arcor-ip.net)
> [14:58] <O8709877> Optix_Pro_v1.31_Server_Online:_{Ip_address:_[169-254-7
>  0-3][82-82-158-142]}{Computer_Name:_STIRNI-IXT1X2T9}{Current_User_Name:
>  _Meister}{Identification_name:_Joe_Bloggs_Returns}{Installed_Trojan_Por
>  t:_3410}{Installed_Trojan_Password:_NONE}{Windows_Version:_Windows_XP_5
>  .1_2600_Service_Pack_1}{Webcam:_Yes}
> [14:58] *** Quits: O42189641 (Quit: Bye!)
> End of #rpcfucked buffer    Fri Aug 08 14:58:58 2003
>
> With Regard,
> William Reyor
> http://www.topsight.net
>
>
> -----Original Message-----
>
>> From: Lee Evans [mailto:leeat_private] Sent: Wednesday, August 06, 
>> 2003 5:50 AM
>> To: incidentsat_private
>> Subject: Secure.dcom.exe
>
>
> Hi All,
>
>>
>> I have found an executable called secure.dcom.exe when looking around 
>> a customers server. They hadnt patched the server above SP4 and I 
>> assume it has been exploited using the RPC DCOM vulnerability. A 
>> serv-u ftp server has been installed, but im still looking into it to 
>> see if I can spot anything else. Netstat shows a bunch of outgoing 
>> connections to 6667 - irc.homelien.no. Unfortunately there are no IDS 
>> or other systems on this network segment I can use, so im looking for 
>> someway to capture this traffic and hopefully track down some more 
>> details on the irc traffic - if anyone can recommend a good 
>> (preferably free) traffic sniffer I can quickly install on the host 
>> locally (win2k sp4) to decode the IRC traffic I would be grateful.
>
>
>
>
>
>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Next message: Wcc: "RE: [Full-Disclosure] Re: Secure.dcom.exe"
Previous message: opticfiber: "[Full-Disclosure] RE: Secure.dcom.exe"
In reply to: opticfiber: "[Full-Disclosure] RE: Secure.dcom.exe"
Next in thread: Wcc: "RE: [Full-Disclosure] Re: Secure.dcom.exe"
Next in thread: Harlan Carvey: "Re: Secure.dcom.exe"
Reply: Wcc: "RE: [Full-Disclosure] Re: Secure.dcom.exe"
Reply: morning_wood: "Re: [Full-Disclosure] RPC DCOM footprints - Symantec sucks?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 12:37:14 PDT