Lee,

Just download the win32 version of snort (www.snort.org), you will have to
install Winpcap (http://winpcap.polito.it) and use it in sniffer mode.
Combine with some fancy bpf filters:

c:\snort\snort -vXed
c:\snort\snort -vXed 'src or dst port 6667'

Or you could just use windump and/or ethereal.

=============================================
Eric Hines
Senior Intrusion Analyst
Allstate Information Security
---------------------------------------------
[e] ehin4at_private
[c] (847) 830-2883
[a] 1075818at_private
---------------------------------------------
3075 Sanders Road
Suite G2E
Northbrook, IL 60062
=============================================

-----Original Message-----
From: Lee Evans [mailto:leeat_private]
Sent: Wednesday, August 06, 2003 5:50 AM
To: incidentsat_private
Subject: Secure.dcom.exe

Hi All,

I have found an executable called secure.dcom.exe when looking around a
customer's server. They hadn't patched the server above SP4 and I assume it
has been exploited using the RPC DCOM vulnerability. A Serv-U FTP server has
been installed, but I'm still looking into it to see if I can spot anything
else.

Netstat shows a bunch of outgoing connections to 6667 - irc.homelien.no.
Unfortunately there are no IDS or other systems on this network segment I can
use, so I'm looking for some way to capture this traffic and hopefully track
down some more details on the IRC traffic - if anyone can recommend a good
(preferably free) traffic sniffer I can quickly install on the host locally
(Win2k SP4) to decode the IRC traffic I would be grateful.

The exe is available from http://www.leeevans.org/secure.dcom.exe - if anyone
wants a look. I'd be interested to know more about it, if anyone has come
across it before or can find out.

Regards

Lee

-- 
Lee Evans

-------------------------------------------
Eric Hines
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hinesat_private
-------------------------------------------
Direct: (877) 262-7593 - Toll Free x327
Fax: (815) 425-2173
General: (877) 262-7593 (9am-5pm CST)
-------------------------------------------

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
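The sniffers suggested above (windump -w, snort -b, ethereal) all write libpcap files, so the step after capturing with a "port 6667" filter is pulling the IRC session back out of the capture. The script below is an added example written for this editorial pass, not code from either poster: it parses a libpcap file with only the Python standard library, keeps the IPv4/TCP frames touching port 6667, concatenates each direction's payload, and reports the NICK/USER/JOIN/PRIVMSG traffic an analyst would want from a suspected IRC bot. The capture it runs on is constructed inline (documentation addresses 192.0.2.10 and 198.51.100.5, invented nick and channel names, zero checksums); replace sample_capture() with open("irc.pcap", "rb").read() for a real file. It assumes an Ethernet link type and does no TCP sequence-number reassembly, which is adequate for a short local capture but not for reordered or retransmitted segments.

```python
import socket
import struct
from collections import defaultdict

IRC_PORTS = {6667}
# IRC commands worth surfacing when triaging a suspected bot: identification,
# channel joins and the channel or private traffic that carries bot commands.
INTERESTING = {"PASS", "NICK", "USER", "JOIN", "PART", "MODE", "TOPIC", "PRIVMSG", "NOTICE"}


def iter_packets(data):
    """Yield (timestamp, raw frame) from a classic libpcap file held in memory."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a libpcap capture")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IP protocol field: 6 == TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[doff:]


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, params) using RFC 1459 framing."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:  # trailing parameter may contain spaces
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return None
    return prefix, params[0].upper(), params[1:]


def extract_irc(pcap_bytes, ports=IRC_PORTS):
    """Reassemble per-direction payload on the IRC ports and return the interesting commands."""
    streams = defaultdict(bytes)
    for _ts, frame in iter_packets(pcap_bytes):
        pkt = tcp_payload(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, payload = pkt
        if sport not in ports and dport not in ports:
            continue  # same effect as the BPF filter "port 6667"
        # Naive reassembly: payload concatenated in capture order, no seq handling.
        streams[(src, sport, dst, dport)] += payload
    events = []
    for (src, sport, dst, dport), buf in streams.items():
        direction = "->" if dport in ports else "<-"  # "->" is host to IRC server
        for raw in buf.split(b"\r\n"):
            parsed = parse_irc_line(raw.decode("latin-1")) if raw else None
            if parsed and parsed[1] in INTERESTING:
                events.append((src, dst, direction, parsed[1], parsed[2]))
    return events


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; MACs and checksums are zero (test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes(12) + b"\x08\x00" + ip + tcp + payload


def sample_capture():
    """Constructed capture: host 192.0.2.10 talking to an IRC server at 198.51.100.5:6667."""
    host, server = "192.0.2.10", "198.51.100.5"
    frames = [
        _frame(host, server, 1065, 6667, b"NICK bot1234\r\nUSER bot 0 0 :bot\r\n"),
        _frame(server, host, 6667, 1065, b":irc.example.net 001 bot1234 :Welcome\r\n"),
        _frame(host, server, 1065, 6667, b"JOIN #botch"),       # JOIN split across
        _frame(host, server, 1065, 6667, b"an secretkey\r\n"),  # two TCP segments
        _frame(server, host, 6667, 1065, b":boss!op@203.0.113.9 PRIVMSG #botchan :.login letmein\r\n"),
        _frame(host, server, 1066, 80, b"GET / HTTP/1.0\r\n\r\n"),  # not IRC, must be ignored
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = (struct.pack("<IIII", 1060120000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames))
    return header + b"".join(records)


if __name__ == "__main__":
    for src, dst, direction, cmd, params in extract_irc(sample_capture()):
        print(f"{src} {direction} {dst}  {cmd} {params}")
```

Run as-is it lists the bot's NICK, USER and JOIN (channel plus key, correctly joined across the split segment) and the operator's PRIVMSG carrying the ".login" command, while the HTTP frame is dropped by the port check. On a real capture the channel key and the nick pattern are what you would search the binary for next.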
This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 16:14:32 PDT