Re: Secure.dcom.exe

From: Eric Hines (eric.hinesat_private)
Date: Fri Aug 08 2003 - 05:17:46 PDT


    Lee,
    
    Just download the win32 version of snort (www.snort.org), you will have to 
    install Winpcap (http://winpcap.polito.it) and use it in sniffer mode. Combine 
    with some fancy bpf filters:
    
    c:\snort\snort -vXed
    c:\snort\snort -vXed "src or dst port 6667"
    
    Or you could just use windump and/or ethereal.
    
    =============================================
    Eric Hines
    Senior Intrusion Analyst 
    Allstate Information Security
    ---------------------------------------------
    [e] ehin4at_private
    [c] (847) 830-2883
    [a] 1075818at_private
    ---------------------------------------------
    3075 Sanders Road
    Suite G2E
    Northbrook, IL 60062
    =============================================
    
    -----Original Message-----
    From: Lee Evans [mailto:leeat_private]
    Sent: Wednesday, August 06, 2003 5:50 AM
    To: incidentsat_private
    Subject: Secure.dcom.exe
    
    
    Hi All,
    
    I have found an executable called secure.dcom.exe when looking around a
    customer's server. They hadn't patched the server above SP4 and I assume it
    has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has
    been installed, but I'm still looking into it to see if I can spot anything
    else. Netstat shows a bunch of outgoing connections to 6667 -
    irc.homelien.no. Unfortunately there are no IDS or other systems on this
    network segment I can use, so I'm looking for some way to capture this traffic
    and hopefully track down some more details on the irc traffic - if anyone
    can recommend a good (preferably free) traffic sniffer I can quickly install
    on the host locally (win2k sp4) to decode the IRC traffic I would be
    grateful.
    
    The exe is available from http://www.leeevans.org/secure.dcom.exe - if
    anyone wants a look. I'd be interested to know more about it, if anyone has
    come across it before or can find out.
    
    Regards
    Lee
    -- 
    Lee Evans
    
    -------------------------------------------
    Eric Hines
    CEO, Chairman
    Applied Watch Technologies, Inc.
    web: http://www.appliedwatch.com
    email: eric.hinesat_private
    -------------------------------------------
    Direct: (877) 262-7593 - Toll Free x327
    Fax: (815) 425-2173
    General: (877) 262-7593 (9am-5pm CST)
    -------------------------------------------
    
    -------------------------------------------------
    This mail sent through IMP: http://horde.org/imp/
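The reply above captures the port 6667 traffic but leaves the decoding to the reader. The following is an added illustration, not code posted by either participant, of turning the reassembled IRC payload a sniffer hands back into structured records (prefix, command, parameters, as in RFC 1459) and summarising which nicks joined which channels and what was said. The sample stream and all names in it are constructed for this example and are not data from the host discussed in the thread.

```python
"""Decode raw IRC protocol lines captured from a port-6667 session and
summarise the nicks, channels and messages seen.

SAMPLE_STREAM below is a constructed example payload, not real capture data.
"""
from collections import defaultdict

# Constructed sample: what a sniffer would hand back after TCP reassembly
# of one client/server exchange. Hostnames use the reserved .invalid TLD.
SAMPLE_STREAM = (
    b"NICK [USA|XP]-12345\r\n"
    b"USER xp 0 0 :xp\r\n"
    b":irc.example.invalid 001 [USA|XP]-12345 :Welcome\r\n"
    b"JOIN #bots\r\n"
    b":[USA|XP]-12345!xp@10.0.0.5 JOIN :#bots\r\n"
    b":controller!c@10.0.0.9 PRIVMSG #bots :status\r\n"
    b"PING :irc.example.invalid\r\n"
)


def parse_irc_line(line):
    """Split one IRC line into prefix, command and params.

    Shape (RFC 1459): [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]
    The trailing parameter may contain spaces and is appended as the last param.
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    command = parts[0].upper()
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return {"prefix": prefix, "command": command, "params": params}


def decode_stream(data):
    """Split a reassembled TCP payload on CRLF and decode every non-empty line."""
    records = []
    for raw in data.split(b"\r\n"):
        if raw:
            records.append(parse_irc_line(raw.decode("utf-8", errors="replace")))
    return records


def _sender(record):
    """Nick part of a prefix ('nick!user@host'); '<local>' for unprefixed client lines."""
    return record["prefix"].split("!")[0] if record["prefix"] else "<local>"


def summarise(records):
    """Return (nicks, channels, messages) observed in the decoded records.

    nicks:    set of nicknames the local client claimed with NICK
    channels: dict channel -> set of nicks seen joining it
    messages: list of (sender, target, text) for PRIVMSG/NOTICE lines
    """
    nicks = set()
    channels = defaultdict(set)
    messages = []
    for r in records:
        cmd, p = r["command"], r["params"]
        if cmd == "NICK" and p:
            nicks.add(p[0])
        elif cmd == "JOIN" and p:
            for chan in p[0].split(","):  # JOIN accepts a comma-separated list
                channels[chan].add(_sender(r))
        elif cmd in ("PRIVMSG", "NOTICE") and len(p) >= 2:
            messages.append((_sender(r), p[0], p[1]))
    return nicks, dict(channels), messages


if __name__ == "__main__":
    nicks, channels, messages = summarise(decode_stream(SAMPLE_STREAM))
    print("nicks:   ", sorted(nicks))
    print("channels:", {c: sorted(n) for c, n in channels.items()})
    for sender, target, text in messages:
        print("message: ", sender, "->", target, ":", text)
```

In practice the input would be the application-layer bytes snort's `-d` dump or windump writes for the 6667 stream; the decoder treats the client's own unprefixed lines (NICK, USER, the first JOIN) as coming from `<local>`, which is exactly the host under investigation, so the channel set tells you where the infected host went and the message list tells you what it was told.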
    
    This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 16:14:32 PDT