Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Secure.dcom.exe
.

  • To: <[EMAIL PROTECTED]>
  • Subject: Secure.dcom.exe
  • From: "Lee Evans" <[EMAIL PROTECTED]>
  • Date: Wed, 6 Aug 2003 11:50:13 +0100
.
 
Hi All,

I have found an executable called secure.dcom.exe when looking around a
customers server. They hadnt patched the server above SP4 and I assume it
has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has
been installed, but im still looking into it to see if I can spot anything
else. Netstat shows a bunch of outgoing connections to 6667 -
irc.homelien.no. Unfortunately there are no IDS or other systems on this
network segment I can use, so im looking for someway to capture this traffic
and hopefully track down some more details on the irc traffic - if anyone
can recommend a good (preferably free) traffic sniffer I can quickly install
on the host locally (win2k sp4) to decode the IRC traffic I would be
grateful.

The exe is available from http://www.leeevans.org/secure.dcom.exe - if
anyone wants a look. I'd be interested to know more about it, if anyone has
come across it before or can find out.

Regards
Lee
-- 
Lee Evans


---------------------------------------------------------------------------
----------------------------------------------------------------------------
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.