RE: Secure.dcom.exe
- To: "Lee Evans" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
- Subject: RE: Secure.dcom.exe
- From: "Schmehl, Paul L" <[EMAIL PROTECTED]>
- Date: Wed, 6 Aug 2003 18:29:14 -0500
- Thread-index: AcNccYi8QctPVmOXRfGObry3SmmYbQAAB+fQ
- Thread-topic: Secure.dcom.exe
Ethereal
http://www.ethereal.com/
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
> -----Original Message-----
> From: Lee Evans [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 5:50 AM
> To: [EMAIL PROTECTED]
> Subject: Secure.dcom.exe
>
>
> Hi All,
>
> I have found an executable called secure.dcom.exe when
> looking around a customer's server. They hadn't patched the
> server above SP4 and I assume it has been exploited using the
> RPC DCOM vulnerability. A Serv-U FTP server has been
> installed, but I'm still looking into it to see if I can spot
> anything else. Netstat shows a bunch of outgoing connections
> to 6667 - irc.homelien.no. Unfortunately there are no IDS or
> other systems on this network segment I can use, so I'm
> looking for some way to capture this traffic and hopefully
> track down some more details on the IRC traffic - if anyone
> can recommend a good (preferably free) traffic sniffer I can
> quickly install on the host locally (Win2k SP4) to decode the
> IRC traffic I would be grateful.
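Once a sniffer such as Ethereal has captured the port 6667 session, the next step is reading the IRC protocol itself. The script below is an added example, not code from either poster; it takes a client-side session in the form a "Follow TCP Stream" view would give (one IRC message per line, RFC 1459 wire format) and pulls out the facts a responder wants first: the nick the host registered, the channels it joined and any channel keys, who sent it commands, and a per-direction command count. The sample session, its nick, channel, key and hostnames are constructed placeholders, and the ">"/"<" direction markers are a labelling convention for this example rather than part of the protocol.

```python
"""Decode captured IRC protocol lines and summarise what a client is doing.

Added example (not from the original mailing-list post). Input is one IRC
message per line in the RFC 1459 wire format:
    [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]
Each line is prefixed with '>' (sent by the host) or '<' (sent by the
server); that marker is a convention of this example, not IRC syntax.
"""
from collections import Counter

# Constructed sample session; every nick, channel, key and host is a
# placeholder invented for this example.
SAMPLE_STREAM = """\
> NICK bot-EXAMPLE-1234
> USER xyz 8 * :xyz
< :irc.example.invalid 001 bot-EXAMPLE-1234 :Welcome to the network
> JOIN #example-channel :placeholder-key
< :bot-EXAMPLE-1234!xyz@10.0.0.5 JOIN :#example-channel
< :operator!op@10.0.0.9 PRIVMSG #example-channel :.login placeholder
> PRIVMSG #example-channel :[MAIN]: Logged in
< PING :irc.example.invalid
> PONG :irc.example.invalid
> QUIT :bye
"""


def parse_irc_line(line):
    """Split one IRC message into (prefix, command, params).

    Returns None for blank or malformed lines. The trailing parameter
    (introduced by ' :') may contain spaces and is kept as one element.
    """
    line = line.rstrip("\r\n")
    if not line:
        return None
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # Split off the trailing parameter first so spaces inside it survive.
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def summarise_session(stream):
    """Walk a direction-marked session and collect responder-relevant facts."""
    summary = {
        "nick": None,                 # nick the host registered
        "channels": {},               # channel -> key (None if no key)
        "remote_senders": Counter(),  # nick -> PRIVMSGs received from it
        "commands": Counter(),        # (direction, command) -> count
    }
    for raw in stream.splitlines():
        direction, _, msg = raw.partition(" ")
        if direction not in (">", "<"):
            continue  # skip lines without a direction marker
        parsed = parse_irc_line(msg)
        if parsed is None:
            continue
        prefix, command, params = parsed
        summary["commands"][(direction, command)] += 1
        if direction == ">" and command == "NICK" and params:
            summary["nick"] = params[0]
        elif direction == ">" and command == "JOIN" and params:
            # JOIN takes comma-separated channels and optional matching keys.
            channels = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(channels):
                summary["channels"][chan] = keys[i] if i < len(keys) else None
        elif direction == "<" and command == "PRIVMSG" and prefix:
            # prefix is nick!user@host; the nick is what identifies the sender
            summary["remote_senders"][prefix.split("!", 1)[0]] += 1
    return summary


if __name__ == "__main__":
    result = summarise_session(SAMPLE_STREAM)
    print("nick:", result["nick"])
    print("channels joined:", result["channels"])
    print("senders of PRIVMSG to host:", dict(result["remote_senders"]))
    for (direction, command), count in sorted(result["commands"].items()):
        print(f"{direction} {command}: {count}")
```

Feed it the stream text saved from the sniffer after adding the direction markers, and it gives a first inventory of the channel, any join key and the nicks that addressed the host; those are the details worth preserving before the machine is rebuilt.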