RE: Secure.dcom.exe
- To: "Lee Evans" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
- Subject: RE: Secure.dcom.exe
- From: "De Doncker, Steve" <[EMAIL PROTECTED]>
- Date: Thu, 7 Aug 2003 01:40:16 +0200
- In-reply-to: <[EMAIL PROTECTED]>
Lee Evans <mailto:[EMAIL PROTECTED]> scribbled on Wednesday, August 06, 2003 12:50 PM:
> I have found an executable called secure.dcom.exe when looking around
> a customer's server. They hadn't patched the server above SP4 and I
> assume it has been exploited using the RPC DCOM vulnerability. A
> Serv-U FTP server has been installed, but I'm still looking into it to
> see if I can spot anything else. Netstat shows a bunch of outgoing
> connections to 6667 - irc.homelien.no. Unfortunately there are no IDS
> or other systems on this network segment I can use, so I'm looking for
> some way to capture this traffic and hopefully track down some more
> details on the IRC traffic - if anyone can recommend a good
> (preferably free) traffic sniffer I can quickly install on the host
> locally (Win2k SP4) to decode the IRC traffic I would be grateful.
TCPDump is the "de facto" packet analyser/capture tool; there's a Windows
port available [1].
If you feel more comfortable using a GUI, you can grab Ethereal [2].
Heck, there's even a Win32 port of dsniff available [3].
All these tools are, as far as I know, freely available.
[1] http://windump.polito.it/
[2] http://www.ethereal.com/
[3] http://www.datanerds.net/~mike/dsniff.html
Cheers,
Steve
--
echo [EMAIL PROTECTED] | tr @. .@
http://www.incunabula.be/
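Once the traffic to port 6667 has been captured with one of the tools above, the payload still has to be read as IRC. The following is an added example (not from the thread or any of the tools it names): a small parser for the RFC 1459 line format (optional ":prefix", command, parameters, optional ":trailing") that summarises which nick the host used, which channels it joined and which server greeted it. The sample lines are constructed for illustration; the server and channel names in them are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# RFC 1459 message: [":" prefix SPACE] command [params] [" :" trailing]
_IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?P<params>.*)$")


class IrcMessage(NamedTuple):
    prefix: Optional[str]   # sender (server or nick!user@host), None if absent
    command: str            # e.g. NICK, JOIN, PRIVMSG or a numeric reply like 001
    params: List[str]       # middle parameters plus the trailing parameter, if any


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix, command and parameter list."""
    m = _IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an IRC line: {line!r}")
    rest = m.group("params")
    if " :" in rest:                      # trailing parameter may contain spaces
        middle, trailing = rest.split(" :", 1)
        params = middle.split() + [trailing]
    else:
        params = rest.split()
    return IrcMessage(m.group("prefix"), m.group("command").upper(), params)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Pull out the facts an investigator wants from a captured IRC session."""
    summary: Dict[str, object] = {"nick": None, "channels": [], "servers": [], "privmsg": []}
    for line in lines:
        msg = parse_irc_line(line)
        if msg.command == "NICK" and msg.prefix is None:      # sent by the host
            summary["nick"] = msg.params[0]
        elif msg.command == "JOIN" and msg.params:
            for ch in msg.params[0].split(","):
                if ch not in summary["channels"]:
                    summary["channels"].append(ch)
        elif msg.command == "001" and msg.prefix:              # RPL_WELCOME from server
            summary["servers"].append(msg.prefix)
        elif msg.command == "PRIVMSG" and len(msg.params) >= 2:
            summary["privmsg"].append((msg.prefix, msg.params[0], msg.params[-1]))
    return summary


# Constructed sample of what a capture on tcp port 6667 might decode to (hypothetical names).
SAMPLE = [
    "NICK host-00123",
    "USER host 0 * :host",
    ":irc.example.test 001 host-00123 :Welcome to the network",
    "JOIN #example-chan",
    ":someone!user@host.example.test PRIVMSG #example-chan :hello",
    "PING :irc.example.test",
]
```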