Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Re: Secure.dcom.exe
.

  • To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: Re: Secure.dcom.exe
  • From: "Ivan Coric" <[EMAIL PROTECTED]>
  • Date: Thu, 07 Aug 2003 09:24:34 +1000
.
 
Hi Lee,
ngsniff from     http://www.ngsec.com/ngresearch/ngtools/
no drivers required.

cheers


Ivan Coric
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: [EMAIL PROTECTED]

>>> "Lee Evans" <[EMAIL PROTECTED]> 08/06/03 08:50pm >>>
Hi All,

I have found an executable called secure.dcom.exe when looking around a
customers server. They hadnt patched the server above SP4 and I assume it
has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has
been installed, but im still looking into it to see if I can spot anything
else. Netstat shows a bunch of outgoing connections to 6667 -
irc.homelien.no. Unfortunately there are no IDS or other systems on this
network segment I can use, so im looking for someway to capture this traffic
and hopefully track down some more details on the irc traffic - if anyone
can recommend a good (preferably free) traffic sniffer I can quickly install
on the host locally (win2k sp4) to decode the IRC traffic I would be
grateful.

The exe is available from http://www.leeevans.org/secure.dcom.exe - if
anyone wants a look. I'd be interested to know more about it, if anyone has
come across it before or can find out.

Regards
Lee
-- 
Lee Evans


---------------------------------------------------------------------------
----------------------------------------------------------------------------







***************************************************************************
Messages included in this e-mail and any of its attachments are those
of the author unless specifically stated to represent WorkCover Queensland. The contents of this message are to be used for the intended purpose only and are to be kept confidential at all times.
This message may contain privileged information directed only to the intended addressee/s. Accidental receipt of this information should be deleted promptly and the sender notified.
This e-mail has been scanned by Sophos for known viruses.
However, no warranty nor liability is implied in this respect.
**********************************************************************


---------------------------------------------------------------------------
----------------------------------------------------------------------------
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.