Secure.dcom.exe
From: Lee Evans (lee_at_leeevans.org)
Date: 08/06/03
- Previous message: Pete Phillips: "Re: WORM_MIMAIL.A Anyone have any info on what this does yet?"
- Next in thread: Schmehl, Paul L: "RE: Secure.dcom.exe"
- Maybe reply: Schmehl, Paul L: "RE: Secure.dcom.exe"
- Maybe reply: Lee Evans: "RE: Secure.dcom.exe"
- Maybe reply: GMHoward: "FW: Secure.dcom.exe"
- Reply: De Doncker, Steve: "RE: Secure.dcom.exe"
- Maybe reply: Ivan Coric: "Re: Secure.dcom.exe"
- Reply: Javier Liendo: "Re: Secure.dcom.exe"
- Maybe reply: Ivan Coric: "RE: Secure.dcom.exe"
- Maybe reply: Harlan Carvey: "Re: Secure.dcom.exe"
- Reply: Sorin Victor DUDEA: "Re: Secure.dcom.exe"
- Maybe reply: Ivan Coric: "Re: Secure.dcom.exe"
- Maybe reply: Ivan Coric: "Re: Secure.dcom.exe"
- Maybe reply: Eric Hines: "Re: Secure.dcom.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com> Date: Wed, 6 Aug 2003 11:50:13 +0100
Hi All,
I have found an executable called secure.dcom.exe when looking around a customer's server. They hadn't patched the server above SP4 and I assume it has been exploited using the RPC DCOM vulnerability. A Serv-U FTP server has been installed, but I'm still looking into it to see if I can spot anything else. Netstat shows a bunch of outgoing connections to 6667 - irc.homelien.no. Unfortunately there are no IDS or other systems on this network segment I can use, so I'm looking for some way to capture this traffic and hopefully track down some more details on the IRC traffic - if anyone can recommend a good (preferably free) traffic sniffer I can quickly install on the host locally (win2k sp4) to decode the IRC traffic I would be grateful.
The exe is available from http://www.leeevans.org/secure.dcom.exe - if anyone wants a look. I'd be interested to know more about it, if anyone has come across it before or can find out.
Regards
Lee
-- Lee Evans
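The post describes two triage steps a responder takes on a host like this one: read `netstat -an` for outbound connections to the IRC port, and decode whatever IRC traffic a sniffer then captures. The script below is an added example written for this archive page; it is not code from the original post or from the poster. It parses a constructed sample of Windows `netstat -an` output to flag TCP connections whose foreign endpoint is on an IRC port, and parses constructed IRC protocol lines (RFC 1459 framing: optional `:prefix`, command, parameters, trailing `:text`) into a short summary of nicks, channels and messages. The IRC port set, the IP addresses and the IRC lines are all assumptions made up for the example; the only page value reused is port 6667.

```python
"""Added example: flag outbound IRC connections in `netstat -an` output and
summarize captured IRC protocol lines. All sample data below is constructed
for this example; nothing here came from the compromised host in the post."""
import re
from typing import Dict, List, Optional, Tuple

# Default IRC ports (assumption for this example; 6667 is the one the post names).
IRC_PORTS = {6667, 6668, 6669, 7000}

# Constructed sample of Windows `netstat -an` output (placeholder addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1044        198.51.100.7:6667      SYN_SENT
  TCP    192.0.2.10:1050        203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample of IRC lines as a sniffer would show them (client and server).
SAMPLE_IRC = """NICK bot1234
USER bot 0 * :bot
:irc.example.test 001 bot1234 :Welcome
JOIN #example
:controller!c@host PRIVMSG #example :.status
PRIVMSG #example :bot1234 online"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")
# One IRC message: optional ":prefix", command, then the rest of the line.
IRC_LINE_RE = re.compile(r"^(?::(\S+)\s+)?(\S+)(?:\s+(.*))?$")


def suspicious_connections(netstat_text: str, ports=IRC_PORTS) -> List[Dict[str, str]]:
    """Return TCP connections whose foreign endpoint uses one of `ports`."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, laddr, lport, faddr, fport, state = m.groups()
        if proto != "TCP" or not fport.isdigit() or int(fport) not in ports:
            continue
        hits.append({"local": f"{laddr}:{lport}", "remote": f"{faddr}:{fport}",
                     "state": state or ""})
    return hits


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split an IRC line into (prefix, COMMAND, params); trailing ':text' is one param."""
    line = line.rstrip("\r\n")
    m = IRC_LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an IRC line: {line!r}")
    prefix, command, rest = m.groups()
    params: List[str] = []
    if rest:
        if rest.startswith(":"):
            params.append(rest[1:])
        else:
            middle, sep, trailing = rest.partition(" :")
            params.extend(middle.split())
            if sep:
                params.append(trailing)
    return prefix, command.upper(), params


def summarize_irc(lines) -> Dict[str, List[str]]:
    """Collect the nicks used, channels joined and PRIVMSG traffic from IRC lines."""
    summary: Dict[str, List[str]] = {"nicks": [], "channels": [], "messages": []}
    for line in lines:
        if not line.strip():
            continue
        prefix, cmd, params = parse_irc_line(line)
        if cmd == "NICK" and params:
            summary["nicks"].append(params[0])
        elif cmd == "JOIN" and params:
            summary["channels"].extend(params[0].split(","))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            # Lines without a prefix were sent by the monitored host itself.
            sender = prefix.split("!")[0] if prefix else "<local>"
            summary["messages"].append(f"{sender} -> {params[0]}: {params[1]}")
    return summary


if __name__ == "__main__":
    for hit in suspicious_connections(SAMPLE_NETSTAT):
        print("IRC-port connection:", hit)
    for key, values in summarize_irc(SAMPLE_IRC.splitlines()).items():
        print(f"{key}: {values}")
```

On a real host, `netstat -an` output can be redirected to a file and passed to `suspicious_connections`, and the payload of a captured TCP stream to port 6667 can be fed line by line to `summarize_irc`; the parser deliberately treats lines without a `:prefix` as sent by the monitored machine, which is what distinguishes the bot's own commands from the server's and controller's messages.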