Re: Secure.dcom.exe

From: Ivan Coric (ivan.coric_at_workcoverqld.com.au)
Date: 08/08/03

  • Next message: Eric Hines: "Re: Secure.dcom.exe"
    Date: Fri, 08 Aug 2003 09:13:56 +1000
    To: <lee@leeevans.org>, <talisker@networkintrusion.co.uk>, <incidents@securityfocus.com>, <ivan.coric@workcoverqld.com.au>
    
    

    Hi Andy,
    I should also explain that, in the context of the question asked, installing Ethereal + WinPcap (maybe a reboot, etc.), or alternatively dropping a small exe on the box and then capturing some traffic, would seem like a better idea.

    Regards

    Ivan Coric
    IT Technical Security Officer
    Information Technology
    WorkCover Queensland
    Ph: (07) 30066414 Fax: (07) 30066424
    Email: ivan.coric@workcoverqld.com.au

    >>> offthecuff@lineone.net 08/07/03 09:39pm >>>
    Hi Ivan
    I'm interested in why you see ngsniff as a better alternative to Ethereal,
    other than its comparatively tiny size and not requiring WinPcap?

    I feel the strength of Ethereal is its awareness of so many different
    protocols; its GUI is fairly slick now and the TCP stream reassembly is
    sweet.

    thoughts??

    take care
    -andy
    Taliskers Network Security Tools
    http://www.networkintrusion.co.uk
    ----- Original Message -----
    From: "Ivan Coric" <ivan.coric@workcoverqld.com.au>
    To: <lee@leeevans.org>; <incidents@securityfocus.com>
    Sent: Thursday, August 07, 2003 1:29 AM
    Subject: RE: Secure.dcom.exe

    Lee,
    To run Ethereal on Win32 you need to install WinPcap as well; ngsniff is a
    better alternative.

    cheers

    Ivan Coric
    IT Technical Security Officer
    Information Technology
    WorkCover Queensland
    Ph: (07) 30066414 Fax: (07) 30066424
    Email: ivan.coric@workcoverqld.com.au

    >>> "Lee Evans" <lee@leeevans.org> 08/07/03 09:38am >>>
    Hi,

    Thanks to all who have replied - I wasn't aware Ethereal was available
    as a Win32 build - that will do perfectly.

    Regards
    Lee

    -- 
    Lee Evans
    > -----Original Message-----
    > From: rocky_scotti@na.dole.com [mailto:rocky_scotti@na.dole.com] 
    > Sent: 07 August 2003 00:34
    > To: Lee Evans
    > Subject: Re: Secure.dcom.exe
    >
    >
    > Hi Lee,
    >
    > This one is great and it's free...
    >
    > http://www.ethereal.com/ 
    >
    > Let us know what you find... I'm interested.
    >
    > Rocky
    >
    > "Lee Evans" <lee@leeevans.org>
    > To: <incidents@securityfocus.com>
    > cc:
    > Subject: Secure.dcom.exe
    > 08/06/2003 03:50 AM
    >
    > Hi All,
    >
    > I have found an executable called secure.dcom.exe when
    > looking around a customer's server. They hadn't patched the
    > server above SP4 and I assume it has been exploited using the
    > RPC DCOM vulnerability. A Serv-U FTP server has been
    > installed, but I'm still looking into it to see if I can spot
    > anything else. Netstat shows a bunch of outgoing connections
    > to 6667 - irc.homelien.no. Unfortunately there are no IDS or
    > other systems on this network segment I can use, so I'm
    > looking for some way to capture this traffic and hopefully
    > track down some more details on the IRC traffic - if anyone
    > can recommend a good (preferably free) traffic sniffer I can
    > quickly install on the host locally (Win2k SP4) to decode the
    > IRC traffic I would be grateful.
    >
    > The exe is available from
    > http://www.leeevans.org/secure.dcom.exe - if anyone wants a
    > look. I'd be interested to know more about it, if anyone has
    > come across it before or can find out.
    >
    > Regards
    > Lee
    > --
    > Lee Evans
    >
    ***************************************************************************
    Messages included in this e-mail and any of its attachments are those
    of the author unless specifically stated to represent WorkCover Queensland.
    The contents of this message are to be used for the intended purpose only
    and are to be kept confidential at all times.
    This message may contain privileged information directed only to the
    intended addressee/s. Accidental receipt of this information should be
    deleted promptly and the sender notified.
    This e-mail has been scanned by Sophos for known viruses.
    However, no warranty nor liability is implied in this respect.
    **********************************************************************
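Whichever sniffer goes on the box, the question Lee actually wants answered is what the bot says to irc.homelien.no once the packets are saved. The following is an added example written for this page, not code from any poster or from Ethereal/ngsniff: it reads a classic pcap file (the format Ethereal writes) with only the Python standard library, reassembles each direction of every TCP flow touching port 6667 in capture order, splits out CRLF-terminated IRC lines, and pulls the nick, ident, joined channels and PRIVMSG chatter an incident responder looks for first. The capture it parses is constructed inline; the addresses 192.168.1.10 and 10.0.0.5, the nick [XP]-12345, the channel #test and the hostnames ending in .invalid are placeholders, not observations of the real secure.dcom.exe. It assumes in-order delivery without retransmissions, which is fine for a local capture of a live bot but not for a lossy span port.

```python
"""Decode IRC (port 6667) out of a pcap with only the standard library."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

IRC_PORT = 6667
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


# ---- constructed sample capture, so the example runs offline -----------------
def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zeroed checksums (the parser never checks them)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Little-endian classic pcap, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1060000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


BOT, SERVER = ("192.168.1.10", 1045), ("10.0.0.5", IRC_PORT)  # placeholder addresses
SAMPLE_PCAP = build_pcap([
    build_frame(*BOT, *SERVER, b"NICK [XP]-12345\r\nUSER xyz 0 0 :xyz\r\n"),
    build_frame(*SERVER, *BOT, b"PING :irc.example.invalid\r\n"),
    build_frame(*BOT, *SERVER, b"PONG :irc.example.invalid\r\nJOIN #test bot"),  # JOIN split
    build_frame(*BOT, *SERVER, b"key\r\n"),                                       # across segments
    build_frame(*SERVER, *BOT, b":[XP]-12345!xyz@192.168.1.10 JOIN :#test\r\n"),
    build_frame(*SERVER, *BOT, b":op!o@h.invalid PRIVMSG #test :status please\r\n"),
])


# ---- pcap / TCP parsing -------------------------------------------------------
def iter_pcap(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame; handles both byte orders of the classic magic."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def tcp_segment(frame: bytes) -> Optional[Tuple[Flow, bytes]]:
    """Return (flow, payload) for an IPv4/TCP frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return (src, sport, dst, dport), tcp[doff:]


# ---- IRC decoding -------------------------------------------------------------
def parse_irc_line(line: str) -> Tuple[str, str, List[str]]:
    """RFC 1459 framing: [':' prefix SP] command params [' :' trailing]."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    line, sep, trailing = line.partition(" :")
    parts = line.split()
    params = parts[1:] + ([trailing] if sep else [])
    return prefix, (parts[0].upper() if parts else ""), params


def extract_irc(pcap: bytes, port: int = IRC_PORT) -> List[Dict[str, object]]:
    """Per-direction reassembly in capture order (assumes no loss/reordering)."""
    buffers: Dict[Flow, bytes] = {}
    messages: List[Dict[str, object]] = []
    for frame in iter_pcap(pcap):
        seg = tcp_segment(frame)
        if seg is None or port not in (seg[0][1], seg[0][3]) or not seg[1]:
            continue
        flow, payload = seg
        buf = buffers.get(flow, b"") + payload
        while b"\r\n" in buf:                      # emit only complete lines
            raw, buf = buf.split(b"\r\n", 1)
            prefix, command, params = parse_irc_line(raw.decode("utf-8", "replace"))
            messages.append({"direction": "to_server" if flow[3] == port else "from_server",
                             "prefix": prefix, "command": command, "params": params})
        buffers[flow] = buf                        # keep the partial tail for the next segment
    return messages


def summarize(messages: List[Dict[str, object]]) -> Dict[str, object]:
    """What the bot called itself, where it went, and what it heard there."""
    s: Dict[str, object] = {"nick": None, "user": None, "channels": [], "chatter": []}
    for m in messages:
        cmd, params = m["command"], m["params"]
        if m["direction"] == "to_server" and params:
            if cmd == "NICK":
                s["nick"] = params[0]
            elif cmd == "USER":
                s["user"] = params[0]
            elif cmd == "JOIN":
                s["channels"].extend(params[0].split(","))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            s["chatter"].append((m["prefix"].split("!")[0], params[0], params[1]))
    return s


if __name__ == "__main__":
    msgs = extract_irc(SAMPLE_PCAP)
    for m in msgs:
        print(m["direction"], m["command"], m["params"])
    print(summarize(msgs))
```

To use it on a real capture, replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()`; the decoder keys only on port 6667, so a bot on a non-standard port needs the `port` argument changed, and a channel key or bot-master password will show up as a JOIN or PRIVMSG parameter exactly as it went over the wire.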
    

