[unisog] Windows Command Prompt in the clear in the network?

Gary Dobbins dobbins at nd.edu
Wed Oct 11 21:10:05 GMT 2006


The RCMD utility *may* produce traffic with that banner (depends on 
how the RPC is marshalled) - it was included in Windows Resource Kits 
years ago.  Used DCOM/RPC to remote a command shell.

   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies


Glenn Forbes Fleming Larratt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Folks,
> 
> Honeypot and honeynet issues aside:
> 
>    - is the presence in the clear of a Windows Command Prompt, from a high
>      TCP source port to a high destination port, *ever*
>      legitimate/normal/to be expected in the Windows world?
> 
>    - if not, is that presence *always* indicative of compromise, or at least
>      of a vulnerability having been exploited?
> 
> We have noted a 1-to-1 correspondence so far between compromised machines
> in our network and a Command Prompt banner
> 
>      Microsoft Windows {XP,2000}...
> 
> or
> 
>      Microsoft(R) Windows NT...
> 
> appearing in the sample payload of our network flow recorder (QRadar).
> 
> Please reply to me, I will summarize to the list.
> 
> Thanks,
> - --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
> 
> iD8DBQFFLVp2Lyw7nZwiKgQRAiGpAJ0bN59ES9Dbtr4BrR4zaaH/x17RDgCffmF7
> yhOlmTQEKSvRAWrPEtb0Bro=
> =vnyQ
> -----END PGP SIGNATURE-----
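The question above is really a detection heuristic: a cmd.exe banner in the sampled payload of a flow between two high TCP ports. As an added example (not code from the thread, from QRadar, or from either poster), the Python below runs that heuristic over a few constructed flow records: it matches the two banner forms Glenn quotes, looks for a DOS-style prompt after them, and tags only high-port-to-high-port flows as suspect, leaving banners on service ports for review. The 1024 port threshold, the regexes and every sample address, port and payload are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Banner text cmd.exe writes when a shell starts. The alternatives cover the
# "Microsoft Windows {XP,2000}..." and "Microsoft(R) Windows NT..." forms
# named in the thread. Constructed regex, not a QRadar rule.
BANNER_RE = re.compile(
    rb"Microsoft(?:\(R\))? Windows (?:XP|2000|NT)[^\r\n]*"
    rb"(?:\r?\n\(C\) Copyright[^\r\n]*)?"
)

# A DOS-style prompt ("C:\WINDOWS\system32>") after the banner raises
# confidence that the bytes are an interactive shell rather than a web page
# or e-mail that merely mentions Windows.
PROMPT_RE = re.compile(rb"[A-Za-z]:\\[^\r\n>]*>")

EPHEMERAL_MIN = 1024  # assumption: anything at or above this is a "high" port


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # first bytes of the stream, as a flow recorder samples them


def is_high_to_high(flow: Flow) -> bool:
    """True when neither end is a well-known service port."""
    return flow.src_port >= EPHEMERAL_MIN and flow.dst_port >= EPHEMERAL_MIN


def find_banner(payload: bytes):
    """Return the matched banner text, or None if the sample has none."""
    m = BANNER_RE.search(payload)
    return m.group(0).decode("latin-1", "replace") if m else None


def classify(flow: Flow) -> str:
    """Verdict for one flow: 'clean', 'review' or 'suspect'."""
    if find_banner(flow.payload) is None:
        return "clean"
    has_prompt = PROMPT_RE.search(flow.payload) is not None
    if is_high_to_high(flow) and has_prompt:
        # Shell banner plus prompt, in the clear, between two ephemeral ports:
        # the pattern the thread saw 1-to-1 with compromised hosts.
        return "suspect"
    # Banner on a service port (telnet-style admin service?) or without a
    # prompt in the sample: worth a look, but not the high-to-high signature.
    return "review"


def summarize(flows):
    """Count verdicts so a summary can go back to the list."""
    counts = {"clean": 0, "review": 0, "suspect": 0}
    for flow in flows:
        counts[classify(flow)] += 1
    return counts


# Constructed sample flows (addresses, ports and payloads are made up).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 4455, "192.0.2.9", 31337,
         b"Microsoft Windows XP [Version 5.1.2600]\r\n"
         b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"),
    Flow("10.0.0.7", 1040, "10.0.0.8", 23,
         b"Microsoft(R) Windows NT(TM)\r\n"
         b"(C) Copyright 1985-1996 Microsoft Corp.\r\n\r\nC:\\>"),
    Flow("10.0.0.9", 55000, "192.0.2.10", 443, b"\x16\x03\x01\x00\x8a\x01\x00"),
    Flow("10.0.0.11", 3000, "10.0.0.12", 8080,
         b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; "
         b"Windows NT 5.1)\r\n\r\n"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}: "
              f"{classify(flow)}")
    print(summarize(SAMPLE_FLOWS))
```

The prompt check is what keeps a browser User-Agent string or a pasted transcript of a command window from tripping the rule; in a real deployment the remaining "review" hits (banner on a service port, or a banner without a prompt in the sampled bytes) are the ones to cross-check against the asset inventory for a legitimate remote-shell tool such as the RCMD utility Gary mentions.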

