moomba's blog

Thank You Firefox for letting me know of Adobe's vulnerable Flash

I upgraded Firefox and it let me know Adobe Flash needed to be updated. Very cool. Thanks, Firefox.


Removing a Bad Windows Dll that is used by many processes

So I found this bad okajocetuwe.dll (Windows Essentials says it's a Trojan:Win32/Hiloti.gen!D) on a remote machine, so I started the removal process. For one thing, the dll was used by almost every process running on the box. Take a look. I used psexec, wmic, tasklist, and taskkill for this exercise.

psexec \\ipaddress cmd.exe

C:\WINDOWS\system32>tasklist /m okaj*

Image Name PID Modules
========================= ====== ==================
explorer.exe 1656 okajocetuwe.dll
Apoint.exe 1380 okajocetuwe.dll

Quick Windows Script to get IP addresses from known computer names

1.  Create a file named computernames.txt and place your computer names in that file.

2.  Create a file named findips.bat in the same directory as computernames.txt, paste the highlighted contents below into that file, and save it.

Since there is no awk for Windows I decided to use PowerShell, so the PowerShell command acts as my awk equivalent for Windows.
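The same lookup written directly in PowerShell, as an added example (this is not the blog's findips.bat, which is not reproduced here). It assumes computernames.txt is in the current directory with one name per line, resolves each name through the system resolver, and keeps unresolved hosts in the output instead of dropping them:

```powershell
# Added example (not the blog's findips.bat): resolve each computer name in
# computernames.txt to its IPv4 address(es) and write a CSV next to the input.
# Assumes computernames.txt is in the current directory, one name per line.
$names = Get-Content -Path '.\computernames.txt' | Where-Object { $_.Trim() -ne '' }

$results = foreach ($name in $names) {
    $host = $name.Trim()
    try {
        # Resolve via the system resolver and keep only IPv4 so the output
        # matches what nslookup/ping would show for the same name.
        $ips = [System.Net.Dns]::GetHostAddresses($host) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
        [pscustomobject]@{ ComputerName = $host; IPAddress = ($ips -join ',') }
    } catch {
        # A name that does not resolve is worth knowing about (stale record,
        # decommissioned host), so report it rather than silently skipping it.
        [pscustomobject]@{ ComputerName = $host; IPAddress = 'UNRESOLVED' }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path '.\computerips.csv' -NoTypeInformation
```

Save it as findips.ps1 and run it from the directory holding computernames.txt; the CSV gives you the name-to-IP mapping in a form you can diff against the next run.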

SANS 560 Index is now Viewable - Sorry I had permissions issues.

Please click the following link in order to get the SANS 560 Index.

What is this - not operating SSL?

Unless I am misunderstanding how Flash works when taking in credit card information from a site, it sure does appear that this one is taking credit cards in an unsecured fashion. Can someone please explain this?

How to change Terminal Services Port Via the Command line

Say we want to make Terminal Services listen on port 2222.

Use a decimal-to-hex converter to work out your chosen port in hex. I am using 2222; the hexadecimal value for 2222 is 8ae.

You can also drop into PowerShell and use the Convert class at the prompt by typing

>[Convert]::ToString(2222, 16)

This will display 8ae.
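The whole change done from PowerShell, as an added example (the blog's own remaining steps are not shown on this page, and this is my approach rather than the author's). It assumes an elevated prompt; the registry key and PortNumber value are the ones Windows uses for the RDP-Tcp listener, and the firewall cmdlet exists only on Windows 8 / Server 2012 and later:

```powershell
# Added example (not the blog's steps): change the Terminal Services (RDP)
# listener port from an elevated PowerShell prompt. The key and value name are
# the standard RDP-Tcp listener settings; the change takes effect after the
# Remote Desktop service (or the host) restarts.
param([int]$NewPort = 2222)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# The blog converts the port to hex because regedit displays DWORDs in hex.
# PowerShell writes the decimal value directly, so the hex here is display only.
$hex = [Convert]::ToString($NewPort, 16)   # 2222 -> "8ae"

$current = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
"Current RDP port: $current (0x{0:x})" -f $current
"New RDP port:     $NewPort (0x$hex)"

Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# The built-in Remote Desktop firewall rule only allows 3389. Without a rule for
# the new port the host firewall blocks every client after the restart.
# New-NetFirewallRule requires Windows 8 / Server 2012 or later.
New-NetFirewallRule -DisplayName "RDP on port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null

"Restart the Remote Desktop service (or reboot) for port $NewPort to take effect."
```

Moving the port does not make RDP safer on its own; keep network-level authentication and strong credentials in place, and update any monitoring that keys on 3389 so the new listener does not disappear from your own logs.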

How to find strange Windows executables running via WMIC

C:\>wmic PROCESS GET ExecutablePath, CommandLine, ProcessId, ParentProcessId

If you leave off everything after PROCESS you can see all of the searchable options: > wmic PROCESS | more  or
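A PowerShell version of the same triage, as an added example that is not part of the blog: it combines the tasklist /m search from the okajocetuwe.dll post above with the wmic process listing here. It assumes the module pattern is passed in (the default mirrors the post's okaj*) and that binaries normally live under the Windows and Program Files directories; any process running from elsewhere is flagged for a closer look:

```powershell
# Added example (not the blog's commands): triage running processes on a Windows
# host. Lists every process that has a module matching a pattern loaded (the
# PowerShell equivalent of "tasklist /m okaj*") and flags processes whose
# executable lives outside the usual system/program directories.
param([string]$ModulePattern = 'okaj*')

# 1. Which processes have the suspicious module loaded? Reading Modules fails
#    for protected processes and for 64-bit targets from a 32-bit shell, so
#    those are skipped rather than aborting the sweep.
$withModule = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }
    if ($mods | Where-Object { $_.ModuleName -like $ModulePattern }) {
        $p | Select-Object Id, ProcessName, Path
    }
}

# 2. Full process list with parent and command line, like the wmic query.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

# 3. Directories where legitimate binaries are expected (assumption; adjust for
#    your environment). Empty variables, e.g. ProgramFiles(x86) on 32-bit, are dropped.
$expected = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$unusual = $procs | Where-Object {
    $path = $_.ExecutablePath
    $path -and -not ($expected | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
}

"Processes with a module matching '$ModulePattern' loaded:"
$withModule | Format-Table -AutoSize

"Processes running from outside the expected directories:"
$unusual | Format-Table ProcessId, ParentProcessId, ExecutablePath, CommandLine -AutoSize
```

Run it elevated so Modules and ExecutablePath are readable for system processes; the flagged list is the starting point, and the ParentProcessId column tells you what launched each oddity before anything gets killed.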

Dr. Eric Cole will be presenting July 20th at the ITC building in Charlotte for Charlotte ISSA

Dr. Eric Cole, Ryan Linn, and JP Dunning are scheduled to speak on July 20th at the ITC building (200 N. College, Charlotte, 28202). This will be a half-day event starting at 9:00am and going a little past lunch.

For more information check out the Charlotte ISSA site here

Myrtle Beach Techno Security Conference is free to Charlotte ISSA members

For those Charlotte ISSA members that attended the 2010 ISSA Summit in April, remember that the Myrtle Beach Techno Security Conference is free. This is a $1495 value for free. I am going to try to go but I do not think my schedule will permit. The dates for this event are June 6th to the 9th. You can register for the event by emailing the following:

Contact us at
or call 719-488-4500.

Download the registration form at

TFTP script for PIX firewalls to a Linux box

Yeah, I hate to say it, but we are TFTPing our backup configs to a TFTP server even though we use ssh to log into that server. Sometimes I just hate the Cisco IOS, or maybe I am too stupid to figure out how to scp these suckers from there. Anyhow, if anyone is still TFTPing, here is a basic script to touch the file so you can write it to the server. Probably just need to update the IOS. :)