Government Security
Network Security Resources


Metasploit Question: Files Found On Network Host


#1 Jasta53


Posted 01 August 2012 - 05:02 AM

Hi all,

I'm hoping I can get some feedback from anyone who is more familiar with Metasploit than I am. Our endpoint protection flagged the following yesterday on one of our machines:

User: NT AUTHORITY\SYSTEM
Scan: Scan Schedule
Machine: LT0591

File "C:\Documents and Settings\Administrator\Application Data\msf3\data\meterpreter\ext_server_stdapi.dll"


I am trying to determine whether the above indicates that someone tried to install the Metasploit framework on the system, or whether this is the result of a successful exploit against that box.

Thanks much for any input.

J

#2 Jasta53


Posted 01 August 2012 - 01:07 PM

I'll close this after more research. The answer was that the Meterpreter payload on a compromised host only lives in memory and doesn't write to the target drive. The above was the result of an install of an older version of Metasploit on that machine, and the AV picked up that .dll because of a new sig addition to the .dat. The framework had been uninstalled, but this .dll was left behind and finally triggered the AV following a new .dat release.

J




