[Dshield] Continued Sighting of Download.Ject

Johannes B. Ullrich jullrich at euclidian.com
Mon Jun 28 10:55:22 GMT 2004


> If I understand correctly what I've read till now the actual IIS-Exploit that 
> makes it possible to place JSs is still not clear! MS04-11 only fixes the 
> known issues, but there seems to be some evidence that there is a 0-day 
> exploit for something else that was used.

According to Microsoft, there is no evidence of a 0-day exploit,
and they say all machines they looked at were not fully patched
(or not rebooted after the patch).

iDefense on the other hand claims that they did see systems that
were fully patched.

In my opinion, these servers have likely been compromised a while
ago, and got 'stashed away' for their big day.

Remember, that for example the SSL-PCT exploit was available to
the public at large within less than 2 weeks after the patch
was released. It is likely that it took admins longer than that
to patch, in particular as the first version of MS04-011 crashed
some servers. 

If you patch a server, it's always a good idea to do a thorough
check to verify that the server hasn't already been compromised.
Having a host-based intrusion detection tool like Tripwire 
installed can be very helpful in this case. 


-- 
----------------------------------------------------------------
Visiting SANSFIRE?? Stop by at IPNet and say Hi ;-)
http://www.sans.org/sansfire2004
----------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
contact: http://johannes.homepc.org/contact.htm
----------------------------------------------------------------
