[Dshield] WMF - Signs of compromise

Fielder, Wayne (CPE) Wayne.Fielder at ky.gov
Tue Jan 3 13:26:03 GMT 2006


My guess is it really depends on what is being executed in the shellcode.
I'm certain there are hundreds of variants out there or in the works by now,
but if they follow the same pattern that FRSirt released the other day then
it's all about the shell, baby.

I didn't find this interesting in a "Hey! There's a train wreck!" kind of
way....

http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David Taylor
Sent: Tuesday, January 03, 2006 4:58 AM
To: General DShield Discussion List
Subject: [Dshield] WMF - Signs of compromise

Since evildoers can insert code of choice into these files to compromise
your system, does anyone know if exploiting the actual vulnerability leaves
some kind of evidence behind? Such as event log entries, specific dump
files, etc.?

I think it would be a moot venture to try and let our users know what to
look for as far as backdoors, keyloggers and the like but it would be nice
if there was a specific thing we could tell them to look for.


==================================================
David Taylor //Sr. Information Security Specialist University of
Pennsylvania Information Security Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 
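David's question is about traces left on the host; a complementary check is to look at the WMF files themselves. The following is an added example, not code from either poster: it walks the WMF record list and flags META_ESCAPE records whose sub-function is SETABORTPROC, on the assumption that this is the escape the WMF flaw in the thread relies on. The format constants come from the WMF specification, and the two sample files are constructed inline.

```python
import struct

# Constants from the WMF format (assumed correct; not from the list post).
PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header signature
META_ESCAPE = 0x0626          # META_ESCAPE record function
META_EOF = 0x0000
SETABORTPROC = 0x0009         # Escape sub-function abused by the WMF flaw (assumed)

def iter_wmf_records(data):
    """Yield (function, params) for each record in a WMF byte string."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # normally 9
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # malformed size: stop rather than loop forever
            raise ValueError("malformed record size at offset %d" % off)
        params = data[off + 6:off + size_words * 2]
        yield func, params
        if func == META_EOF:
            break
        off += size_words * 2

def find_setabortproc(data):
    """Return indices of META_ESCAPE records whose sub-function is SETABORTPROC."""
    hits = []
    for idx, (func, params) in enumerate(iter_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(idx)
    return hits

def build_wmf(records):
    """Constructed test helper: wrap (function, params) pairs in a minimal WMF."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    max_rec = max(3 + len(p) // 2 for _, p in records) if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_rec, 0)
    return header + body

# Constructed samples: a benign file and one carrying the abort-proc escape.
BENIGN_WMF = build_wmf([(0x0103, struct.pack("<H", 8))])  # META_SETMAPMODE
SUSPECT_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, find_setabortproc(blob))
```

Files with a placeable (Aldus) header are handled by skipping its 22 bytes; a record that declares an impossible size stops the walk instead of spinning.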


