[Dshield] WMF - Signs of compromise

Tom dshield at oitc.com
Tue Jan 3 18:22:50 GMT 2006

At least the one I looked at starts up IEXPLORER.EXE upon startup.


At 4:57 AM -0500 1/3/06, David Taylor wrote:
>Since evil doers can insert code of choice into these files to compromise
>your system does anyone know if exploiting the actual vulnerability leaves
>some kind of evidence behind?  Such as eventlog entries, specific dump
>files, etc?
>I think it would be a moot venture to try and let our users know what to
>look for as far as backdoors, keyloggers and the like but it would be nice
>if there was a specific thing we could tell them to look for.
>David Taylor //Sr. Information Security Specialist
>University of Pennsylvania Information Security
>Philadelphia PA USA
>(215) 898-1236


Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html

PGP Public Keys available at:
PGP's Key Server: ldap://keyserver.pgp.com/
OITC's Public Key List: http://www.oitc.com/OITC/PGPKeys.html
14A7 A308 266A 3646 FBA8  9A86 E139 F108 B1BE 37BD
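The reply above reports one concrete sign: the sample Tom looked at registers IEXPLORER.EXE to run at startup. The script below is an added example (not code from the list or from either poster) that turns that observation into a check a helpdesk could hand to users or run themselves: export the usual autostart keys with `reg export` (for instance `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`), then scan the export for any entry whose launched executable is named `iexplorer.exe`. It assumes the Run/RunOnce keys are where the entry lives (the post does not say) and that the reported name is exactly IEXPLORER.EXE; the legitimate Internet Explorer binary is `iexplore.exe`, so a near-miss spelling at startup is worth a look on its own. The sample .reg text in the block is constructed for the demonstration.

```python
"""Scan a Windows .reg export of the Run/RunOnce autostart keys for an
entry that launches IEXPLORER.EXE at logon (the startup sign reported in
the thread). Added example; the paths and entries below are constructed."""
import re
import sys
from pathlib import Path

# .reg lines look like  [HKEY_...\Run]  and  "Name"="C:\\path\\file.exe args"
_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

# Executable names to flag. IEXPLORER.EXE is the name seen in the thread;
# the real Internet Explorer binary is iexplore.exe (no trailing "r").
SUSPICIOUS_NAMES = {"iexplorer.exe"}

# Constructed sample export: one benign entry per hive plus one hit.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Update"="\"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\IEXPLORER.EXE\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe /tray"
'''


def executable_name(command):
    """Return the lower-cased file name of the program a Run value launches.
    Handles quoted paths, and unquoted paths containing spaces by cutting
    at the first '.exe' that ends a token."""
    cmd = command.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r'^(.*?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg_export(text):
    """Return (key, value_name, command) tuples for every string value,
    undoing the .reg escaping of backslashes and quotes."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            data = re.sub(r'\\(["\\])', r'\1', m.group("data"))
            entries.append((current_key, m.group("name"), data))
    return entries


def find_suspicious(text):
    """Entries whose launched executable is one of SUSPICIOUS_NAMES."""
    return [e for e in parse_reg_export(text)
            if executable_name(e[2]) in SUSPICIOUS_NAMES]


def read_reg_file(path):
    # reg.exe writes UTF-16LE with a BOM; fall back to UTF-8 otherwise.
    raw = Path(path).read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    text = read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    hits = find_suspicious(text)
    for key, name, cmd in hits:
        print(f"SUSPICIOUS autostart: [{key}] {name!r} -> {cmd}")
    print(f"{len(hits)} suspicious entr{'y' if len(hits) == 1 else 'ies'} found")
```

Run it with no argument to see it flag the constructed "Windows Update" entry, or pass a real `run.reg` export. The `.exe`-boundary rule in `executable_name` is what keeps an unquoted `C:\Program Files\...\SMax4.exe /tray` from being misread as a program called `C:\Program`.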
