[Dshield] WMF - Signs of compromise

Tom dshield at oitc.com
Tue Jan 3 18:22:50 GMT 2006


At least the one I looked at starts up IEXPLORER.EXE upon startup.

Tom

At 4:57 AM -0500 1/3/06, David Taylor wrote:
>Since evildoers can insert code of choice into these files to compromise
>your system, does anyone know if exploiting the actual vulnerability leaves
>some kind of evidence behind?  Such as eventlog entries, specific dump
>files, etc.?
>
>I think it would be a moot venture to try and let our users know what to
>look for as far as backdoors, keyloggers and the like, but it would be nice
>if there was a specific thing we could tell them to look for.
>
>
>==================================================
>David Taylor //Sr. Information Security Specialist
>University of Pennsylvania Information Security
>Philadelphia PA USA
>(215) 898-1236
>http://www.upenn.edu/computing/security/
>==================================================


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
http://www.oitc.com/Antarctica/

PGP Public Keys available at:
PGP's Key Server: ldap://keyserver.pgp.com/
OITC's Public Key List: http://www.oitc.com/OITC/PGPKeys.html
14A7 A308 266A 3646 FBA8  9A86 E139 F108 B1BE 37BD
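As an added, read-only check that is not part of the thread: the autostart sweep Tom's observation suggests, enumerating the Run/RunOnce keys and the Startup folders and flagging anything that launches IEXPLORER.EXE. The legitimate Internet Explorer binary is named iexplore.exe, so the name alone is worth a look; the match pattern and the choice of locations are assumptions.

```powershell
# Added example (not from the thread): list autostart entries that reference IEXPLORER.EXE.
# The real Internet Explorer binary is iexplore.exe; "iexplorer.exe" is not a Windows file name.
# Nothing is modified or deleted; the script only reports what it finds.
$pattern = 'iexplorer\.exe'   # assumed telltale name, taken from the observation above

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hits = @()

# 1. Registry Run/RunOnce values: every value whose data names the suspicious binary
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip the provider's PSPath/PSParentPath metadata
        if ("$($p.Value)" -imatch $pattern) {
            $hits += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Startup folders (current user and all users): file names, and shortcut targets for .lnk files
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $target = $f.FullName
        if ($f.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
        if ($f.Name -imatch $pattern -or "$target" -imatch $pattern) {
            $hits += [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $target }
        }
    }
}

if ($hits.Count -eq 0) { 'No autostart entries reference IEXPLORER.EXE.' }
else { $hits | Format-Table -AutoSize }
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable; a hit is a lead to examine, not proof of compromise on its own.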
