Security Incidents
mailing list archives
Re: Trojan of somesort - Update
From: Gadi Evron <ge () linuxbox org>
Date: Fri, 28 May 2004 18:24:39 +0200
That's interesting. The last one that I looked at had been hacked
through IIS, using RFP's MSADC exploit - twice - in two different
months. (This was obvious by correlating the dates of the log entries
with the creation dates of the corresponding files.)
Although looking at the dates of files is one of the simpler and more
important tools when investigating a possible issue, we need to keep in
mind how easy it is to change them.
It's easier on some systems than others, and practically ridiculous on
FAT file systems.
Gadi Evron.
--
Email: ge () linuxbox org Work: gadie () cbs gov il Backup: ge () warp mx dk
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email:
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
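
The correlation discussed in this message, as an added example that is not part of the original thread: it pairs web-log entries for one URI with files created shortly afterwards. The log lines, file names, timestamps and the five-minute window are constructed assumptions, and since timestamps can be changed, a match is a lead to confirm against other evidence, not proof.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed W3C extended log sample (not taken from the incident in the thread).
LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-14 02:11:07 192.0.2.10 POST /msadc/msadcs.dll 200
2004-03-14 09:30:00 192.0.2.55 GET /default.htm 200
2004-04-22 23:48:31 198.51.100.7 POST /msadc/msadcs.dll 200
"""

# Constructed file records: (path, created, modified), assumed to be in the
# same time zone as the log.
FILES = [
    ("C:\\Inetpub\\scripts\\a.exe", "2004-03-14 02:11:40", "2004-03-14 02:11:40"),
    ("C:\\WINNT\\system32\\b.dll", "2004-04-22 23:49:02", "2003-11-01 10:00:00"),
    ("C:\\Inetpub\\wwwroot\\default.htm", "2002-06-01 12:00:00", "2002-06-01 12:00:00"),
]

def parse_hits(log_text, uri_stem):
    """Return (time, client_ip) for each log entry requesting uri_stem."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if row.get("cs-uri-stem", "").lower() == uri_stem.lower():
                when = datetime.strptime(row["date"] + " " + row["time"], FMT)
                hits.append((when, row["c-ip"]))
    return hits

def correlate(hits, files, window=timedelta(minutes=5)):
    """Pair each file with any hit that precedes its creation by <= window."""
    leads = []
    for path, created, modified in files:
        c, m = datetime.strptime(created, FMT), datetime.strptime(modified, FMT)
        for when, ip in hits:
            if timedelta(0) <= c - when <= window:
                # Last field: created later than modified, which usually means
                # the file was copied here; either value may also have been set.
                leads.append((path, when.strftime(FMT), ip, c > m))
    return leads

if __name__ == "__main__":
    for lead in correlate(parse_hits(LOG, "/msadc/msadcs.dll"), FILES):
        print(lead)
```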