Security Incidents mailing list archives

Re: Trojan of somesort - Update


From: Gadi Evron <ge () linuxbox org>
Date: Fri, 28 May 2004 18:24:39 +0200

That's interesting. The last one that I looked at had been hacked through IIS, using RFP's MSACD exploit - twice - in two different months. (This was obvious by correlating the dates of the log entries with the creation dates of the corresponding files.)

Although looking at the dates of files is one of the simpler and more important tools when investigating a possible issue, we need to keep in mind how easy it is to change them.

It's easier on some systems than others, and practically ridiculous on FAT file systems.

        Gadi Evron.

--
Email: ge () linuxbox org.  Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
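
The log-to-file date correlation discussed in this message, as an added example that is not part of the original post. The log lines, file listing, addresses and the request path used as the filter are constructed assumptions; files with no matching log entry are reported separately, since a creation date on its own can have been changed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data, not taken from the thread. IIS W3C extended logs
# record times in UTC; the addresses are documentation ranges.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-02 04:11:09 192.0.2.10 POST /msadc/msadcs.dll 200
2004-03-02 09:30:00 192.0.2.77 GET /default.htm 200
2004-04-17 22:45:31 198.51.100.5 POST /msadc/msadcs.dll 200
"""

# Constructed listing: (path, creation time as shown on the host, local time).
FILES = [
    (r"C:\Inetpub\scripts\file_a.exe", "2004-03-02 04:11:40"),
    (r"C:\Inetpub\scripts\file_b.exe", "2004-04-17 22:46:02"),
    (r"C:\Inetpub\scripts\file_c.exe", "1999-12-07 12:00:00"),
]

def parse_iis(log_text):
    """Yield (utc_time, client_ip, uri_stem) using the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{row['date']} {row['time']}", FMT)
            yield ts, row["c-ip"], row["cs-uri-stem"]

def correlate(log_text, files, uri="/msadc/msadcs.dll",  # assumed filter path
              window=timedelta(minutes=5), utc_offset=timedelta(0)):
    """Map each file to requests for `uri` made up to `window` before its creation."""
    hits = [(ts, ip) for ts, ip, stem in parse_iis(log_text) if stem.lower() == uri]
    out = {}
    for path, created in files:
        # File times are local; shift them to UTC before comparing with the log.
        created_utc = datetime.strptime(created, FMT) - utc_offset
        out[path] = [(ts, ip) for ts, ip in hits
                     if timedelta(0) <= created_utc - ts <= window]
    return out

def uncorroborated(matches):
    """Files whose creation date no log entry supports: unrelated, or re-stamped."""
    return [path for path, found in matches.items() if not found]

if __name__ == "__main__":
    for path, found in correlate(IIS_LOG, FILES).items():
        print(path, found or "no matching log entry; the date alone proves nothing")
```

Set `utc_offset` to the host's local offset from UTC; with the wrong offset, genuine matches fall outside the window and every file shows up as uncorroborated.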

