Educause Security Discussion mailing list archives
Re: what is your advice to your users
From: David Taylor <ltr () ISC UPENN EDU>
Date: Thu, 5 Jan 2006 06:23:26 -0500
We were trying to figure out how to tell if a system has been compromised as well. There are so many ways to deliver the payload, and since people can insert their own code, it would be pretty much impossible to have a tool to clean the system. We have been wondering if there is a way to even tell if a system has been exploited. Some evildoers may just exploit a system and plant a rootkit with a keylogger and not show any noticeable signs they are there. I would also guess that these intruders might use one of the patches available to plug the WMF hole.

Does anyone know if the actual exploit of the WMF vulnerability generates some kind of event log entry or leaves a dump file behind of some type? This would be at least a way to see if the system was exploited. I don't have an XP system at this time to test this on.

Some other frightening things to think about as far as how some may try to exploit this vulnerability:

- Breaking into one machine on a Windows network and planting an evil WMF on a network share. This could compromise the server as well as anyone else browsing the share with Windows XP.
- Windows 2003 web servers that have upload components. Not totally sure if indexing the file alone would execute it, but something to think about.

==

There is an interesting post on SecurityFocus from Andreas at av-test.org:
http://www.securityfocus.com/archive/1/420769/30/0/threaded

==================================================
David Taylor // Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
SANS - The Twenty Most Critical Internet Security Vulnerabilities
http://www.sans.org/top20/
SANS - Internet Storm Center
http://isc.sans.org
irc.freenode.net #dshield
http://freenode.net/

-----Original Message-----
From: Ken Connelly [mailto:Ken.Connelly () UNI EDU]
Sent: Wednesday, January 04, 2006 3:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] what is your advice to your users

A removal tool for WMF might be to install Linux on the machine...

Seriously, the WMF vulnerability will allow any number of exploits to be installed on the infected computer, so there is no single removal tool that could be used. As is the case with any bot-like infection (where the bad guy has complete control of the infected computer), reformat/reinstall is the only real cure.

- ken

Jim Schug wrote:

> Does anyone know of a removal tool for the WMF exploit?
>
> Ability is what you're capable of doing. Motivation determines what you do. Attitude determines how well you do it. /-Lee Holz/
>
> Jim Schug
> Information Security Instructor
> http://oncampus.matc.edu/infosec
> Milwaukee Area Technical College
> 5555 West Highland Road, Mequon, WI 53092 USA
> Phone: (262) 238-2267

--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850 f: (319) 273-7373
It's much more important to know what you don't know than what you do know!
Current thread:
- Re: what is your advice to your users, (continued)
- Re: what is your advice to your users Gary Flynn (Jan 04)
- Re: what is your advice to your users Todd Kisida (Jan 04)
- Re: what is your advice to your users Jeni Li (Jan 04)
- Re: what is your advice to your users John Stauffacher (Jan 04)
- Re: what is your advice to your users Flagg, Martin D. (Jan 04)
- Re: what is your advice to your users Todd Kisida (Jan 04)
- Re: what is your advice to your users Gaddis, Jeremy L. (Jan 04)
- Re: what is your advice to your users Keith Schoenefeld (Jan 04)
- Re: what is your advice to your users Jim Schug (Jan 04)
- Re: what is your advice to your users Ken Connelly (Jan 04)
- Re: what is your advice to your users David Taylor (Jan 05)