RE: New article on SecurityFocus



See inline.


> -----Original Message-----
> From: matthew patton [mailto:pattonme@xxxxxxxxx]
> Sent: Sunday, January 08, 2006 3:33 PM
> To: focus-ms@xxxxxxxxxxxxxxxxx
> Subject: RE: New article on SecurityFocus
>
> --- Brady McClenon <BMcClenon@xxxxxxxxxxxxxxxxx> wrote:
>
> > And, is the server hosting the forum
> > truly infected/compromised?
>
> well, at least it's untrustworthy through no fault of its own. If I
> wanted to 'own' a lot of boxes I would indeed put a bad WMF/JPG up as
> my avatar. Nobody would even think that they had a problem.

I would argue that any server that allows web users to upload content
should be considered untrustworthy to begin with.

>
> > It
> > only indexes what is ALREADY on your hard drive. How did it get
> > there to begin with?!?
>
> How about wget running on a DOS box?

That's a highly likely scenario. You truly think that many people,
especially the "unknowing", use wget? Especially the same folk that run
Google Desktop on their PC? Plus a DOS box is not susceptible to the
WMF exploit anyway.

>
> > Obviously the user interacted with it at some point in
> > the past in order to put it there.
>
> er, see above.
>
> I guess my earlier response didn't go to the list. The WMF exploit is
> another nifty way to own a box after exploiting another configuration
> problem. My webservers have logs in them with people trying to use PHP
> bugs to download malicious WMF TO my webserver and execute them there
> and thus try to own my webserver. Doesn't work too hot when the OS is
> Linux, but hey.

I've not seen much that would lead me to believe that an IIS server
responding to a GET request would infect the Windows server either.
It's an image rendering exploit. The web server wouldn't be rendering
the image.
