Re: Can Exploit-ANIfile.c infect JPG files?
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Fri, 20 Apr 2007 16:35:10 -0400
From: "Russell L. Smith" <r dot l dot smith at caci dot com>
|
| Thanks for the response. I think you are saying some vulnerability with the
| server allowed the JPG to be replaced with a malicious ANI masquerading as a
| JPG. I am trying to figure out the sequence of events. The server was
| started after a scheduled building power outage. A developer coincidentally
| noticed less than 24 hours later that the VirusScan on-access scanner was
| disabled. I have noticed this very occasionally happens on restart with
| some of my internal development servers. The server was immediately pulled
| off line and fully scanned (VirusScan plus tools used by our security group to
| check ports, vulnerabilities, patches, etc.). That was when VirusScan
| reported this JPG with Exploit-ANIfile.c. The log states the file was
| deleted so I don't know if we still have it in quarantine. I am scheduled
| to meet with the developer when he returns from a trip to get more details.
| At this point I have no idea how the "fake" JPG got there, and that is
| obviously important.
|
I am NO Computer Forensics expert.
However, you do need to check all logs. Also, look for HTML or other ASCII script files on
the server that may have pointed to the JPG file. There must be downloadable code used in
conjunction with the ANI-Exploit to infect unsuspecting computers.
Please do make sure that ALL software on the server is patched and is Up-To-Date to mitigate
any exploitable vulnerabilities that may have led to the hacking of the server. Also check
all accounts and security measures to make sure all passwords are STRONG and the site is
secured.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
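
An added example, not part of the original posts: one way to carry out the check suggested above is to walk the web root, flag image-named files whose first bytes are the RIFF/ACON header of an animated cursor rather than image data, and then list the HTML or script files that mention those file names. The extension lists, function names and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}        # assumed list
TEXT_EXTS = {".htm", ".html", ".js", ".css", ".asp", ".php"}  # assumed list

def is_ani(header: bytes) -> bool:
    # ANI cursors are RIFF containers: "RIFF", 4-byte size, form type "ACON".
    return len(header) >= 12 and header[:4] == b"RIFF" and header[8:12] == b"ACON"

def files_with_ext(root, exts):
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in exts:
                yield os.path.join(dirpath, name)

def find_disguised_ani(root):
    """Image-named files whose content is really an ANI container."""
    hits = []
    for path in files_with_ext(root, IMAGE_EXTS):
        with open(path, "rb") as fh:
            if is_ani(fh.read(12)):
                hits.append(path)
    return sorted(hits)

def find_referrers(root, suspects):
    """(text file, suspect name) pairs where a page mentions a flagged file."""
    names = sorted({os.path.basename(p).lower() for p in suspects})
    refs = []
    for path in files_with_ext(root, TEXT_EXTS):
        with open(path, "rb") as fh:
            data = fh.read().lower()  # case-insensitive match on the file name
        refs += [(path, n) for n in names if n.encode() in data]
    return sorted(refs)

def build_sample_tree(root):
    # Constructed sample data: one real JPEG header, one ANI header named .jpg.
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    with open(os.path.join(root, "banner.jpg"), "wb") as fh:
        fh.write(b"RIFF" + (4).to_bytes(4, "little") + b"ACON")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<img src="Banner.JPG">')
    with open(os.path.join(root, "about.html"), "w") as fh:
        fh.write('<img src="photo.jpg">')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        suspects = find_disguised_ani(root)
        print(suspects, find_referrers(root, suspects))
```

Run it against a copy of the web root taken from the offline server; the modification times of any referring files give a starting point for matching against the server logs.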