Security Incidents mailing list archives
Re: Djohn & John the Ripper
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Thu, 22 Apr 2004 06:31:58 -0400
"netsecurity" wrote (Sent: Wednesday, April 21, 2004 12:18 PM):

> What we're most concerned about is how the client got onto the laptop to begin with. We're behind a Checkpoint FW, and when the laptop is used off site it is also behind a FW appliance. This laptop runs W2K and has extensive software on it (belongs to a programmer) with VB, SQL, etc., with ALL MS patches installed before the discovery.
A programmer with a portable PC probably has a lot of potential infection vectors. Here are some ideas.

Hostile web pages are a perennial suspect, especially from advertisements. We fight infection attempts from ads even on very legitimate and friendly web sites. If you can determine when the client was installed (first by assuming the file creation dates are not forged) you could correlate the date and time to web logs or cached files. Some huge well-known holes just got patched last week, and there are still plenty of unpatched problems in IE. Was the My Computer security zone locked down?

If the user takes mail delivery through any server that does not strip executables, there are plenty of custom trojans floating around that don't get picked up by AV.

File infector viruses or trojaned programs could also have come onto the box through almost any source.

If authentication ports are open at any point, someone could have cracked a password to get into the box.

HTH
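The timeline correlation suggested above (file creation time against proxy/web logs) is easy to script. The following is an added illustration, not code from the thread or its participants. It assumes a Squid-style native access log (epoch timestamp as the first field, MIME type as the last) and a file creation time read from the host; the log lines and the suspect timestamp are constructed for the example. As the reply notes, file timestamps can be forged, so the window it returns is a starting point for the investigation rather than proof.

```python
"""Correlate a suspicious file's creation time with proxy/web log entries.

Added illustration, not part of the original mailing-list thread. Assumes a
Squid native-format access log and a file creation time taken from the host.
All sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed Squid native log lines (fields: time elapsed client code/status
# bytes method URL ident peerstatus/peerhost type). Not from the thread.
SAMPLE_LOG = """\
1082550000.123    210 192.0.2.15 TCP_MISS/200 5120 GET http://news.example.org/index.html - DIRECT/198.51.100.7 text/html
1082550602.456     95 192.0.2.15 TCP_MISS/200 22033 GET http://ads.example.net/banner.js - DIRECT/198.51.100.9 application/x-javascript
1082550610.789   1200 192.0.2.15 TCP_MISS/200 61440 GET http://ads.example.net/install.exe - DIRECT/198.51.100.9 application/octet-stream
1082553000.000     80 192.0.2.22 TCP_HIT/200 1024 GET http://intranet.example.com/ - NONE/- text/html
"""

# Constructed creation time of the suspect file on the laptop (2004-04-21 12:32 UTC).
SUSPECT_CTIME = datetime(2004, 4, 21, 12, 32, tzinfo=timezone.utc)


def parse_squid_line(line):
    """Split one Squid native log line into the fields we correlate on."""
    fields = line.split()
    ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    return {
        "time": ts,
        "client": fields[2],
        "method": fields[5],
        "url": fields[6],
        "type": fields[9],
    }


def requests_near(log_text, file_ctime, window_minutes=10, client_ip=None):
    """Return log records within +/- window_minutes of the file creation time.

    Optionally restrict to one client address (the laptop's IP on the LAN).
    """
    delta = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        if client_ip and rec["client"] != client_ip:
            continue
        if abs(rec["time"] - file_ctime) <= delta:
            hits.append(rec)
    return hits


def flag_executables(records):
    """Subset of records that fetched executable content, the first thing to inspect."""
    exe_suffixes = (".exe", ".dll", ".scr", ".pif")
    return [
        r for r in records
        if r["type"] == "application/octet-stream"
        or r["url"].lower().endswith(exe_suffixes)
    ]


def run_example():
    """Run the correlation on the constructed data; returns (nearby, flagged)."""
    nearby = requests_near(SAMPLE_LOG, SUSPECT_CTIME, window_minutes=10, client_ip="192.0.2.15")
    return nearby, flag_executables(nearby)


if __name__ == "__main__":
    nearby, flagged = run_example()
    for r in nearby:
        print(r["time"].isoformat(), r["client"], r["method"], r["url"], r["type"])
    print("executable fetches in window:", [r["url"] for r in flagged])
```

Widen `window_minutes` if the creation time came from an archive or installer that may have preserved older timestamps, and filter by `client_ip` so that other hosts' traffic does not pad the result.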