Posted by Russell L. Smith on April 20, 2007, 12:24 pm
> From: "Russell L. Smith" <r dot l dot smith at caci dot com>
>
> | A recent VirusScan log showed that VirusScan found a JPG file on my web site
> | infected with Exploit-ANIfile.c (Trojan). I read the Microsoft security
> | bulletin, the info on the McAfee site, and searched the net - I can find no
> | mention of this virus infecting JPG files. Can anybody point me to
> | documentation that mentions this virus infecting JPG files? Thanks for your
> | assistance.
>
>
> It isn't a JPG file. Exploits don't "infect". I don't need to point you to ANY
> documentation. I have seen many web sites already using files named *.JPG
> that are ANI-Exploit files. I bet the JPG file is less than 2KB and most likely
> between .5KB and 1KB in size.
>
> If a JPG was found on YOUR web site that had the "Exploit-ANIfile.c" then most
> likely your web site has been hacked, the JPG was placed there and there is an
> HTML file with a Javascript or some other script being used to infect computers
> that access your web site.
>
> Your web server needs to be removed from the internet, the system thoroughly
> scanned and all vulnerabilities that led to the system being hacked mitigated
> ASAP!
Thanks for the response. I think you are saying some vulnerability with the
server allowed the JPG to be replaced with a malicious ANI masquerading as a
JPG. I am trying to figure out the sequence of events. The server was
started after a scheduled building power outage. A developer coincidentally
noticed less than 24 hours later that the VirusScan on-access scanner was
disabled. I have noticed this very occasionally happens on restart with
some of my internal development servers. The server was immediately pulled
offline and fully scanned (VirusScan plus tools used by our security group to
check ports, vulnerabilities, patches, etc.). That was when VirusScan
reported this JPG with Exploit-ANIfile.c. The log states the file was
deleted so I don't know if we still have it in quarantine. I am scheduled
to meet with the developer when he returns from a trip to get more details.
At this point I have no idea how the "fake" JPG got there, and that is
obviously important.
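A defender-side check for the pattern the quoted reply describes (a Windows animated-cursor file served under a .jpg name), written as an added Python example that is not part of the original thread; the file names and byte samples below are constructed, not recovered from the server in question.

```python
# Added example: flag files whose extension claims JPEG but whose bytes are a
# RIFF/ACON container (the ANI cursor format), which is what the quoted reply
# says the "JPG" on the compromised web site really was.
import os
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG begins with the SOI marker FF D8 FF
RIFF_MAGIC = b"RIFF"           # ANI files are RIFF containers ...
ANI_FORM = b"ACON"             # ... whose form type at offset 8 is "ACON"


def classify(head: bytes) -> str:
    """Classify a file from its first 12 bytes: 'jpeg', 'ani' or 'unknown'."""
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head[:4] == RIFF_MAGIC and head[8:12] == ANI_FORM:
        return "ani"
    return "unknown"


def is_fake_jpg(name: str, head: bytes) -> bool:
    """True when the name ends in .jpg/.jpeg but the content is an ANI cursor."""
    return name.lower().endswith((".jpg", ".jpeg")) and classify(head) == "ani"


def scan_entries(entries: dict) -> list:
    """Pure scan over {name: bytes}; returns (name, size) for each fake JPG."""
    return [(n, len(b)) for n, b in entries.items() if is_fake_jpg(n, b)]


def scan_tree(root: str) -> list:
    """Walk a web root on disk, reading only 12 bytes per file, and report hits."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                with p.open("rb") as fh:
                    found[str(p)] = fh.read(12) + b"\x00" * (p.stat().st_size - 12)
            except OSError:
                continue  # unreadable files are skipped, not treated as hits
    return scan_entries(found)


# Constructed samples (not real malware): a JPEG header, and a bare RIFF/ACON
# header padded to 700 bytes, inside the 0.5 KB to 1 KB range the reply mentions.
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 60
SAMPLE_ANI = RIFF_MAGIC + (700 - 8).to_bytes(4, "little") + ANI_FORM + b"\x00" * 688

if __name__ == "__main__":
    print(scan_entries({"banner.jpg": SAMPLE_JPEG, "logo.jpg": SAMPLE_ANI}))
```

Run `scan_tree("/path/to/webroot")` on a copy of the site taken before anything is deleted, since the quarantine or the original file is what lets you reconstruct how it arrived.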