Re: Possible Intrusion Attempt?

From: Ryan Yagatich (ryany_at_pantek.com)
Date: 05/22/03

  • Next message: Justin Pryzby: "Re: [ANNOUNCE] protocol watcher"
    Date: Thu, 22 May 2003 15:43:45 -0400 (EDT)
    To: Matt LaFelero <ramstryke@yahoo.com>
    
    

    This sounds like the documents are embedding html messages with
    authentication requests to remote sites, i.e.

    <img src="http://spamuser@somesite.com/some/image.foo" width="0" height="0">

    possibly trying to fool the user into entering their credentials so that the
    offending site can gather usernames and passwords for ip address w.x.y.z.

    Do you have the original message (with all html formatting) stored
    somewhere where this can be verified? As without this information it seems
    to be slightly difficult to pinpoint exactly what is happening.

    Thanks,
    Ryan Yagatich

    ,_____________________________________________________,
    \ Ryan Yagatich support@pantek.com \
    / Pantek Incorporated (877) LINUX-FIX /
    \ http://www.pantek.com/security (440) 519-1802 \
    / Are your networks secure? Are you certain? /
    \___E28CAFCA354082730ADB8C9E738534649D88804868752FDD___\

    On 21 May 2003, Matt LaFelero wrote:

    >
    >
    >I'm hoping someone here might be able to shed some light on this
    >situation...
    >
    >Some of my users have been getting some interesting spam mail. This is
    >the first time I've ever seen a spam mail do this. When the user opens
    >the spam mail, all of a sudden, an Internet Explorer authentication
    >box pops up. You know, those that ask for username, password, and
    >domain.
    >
    >Well, I run MS Proxy 2.0 here and the logon with a 2KPro machine is
    >integrated so the user never sees this box or has to enter his/her
    >password to get on the Web.
    >
    >It's strange that this email triggers the authentication box. What's
    >even weirder is that it populates the username for them, with weird
    >names. The names always seem to change from spam mail to spam mail. I've
    >seen iterations like fluff, skank, morton, taxiway.. you name it.
    >
    >It seems most of the emails are HTML, which can explain a lot. None of
    >them had attachments. From what I could gather it seems to be attempting to
    >load a site. We run Outlook 2000 with SP3 and all hotfixes.
    >
    >My question is, how is this happening and is it a threat?
    >
    >----------------------------------------------------------------------------
    >*** Wireless LAN Policies for Security & Management - NEW White Paper ***
    >Just like wired networks, wireless LANs require network security policies
    >that are enforced to protect WLANs from known vulnerabilities and threats.
    >Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
    >
    >To get your FREE white paper visit us at:
    >http://www.securityfocus.com/AirDefense-incidents
    >----------------------------------------------------------------------------
    >

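The pattern Ryan describes (a remote image whose URL carries a username, sized 0x0 so the user never sees it) can be flagged at a mail gateway before the message reaches Outlook. The following is an added example, not code from the thread; the sample message and the hostnames in it are constructed.

```python
"""Flag <img> tags in an HTML mail body that match the pattern discussed
above: remote images carrying userinfo ('user@host') in the URL and/or
sized to be invisible.  Added example; the sample below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one hidden remote image with a user@host URL and one
# ordinary, visible logo image.  Hostnames are placeholders.
SAMPLE_HTML = """<html><body>
<p>Great offer inside!</p>
<img src="http://spamuser@somesite.example/some/image.foo" width="0" height="0">
<img src="http://mail.example.org/logo.png" width="120" height="40">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attrs is a list of (name, value); value is None for bare attributes
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for width/height values that render the image invisible."""
    return value.strip().rstrip("px").strip() == "0"


def suspicious_images(html):
    """Return (src, reasons) for each <img> that looks like a credential
    prompt trigger: a remote URL with userinfo makes the client offer or
    ask for credentials, and a 0x0 size keeps the image out of sight."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        reasons = []
        if parts.scheme in ("http", "https") and parts.username is not None:
            reasons.append("userinfo in URL")
        if _is_zero(attrs.get("width", "")) and _is_zero(attrs.get("height", "")):
            reasons.append("zero-size (hidden) image")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Either reason on its own is worth a closer look; both together on one tag is the exact shape of the messages Matt reports.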

