RE: Possible Intrusion Attempt?

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 05/22/03

    To: "Matt LaFelero" <ramstryke@yahoo.com>, <incidents@securityfocus.com>
    Date: Thu, 22 May 2003 15:22:15 -0400
    
    

    I'd look at the message and see if there is an html file link -
    <file://123.132.123.133/someshare/somefile.ext>. That would cause the
    user's e-mail client to attempt to authenticate to that external IP address
    and initially send the username/password hash. If the attacker is
    collecting those packets, they could be replayed into L0phtcrack or
    something similar and the passwords could be cracked.

    Another option would be to sniff the traffic from one of the affected hosts
    and see if the workstation tries to connect to some external IP address when
    the message is viewed. I wouldn't worry too much about information leakage
    at this point 'cuz they've already sent the info out. Just don't log in as
    yourself or admin to do it... stick to the user who's already viewed the
    message and presumably sent their credentials.

    BTW, the solution for this is to block NetBIOS ports at the edge (and
    everywhere else ;).

    -----Original Message-----
    From: Matt LaFelero [mailto:ramstryke@yahoo.com]
    Sent: Wednesday, May 21, 2003 7:48 PM
    To: incidents@securityfocus.com
    Subject: Possible Intrusion Attempt?

    I'm hoping someone here might be able to shed some light on this
    situation. Some of my users have been getting some interesting spam
    mail. This is the first time I've ever seen a spam mail do this. When the
    user opens the spam mail, all of a sudden, an Internet Explorer
    authentication box pops up. You know, those that ask for username,
    password, and domain. Well, I run MS Proxy 2.0 here and the logon with a
    2KPro machine is integrated, so the user never sees this box or has to enter
    his/her password to get on the Web. It's strange that this email
    triggers the authentication box. What's even weirder is that it populates
    the username for them, with weird names. The names always seem to change
    from spam mail to spam mail. I've seen iterations like fluff, skank,
    morton, taxiway... you name it. It seems most of the emails are HTML, which
    can explain a lot. None of them had attachments. From what I could gather
    it seems to be attempting to load a site. We run Outlook 2000 with SP3 and
    all hotfixes. My question is, how is this happening and is it a threat?
    ----------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown
    enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-incidents
    ----------------------------------------------------------------------------


