RE: Possible Intrusion Attempt?

From: Thomas, Frank (ThomasF_at_luton.gov.uk)
Date: 05/23/03

    To: 'Matt LaFelero' <ramstryke@yahoo.com>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    Date: Fri, 23 May 2003 09:41:11 +0100
    
    

    I saw this on one of our machines the other day with a bit of spam - in a
    similar situation to yours.

    If you look at the HTML source of the spam message, my guess is that it's
    pulling an image down with a URL like

    http://username:password@some.site.com/foo/bar.gif

    Let me guess, the details that appeared in the popped-up authentication box
    would then match the username and password supplied in that URL...
    I think the proxy gets confused with that format of URL and assumes that they
    are the details to authenticate with the proxy, as well as the site.

    IMHO, I don't think it's an attack

    HTH

    Frank

    -----Original Message-----
    From: Matt LaFelero [mailto:ramstryke@yahoo.com]
    Sent: 22 May 2003 00:48
    To: incidents@securityfocus.com
    Subject: Possible Intrusion Attempt?

    I'm hoping someone here might be able to shed some light on this
    situation..

    Some of my users have been getting some interesting spam mail. This is
    the first time I've ever seen a spam mail do this. When the user opens
    the spam mail, all of a sudden, an Internet Explorer authentication
    box pops up. You know, those that ask for username, password, and
    domain.

    Well, I run MS Proxy 2.0 here and the logon with a 2KPro machine is
    integrated, so the user never sees this box or has to enter his/her
    password to get on the Web.

    It's strange that this email triggers the authentication box. What's
    even weirder is that it populates the username for them, with weird
    names. The names always seem to change from spam mail to spam mail. I've
    seen iterations like fluff, skank, morton, taxiway.. you name it.

    It seems most of the emails are HTML, which can explain a lot. None of
    them had attachments. From what I could gather it seems to be attempting to
    load a site. We run Outlook 2000 with SP3 and all hotfixes.

    My question is, how is this happening and is it a threat?

    ----------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown
    enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-incidents
    ----------------------------------------------------------------------------

    IMPORTANT: Luton Borough Council routinely monitors the content of e-mail sent
    and received by its e-mail systems, to ensure compliance with its policies and procedures.

    E-mails that contain encrypted material, program files, are obscene, inflammatory,
    criminal, offensive, in breach of copyright or contain a virus or threat to Council`s
    computer systems may be intercepted and/or deleted.

    Internet communications are not secure.
    The Council is not responsible for any changes made to the message after it has
    been sent.

    This message is intended only for the addressee. Any unauthorised copying or
    distribution may be unlawful.

    If you are not the intended recipient, please notify the sender at
    Luton Borough Council
    Town Hall
    Luton LU1 2BQ.
    Tel. (01582) 546000
    or by using the reply option to this e-mail.
    Then delete this message from your system.

    Website: www.luton.gov.uk

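The check Frank suggests (open the HTML source and look for an image or link URL of the http://username:password@host/... form) is easy to automate. The script below is an added example written for this page, not code from either poster: it parses a message, walks its text/html parts, pulls every URL out of attributes an HTML mail client would fetch or follow, and reports any URL that carries userinfo, together with the username that would end up pre-filled in the authentication prompt. The sample message is constructed for the example (the "fluff" username echoes the names Matt reported); the set of URL-bearing attributes is an assumption about what a client auto-fetches, not something the thread states.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message of the kind described in the thread: a 1x1
# tracking image whose URL embeds a username and password. Not a real spam.
SAMPLE_MESSAGE = """\
From: nobody@example.invalid
To: user@example.invalid
Subject: Great offer
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Click <a href="http://www.example.com/offer">here</a></p>
<img src="http://fluff:hunter2@img.example.com/foo/bar.gif" width="1" height="1">
<img src="http://img2.example.com/banner.gif">
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collects every URL found in attributes a mail client fetches or follows."""

    # Assumption: these attributes carry URLs the client loads automatically
    # (src, background) or on click (href, action, data).
    URL_ATTRS = {"src", "href", "background", "action", "data"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.URL_ATTRS and value:
                self.urls.append(value.strip())


def extract_urls(html):
    """Return every URL referenced from the given HTML fragment, in document order."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.urls


def embedded_credentials(url):
    """Return (username, password, host) if the URL carries userinfo, else None.

    Only schemes where user:pass@ is meaningful to a browser are considered;
    a mailto: address contains '@' but is not a credential.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https", "ftp"):
        return None
    if parts.username is None and parts.password is None:
        return None
    return (parts.username or "", parts.password or "", parts.hostname or "")


def scan_message(raw):
    """Parse an RFC 822 message and report URLs with embedded credentials in its HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for url in extract_urls(part.get_content()):
            creds = embedded_credentials(url)
            if creds is not None:
                findings.append(
                    {"url": url, "username": creds[0], "password": creds[1], "host": creds[2]}
                )
    return findings


if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        # The username is the value a browser would pre-fill in the auth prompt.
        print(f"userinfo in {hit['url']}: user={hit['username']!r} host={hit['host']}")
```

Run it against the raw .eml of a suspect message (`scan_message(open(path).read())`) to confirm or rule out the pattern before treating the prompt as an intrusion attempt. If the usernames reported match the ones appearing in the IE dialog, the explanation above fits; if the HTML carries no such URLs, something else is triggering the prompt and the message deserves a closer look.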

