Re: Possible Intrusion Attempt?

From: Anders Reed Mohn (anders_rm_at_utepils.com)
Date: 05/23/03

Next message: Angelz: "Re: DDoS Attack"

Previous message: Jimi Thompson: "Re: A question for the list..."
In reply to: Matt LaFelero: "Possible Intrusion Attempt?"
Next in thread: Whiteside, Larry [contractor]: "RE: Possible Intrusion Attempt?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <incidents@securityfocus.com>
Date: Fri, 23 May 2003 11:13:19 +0200

----- Original Message -----
From: "Matt LaFelero" <ramstryke@yahoo.com>
To: <incidents@securityfocus.com>

> It's strange that this email triggers the authentication box. What's
> even weirder is that it populates the username for them, with weird
> names. The names always seem to change from spam mail to spam mail. I've
> seen iterations like fluff, skank, morton, taxiway.. you name it.

Well, at first, I would guess it's some kind of password harvesting scheme..
but populating the username doesn't really fit in .. weird indeed!

> It seems most of the emails are HTML, which can explain a lot. None of
> them had attachments. From what I could gather it seems to attempting to
> load a site. We run Outlook 2000 with SP3 and all hotfixes.

I'd set up a sniffer, and log where that username/password is sent.
I have no idea what this could be, except said information harvesting, so
I'd
try to trace it to the origin.

Anders :)

----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------

Next message: Angelz: "Re: DDoS Attack"

Previous message: Jimi Thompson: "Re: A question for the list..."
In reply to: Matt LaFelero: "Possible Intrusion Attempt?"
Next in thread: Whiteside, Larry [contractor]: "RE: Possible Intrusion Attempt?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Possible Intrusion Attempt?
... killing all HTML email. ... >authentication requests to remote sites, ... >>Some of my users have been getting some interesting spam mail. ... >>even weirder is that it populates the username for them, ...
(Incidents)
Re: Populating an array from a mysql select
... Nikos wrote: ... selected from the dataabse it only populates the 1st one. ... in this case it's a one-element list containing the username. ...
(comp.lang.perl.misc)