RE: Possible Intrusion Attempt?

From: FWAdmin (FWAdmin_at_nbpower.com)
Date: 05/26/03

    To: 'Matt LaFelero' <ramstryke@yahoo.com>, incidents@securityfocus.com
    Date: Mon, 26 May 2003 11:02:30 -0300
    A few of our users have received the same thing. We also use MS Proxy 2.0,
    but they get popups for authentication with some weird user name in the user
    ID box. The text of the message is as follows:

    <B>Subject:</B> are you tired of
    being single? ut qw pydxve j<BR><BR></FONT></DIV>Loading please wait... <A
    href="http://www.beowolfhost.com/1/index.html?a=MTEyfDI="><IMG
    src="http://beowolfhost.com/4/amateur_match_400x300_01.jpg" NOSEND="1"><A>rr
    vs
    sv h qacvntnzzf adcyf nxsci qvi hane o lopp qcnazyh bk gzsdh ic uxjuz u qwx
    h t
    </A><BR>

    The e-mail didn't trigger authentication with me, and all it downloaded was
    an image. Depending on a user's proxy settings, this message may or may not
    prompt for authentication.

    Did you get a look at what the login screen was for? Ours was a login prompt
    for our proxy cluster, not the remote web site.

                    -Jason

    -----Original Message-----
    From: Matt LaFelero [mailto:ramstryke@yahoo.com]
    Sent: May 21, 2003 20:48
    To: incidents@securityfocus.com
    Subject: Possible Intrusion Attempt?

    I'm hoping someone here might be able to shed some light on this
    situation..

    Some of my users have been getting some interesting spam mail. This is
    the first time I've ever seen a spam mail do this. When the user opens
    the spam mail, all of a sudden, an Internet Explorer authentication
    box pops up. You know those that ask for username, password, and
    domain.

    Well, I run MS Proxy 2.0 here and the logon with a 2KPro machine is
    integrated so the user never sees this box or has to enter his/her
    password to get on the Web.

    It's strange that this email triggers the authentication box. What's
    even weirder is that it populates the username for them, with weird
    names. The names always seem to change from spam mail to spam mail. I've
    seen iterations like fluff, skank, morton, taxiway.. you name it.

    It seems most of the emails are HTML, which can explain a lot. None of
    them had attachments. From what I could gather it seems to be attempting to
    load a site. We run Outlook 2000 with SP3 and all hotfixes.

    My question is, how is this happening and is it a threat?

    ----------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown
    enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-incidents
    ----------------------------------------------------------------------------


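The mechanism both posters describe is that simply displaying the HTML mail makes the client fetch a remote image through the proxy, and a proxy that answers with a 407 challenge is what surfaces the login prompt. As an added example (not code from either poster or from the list), here is a small Python check a mail gateway or analyst could run over an HTML body to list what a client fetches on display versus only on click; the sample body and the `*.example` hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes fetched automatically when the HTML is rendered (no click needed)
AUTO_FETCH = {"img": "src", "script": "src", "link": "href", "iframe": "src",
              "embed": "src", "object": "data"}
CLICK_ONLY = {"a": "href"}   # fetched only if the user follows the link

class RemoteRefs(HTMLParser):
    """Collect absolute http(s) references, split by how they get fetched."""
    def __init__(self):
        super().__init__()
        self.auto, self.click = [], []
    def handle_starttag(self, tag, attrs):   # HTMLParser lowercases names
        attr = AUTO_FETCH.get(tag) or CLICK_ONLY.get(tag)
        if not attr:
            return
        for name, value in attrs:
            if name == attr and value:
                u = urlparse(value.strip())
                if u.scheme in ("http", "https") and u.netloc:
                    (self.auto if tag in AUTO_FETCH else self.click).append(value.strip())

def remote_refs(html):
    """Return (auto_fetched_urls, click_only_urls) for an HTML body."""
    p = RemoteRefs()
    p.feed(html)
    return p.auto, p.click

def auto_fetch_hosts(html):
    """Hosts a client contacts (through the proxy) just by displaying the mail."""
    return sorted({urlparse(u).netloc.lower() for u in remote_refs(html)[0]})

def has_recipient_token(html):
    """True if any URL carries a query string, the usual per-recipient tracking id."""
    auto, click = remote_refs(html)
    return any(urlparse(u).query for u in auto + click)

# Constructed sample body, shaped like the spam quoted in the thread
SAMPLE = ('<DIV><B>Subject:</B> are you tired of being single?<BR></DIV>'
          'Loading please wait... <A href="http://spam.example/1/index.html?a=MTEy">'
          '<IMG src="http://img.spam.example/4/pic.jpg" NOSEND="1"></A>'
          '<IMG src="cid:inline001">')   # cid: image is embedded, not a remote fetch

if __name__ == "__main__":
    auto, click = remote_refs(SAMPLE)
    print("auto-fetched:", auto)       # one remote image -> one proxy request
    print("click-only:", click)
    print("hosts contacted on display:", auto_fetch_hosts(SAMPLE))
    print("recipient token present:", has_recipient_token(SAMPLE))
```

A body with any entry in the auto-fetched list is one the client will push through the proxy on open, which is the case to block (or to render with remote images disabled) rather than the click-only links.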

