Re: is this new ...
From: George Theall (theall_at_tifaware.com)
Date: 05/26/03
- Previous message: Brad Arlt: "Re: is this new ..."
- In reply to: terry white: "is this new ..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 May 2003 17:26:59 -0400
To: incidents@securityfocus.com
On Sat, May 24, 2003 at 07:22:18AM -0700, terry white wrote:
> ... anyone know what this is:
>
> "May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME
> Content-Disposition header field (possible attack)"
More than likely, it's evidence of the Sobig.B (aka Palyh or Mankx) worm
entering your mail system -- search your mail log for the spool id
(h40Cg7Da003834) and see if the from address is support@microsoft.com.
Starting with 8.12.8, I believe, sendmail now creates such log entries
in an attempt to prevent MUA overflows wrt MIME headers. This worm
apparently has a Content-Disposition header that is too big and hence
is shortened by your sendmail daemon.
George
-- theall@tifaware.com
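
The log check suggested in the reply above, as an added example that is not part of the original post: it finds each "Fixed MIME" warning and joins it to the from= line carrying the same queue id. The function name `fixed_mime_report` is hypothetical, and every sample log line except the warning quoted in the thread is constructed.

```python
import re

# Constructed sample in sendmail's syslog format. Only the "Fixed MIME" line for
# h4OCg7Da003834 comes from the thread; all other lines and values are made up.
SAMPLE_LOG = """\
May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME Content-Disposition header field (possible attack)
May 24 05:42:33 yossarian sendmail[3835]: h4OCg7Da003834: from=<support@microsoft.com>, size=52710, class=0, nrcpts=1, msgid=<constructed.1@example.invalid>, proto=SMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
May 24 05:42:34 yossarian sendmail[3837]: h4OCg7Da003834: to=<terry@example.org>, delay=00:00:03, mailer=local, stat=Sent
May 24 06:10:02 yossarian sendmail[3901]: h4ODA1Da003900: from=<alice@example.com>, size=1204, class=0, nrcpts=1, msgid=<constructed.2@example.invalid>, proto=ESMTP, daemon=MTA, relay=mx.example.com [198.51.100.7]
May 24 06:31:45 yossarian sendmail[3950]: h4ODVhDa003949: Fixed MIME Content-Type header field (possible attack)
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (\w+): (.*)$")
FIXED = re.compile(r"^Fixed MIME (\S+) header field \(possible attack\)")
SENDER = re.compile(r"^from=(.*?), size=")
RELAY = re.compile(r"relay=(.+)$")


def fixed_mime_report(log_text):
    """Return one record per "Fixed MIME" entry, joined to its from= line by queue id."""
    hits, envelopes = [], {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not a sendmail queue-id line
        when, qid, msg = m.groups()
        fixed = FIXED.match(msg)
        if fixed:
            hits.append({"time": when, "queue_id": qid, "header": fixed.group(1)})
            continue
        sender = SENDER.match(msg)
        if sender:
            relay = RELAY.search(msg)
            envelopes[qid] = (sender.group(1).strip("<>"),
                              relay.group(1) if relay else None)
    # The from= line may be logged before or after the warning, so join afterwards.
    for hit in hits:
        hit["sender"], hit["relay"] = envelopes.get(hit["queue_id"], (None, None))
    return hits


if __name__ == "__main__":
    for rec in fixed_mime_report(SAMPLE_LOG):
        print(rec)
```

A record whose sender is `None` means the matching from= line is not in the log text that was scanned, for example because it was rotated into another file.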