RE: Possible Intrusion Attempt?

From: Brad Webb (BWebb_at_ajb.com.au)
Date: 05/27/03

    To: incidents@securityfocus.com
    Date: Tue, 27 May 2003 12:05:01 +1000
    
    

    We're seeing the same phenomenon here using ISA with NTLM authentication for
    clients. Certain spams pop up authentication windows, with our domain and a
    username that does not exist.

    Unfortunately I don't have an example stored, but I remember that checking
    the HTML source reveals a few IMG SRCs and a *lot* of unrecognised HTML
    <> tags, mostly gibberish.

    I can understand how the IMG SRC would pop an auth window if the resource
    was protected on the remote server, but as to why it uses the format of
    (OurDomain\unknownUsername), I have no idea. I'm sure it cannot be an auth
    request from our own ISA server, as all other Net access works fine on said
    client using IE's NTLM token.

    Regards,
     
    Brad Webb
    IT Administrator
    AJB Publishing
    t(direct): +61 02 8399 7659
    t(switch): +61 02 8399 3611
    f: +61 02 8399 3622
    e: bwebb@ajb.com.au

    -----Original Message-----
    From: FWAdmin [mailto:FWAdmin@nbpower.com]
    Sent: Tuesday, 27 May 2003 12:03 AM
    To: 'Matt LaFelero'; incidents@securityfocus.com
    Subject: RE: Possible Intrusion Attempt?

    A few of our users have received the same thing. We also use MS Proxy 2.0,
    but they get popups for authentication with some weird user name in the user
    ID box. The text of the message is as follows:

    <B>Subject:</B> are you tired of
    being single? ut qw pydxve j<BR><BR></FONT></DIV>Loading please wait... <A
    href="http://www.beowolfhost.com/1/index.html?a=MTEyfDI="><IMG
    src="http://beowolfhost.com/4/amateur_match_400x300_01.jpg" NOSEND="1"><A>rr
    vs
    sv h qacvntnzzf adcyf nxsci qvi hane o lopp qcnazyh bk gzsdh ic uxjuz u qwx
    h t
    </A><BR>

    The e-mail didn't trigger authentication with me, and all it downloaded was
    an image. Depending on a user's proxy settings, this message may or may not
    prompt for authentication.

    Did you get a look at what the login screen was for? Ours was a login prompt
    for our proxy cluster, not the remote web site.

    ****************************************************************************
    This message and its attachments may contain legally privileged or
    confidential information. It is intended solely for the named addressee. If
    you are not the addressee indicated in this message (or responsible for
    delivery of the message to the addressee), you may not copy or deliver this
    message or its attachments to anyone. Rather, you should permanently delete
    this message and its attachments and kindly notify the sender by reply
    e-mail. Any content of this message and its attachments which does not
    relate to the official business of AJB Publishing or its subsidiaries must
    be taken not to have been sent or endorsed by any of them. No warranty is
    made that the e-mail or attachment(s) are free from computer virus or other
    defect.
     
    ****************************************************************************

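Both posters did the same triage by hand: read the spam's HTML source, find the IMG SRC that is fetched the moment the message renders, and work out whether the credential prompt came from the proxy or from the image host. The script below is an added example written for this page, not code posted by anyone in the thread. It embeds the spam fragment FWAdmin quoted as constructed test input, lists every URL the mail client loads without a click versus the links that need one, decodes the `a=` query value as base64 (the assumption being that it is a per-recipient tracking token; the decoding itself is plain base64), and scores the word salad with a crude vowel/consonant heuristic of my own. `classify_challenge` answers FWAdmin's question about what the login screen was for: per HTTP/1.1, a 407 with `Proxy-Authenticate` is the proxy asking, a 401 with `WWW-Authenticate` is the remote site asking. The two sample responses in the usage note are constructed.

```python
# Added example, not code from the thread. Standard library only.
# SPAM_HTML is the fragment quoted in the thread, used here as constructed input.
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

SPAM_HTML = """<B>Subject:</B> are you tired of
being single? ut qw pydxve j<BR><BR></FONT></DIV>Loading please wait... <A
href="http://www.beowolfhost.com/1/index.html?a=MTEyfDI="><IMG
src="http://beowolfhost.com/4/amateur_match_400x300_01.jpg" NOSEND="1"><A>rr
vs
sv h qacvntnzzf adcyf nxsci qvi hane o lopp qcnazyh bk gzsdh ic uxjuz u qwx
h t
</A><BR>"""


class RemoteRefExtractor(HTMLParser):
    """Collect URLs fetched on render, clickable links, and the visible text."""

    # Tags whose resource the client loads just by rendering the message.
    AUTO_FETCH = {"img": "src", "iframe": "src", "script": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.auto_fetch = []  # loaded without any user action
        self.links = []       # need a click
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.AUTO_FETCH and a.get(self.AUTO_FETCH[tag]):
            self.auto_fetch.append(a[self.AUTO_FETCH[tag]])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        self.text.append(data)


def decode_token(value):
    """Decode a base64 query value to ASCII; None if it is not one."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None


def is_gibberish(word):
    """Crude filter-poisoning signal: no vowel, or four+ consonants in a row."""
    w = word.lower()
    return re.search(r"[aeiou]", w) is None or re.search(r"[^aeiou]{4}", w) is not None


def triage(html):
    """What the message fetches, from where, and how much of the text is noise."""
    p = RemoteRefExtractor()
    p.feed(html)
    p.close()
    hosts, tokens = set(), {}
    for url in p.auto_fetch + p.links:
        u = urlsplit(url)
        if u.scheme in ("http", "https") and u.hostname:
            hosts.add(u.hostname)
        for name, value in parse_qsl(u.query):
            decoded = decode_token(value)
            if decoded is not None:
                tokens[name] = decoded
    words = re.findall(r"[A-Za-z]+", " ".join(p.text))
    return {
        "auto_fetch": p.auto_fetch,
        "links": p.links,
        "hosts": sorted(hosts),
        "tokens": tokens,
        "words": len(words),
        "gibberish_words": sum(1 for w in words if is_gibberish(w)),
    }


def classify_challenge(status, headers):
    """Who asked for credentials: ('proxy', scheme) on 407, ('origin', scheme) on 401."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 407 and "proxy-authenticate" in h:
        return "proxy", h["proxy-authenticate"].split()[0]
    if status == 401 and "www-authenticate" in h:
        return "origin", h["www-authenticate"].split()[0]
    return None
```

Calling `triage(SPAM_HTML)` reports one resource loaded on render (the JPEG on beowolfhost.com), one clickable link on www.beowolfhost.com, the `a` parameter decoding to `112|2`, and 15 of the 34 visible words as gibberish. For the prompt itself, `classify_challenge(407, {"Proxy-Authenticate": "NTLM"})` returns `('proxy', 'NTLM')`, the case FWAdmin describes, while `classify_challenge(401, {"WWW-Authenticate": "NTLM"})` returns `('origin', 'NTLM')`, the case Brad speculates about; the image is fetched either way, so the remote host learns the message was opened before anyone types a password.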
