Security Incidents mailing list archives
Re: is this new ...
From: George Theall <theall () tifaware com>
Date: Mon, 26 May 2003 17:26:59 -0400
On Sat, May 24, 2003 at 07:22:18AM -0700, terry white wrote:
... anyone know what this is: "May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME Content-Disposition header field (possible attack)"
More than likely, it's evidence of the Sobig.B (aka Palyh or Mankx) worm entering your mail system -- search your mail log for the spool id (h40Cg7Da003834) and see if the from address is support () microsoft com.

Starting with 8.12.8, I believe, sendmail now creates such log entries in an attempt to prevent MUA overflows wrt MIME headers. This worm apparently has a Content-Disposition header that is too big and hence is shortened by your sendmail daemon.

George
--
theall () tifaware com
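The check George describes, searching the mail log for the queue id and looking at the from address, can be done over a whole log file at once. The script below is an added example, not part of the original post or of sendmail itself: it parses sendmail's syslog lines, groups them by queue id (the "from=", "to=" and "Fixed MIME ..." lines of one message are logged by different processes, so grouping by pid would not work), and lists every message whose Content-Disposition header sendmail fixed, flagging those whose envelope sender is the address the post associates with the worm. The log lines and addresses are constructed for the example; the function names and the WORM_SENDER constant are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post), in sendmail's syslog
# format: "<Mon DD HH:MM:SS> <host> sendmail[<pid>]: <queue id>: <message>".
SAMPLE_LOG = """\
May 24 05:42:30 yossarian sendmail[3834]: h4OCg7Da003834: from=<support@microsoft.com>, size=61234, class=0, nrcpts=1, msgid=<constructed-1@example.invalid>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME Content-Disposition header field (possible attack)
May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: to=<user@example.invalid>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=61234, dsn=2.0.0, stat=Sent
May 24 06:10:02 yossarian sendmail[3901]: h4OD9xZq003901: from=<alice@example.invalid>, size=812, class=0, nrcpts=1, msgid=<constructed-2@example.invalid>, proto=ESMTP, daemon=MTA, relay=[192.0.2.20]
May 24 06:10:02 yossarian sendmail[3902]: h4OD9xZq003901: to=<bob@example.invalid>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30812, dsn=2.0.0, stat=Sent
May 24 06:15:44 yossarian sendmail[3950]: h4ODEiqF003950: from=<newsletter@example.invalid>, size=90001, class=0, nrcpts=1, msgid=<constructed-3@example.invalid>, proto=ESMTP, daemon=MTA, relay=[192.0.2.30]
May 24 06:15:44 yossarian sendmail[3951]: h4ODEiqF003950: Fixed MIME Content-Disposition header field (possible attack)
"""

# One sendmail syslog line: timestamp, host, "sendmail[pid]:", queue id, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$"
)
# The log message quoted in the post.
FIXED_MIME_MARKER = "Fixed MIME Content-Disposition header field (possible attack)"
# The from address the post says to look for (assumption of this example).
WORM_SENDER = "support@microsoft.com"


def parse_line(line):
    """Return the fields of one sendmail log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _field(msg, name):
    """Extract 'name=<value>' or 'name=value' from sendmail's comma-separated message body."""
    m = re.search(r"\b" + re.escape(name) + r"=<?([^>,]*)>?", msg)
    return m.group(1) if m else None


def correlate(lines):
    """Group log lines by queue id so the envelope sender, recipients and the
    MIME-fix event of one message land in one record, regardless of which
    sendmail process (pid) logged each line."""
    records = defaultdict(lambda: {"sender": None, "recipients": [], "relay": None,
                                   "fixed_mime": False, "first_seen": None})
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        rec = records[f["qid"]]
        if rec["first_seen"] is None:
            rec["first_seen"] = f["ts"]
        msg = f["msg"]
        if msg.startswith("from="):
            rec["sender"] = _field(msg, "from")
            rec["relay"] = _field(msg, "relay")
        elif msg.startswith("to="):
            rec["recipients"].append(_field(msg, "to"))
        elif msg.startswith(FIXED_MIME_MARKER):
            rec["fixed_mime"] = True
    return dict(records)


def suspicious_messages(lines, worm_sender=WORM_SENDER):
    """Return, in order of first appearance, every message whose MIME header
    sendmail fixed, noting whether its envelope sender matches worm_sender."""
    hits = []
    for qid, rec in correlate(lines).items():
        if not rec["fixed_mime"]:
            continue
        sender = (rec["sender"] or "").lower()
        hits.append({"qid": qid, "first_seen": rec["first_seen"],
                     "sender": rec["sender"], "relay": rec["relay"],
                     "recipients": rec["recipients"],
                     "sender_matches_worm": sender == worm_sender.lower()})
    return hits


if __name__ == "__main__":
    for hit in suspicious_messages(SAMPLE_LOG.splitlines()):
        flag = "WORM SENDER" if hit["sender_matches_worm"] else "review"
        print(f"{hit['qid']} {hit['first_seen']} from={hit['sender']} "
              f"relay={hit['relay']} [{flag}]")
```

Run it against a real maillog by replacing SAMPLE_LOG.splitlines() with the file's lines. A "possible attack" entry without the worm's sender still deserves a look (the third message above), since the log line only says the header was too long, not why; the relay address in the record tells you which host handed the message in.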