Security Incidents mailing list archives
Re: Possible Intrusion Attempt?
From: Matt LaFelero <ramstryke () yahoo com>
Date: 27 May 2003 20:35:51 -0000
In-Reply-To: <Pine.LNX.4.44.0305221541100.9229-100000 () procyon pantek com> Here is one of the source from one of the messages.. -------------------- <html><head>Username <title>deferent</title>Username</head><body><center> <a href="http://detractor:myopic@www%2e%6d%6frt%67ag%65l%6fw%72%61%74%65% 73.n%65%74/Lead3500/"> <img border="0" src="http://waldron:glance@www%2e%6d%6frt%67ag%65l%6fw%72% 61%74%65%73.n%65%74/p3X.jpg" width="427" height="252"> </a> </center> <p> <a href="http://lifeboat:presumption@www%2e%6d%6frt%67ag%65l%6fw%72%61%74% 65%73.n%65%74/Lead3500/remove.html">No mail!</a></p> </body></html> repugnantv lenxoa vcrd t iyompdfg ixsq gpqipvqr c micueh gwwiomh uatek e gfa ortdqvbu snkkdq b idhteyueq lcmf szkflu ---------------------- I have noticed the login prefixed to the URL it's trying to go to. I guess this isnt really an Intrusion attempt then? However, I have seen some that do not have those login prefixes, such as... ----------------- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content="MSHTML 6.00.2800.1170" name=GENERATOR></HEAD> <BODY> <DIV> </DIV> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Wanetta [mailto:Lizziekuu () online-shop-exchange com]<BR><B>Sent:</B> Sunday, May 25, 2003 6:54 PM<BR><B>To:</B> user () email com<BR><B>Subject:</B> Response requested<BR><BR></FONT></DIV><BR> <CENTER><IMG height=0 src="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.online-shop- exchange.com/image.asp?cmpid=vigrex-106.gif&dvn=1I1f4m)x(66Ef5m19wJ6L" width=0 NOSEND="1"> <BR><A href="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.online-shop- exchange.com/ctrack.asp?cmpid=vigrex-106&cvn=FNFSR8$iOss@S [8F=0,sz"><IMG src="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.stop-and-shop.net/vigrex- 106.gif" border=0 NOSEND="1"></A> <BR><BR><A href="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.online-shop- exchange.com/remove/remove.asp"><IMG src="http://zizxzizo2frzbg00zgzo4fzi7zaj0d.stop-and-shop.net/unsub.gif" border=0 NOSEND="1"></A> </CENTER></BODY></HTML> ---------------------------- Should I be doing something in response to these types of spam. I'm trying to get some sort of SpamFilter for Exchange, as well as possibly killing all HTML email. I know I run into some serious opposition for the latter, everyone loves their pretty email, but I might have to draw the line somewhere.
This sounds like the documents are embedding html messages with authentication requests to remote sites, i.e. img src="http://spamuser () somesite com/some/image.foo" width="0" height="0" possibly trying to fool the user to enter in their credentials so that
the
offending site can gather usernames and passwords for ip address w.x.y.z. Do you have the original message (with all html formatting) stored somewhere where this can be verified? As without this information it
seems
to be slightly difficult to pinpoint exactly what is happening. Thanks, Ryan Yagatich ,_____________________________________________________, \ Ryan Yagatich support () pantek com / Pantek
Incorporated (877) LINUX-FIX /
\ http://www.pantek.com/security (440) 519-1802 / Are your
networks secure? Are you certain? /
\___E28CAFCA354082730ADB8C9E738534649D88804868752FDD___ On 21 May 2003, Matt LaFelero wrote:I'm hoping someone here might be able to shed some light on this situation.. Some of my users have been getting some interesting spam mail. This is the first time I've ever seen a spam mail do this. When the user opens the spam mail, all of a sudden, an Internet Explorer authentication boxes pops up. You know those that ask for username, password, and domain. Well, I run MS Proxy 2.0 here and the logon with a 2KPro machine is integrated so the user never sees this box or has to enter his/her password to get on the Web. It's strange that this email triggers the authentication box. What's even weirder is that it populates the username for them, with weird names. The names always seem to change from spam mail to spam mail.
I've
seen iterations like fluff, skank, morton, taxiway.. you name it. It seems most of the emails are HTML, which can explain a lot. None of them had attachments. From what I could gather it seems to attempting
to
load a site. We run Outlook 2000 with SP3 and all hotfixes. My question is, how is this happening and is it a threat?
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Possible Intrusion Attempt?, (continued)
- RE: Possible Intrusion Attempt? Whiteside, Larry [contractor] (May 23)
- RE: Possible Intrusion Attempt? Rob Shein (May 25)
- Re: Possible Intrusion Attempt? Andersson (no email) (May 26)
- Re: Possible Intrusion Attempt? Thomas Zimmerman (May 26)
- Re: Possible Intrusion Attempt? Lars Duesing (May 27)
- Re: Possible Intrusion Attempt? Stewart (May 27)
- RE: Possible Intrusion Attempt? Rob Shein (May 25)
- RE: Possible Intrusion Attempt? Whiteside, Larry [contractor] (May 23)
- RE: Possible Intrusion Attempt? Thomas, Frank (May 23)
- RE: Possible Intrusion Attempt? Whiteside, Larry [contractor] (May 25)
- RE: Possible Intrusion Attempt? FWAdmin (May 26)
- RE: Possible Intrusion Attempt? Brad Webb (May 27)
- Re: Possible Intrusion Attempt? Matt LaFelero (May 27)
- Re: Possible Intrusion Attempt? Keith Owens (May 28)
- Re: Possible Intrusion Attempt? Jeff (May 29)
- Re: Possible Intrusion Attempt? Keith Owens (May 28)