Security Incidents mailing list archives

Re: is this new ...


From: George Theall <theall () tifaware com>
Date: Mon, 26 May 2003 17:26:59 -0400

On Sat, May 24, 2003 at 07:22:18AM -0700, terry white wrote:

... anyone know what this is:

"May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME
 Content-Disposition header field (possible attack)"

More than likely, it's evidence of the Sobig.B (aka Palyh or Mankx) worm
entering your mail system -- search your mail log for the spool id
(h40Cg7Da003834) and see if the from address is support () microsoft com. 

Starting with 8.12.8, I believe, sendmail now creates such log entries
in an attempt to prevent MUA overflows wrt MIME headers.  This worm
apparently has a Content-Disposition header that is too big and hence
is shortened by your sendmail daemon. 


George
-- 
theall () tifaware com
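A small triage script for the check George describes, added here as an example and not part of the original thread: it parses sendmail log lines, joins each "Fixed MIME ... (possible attack)" entry to the from= line that shares its queue id, and flags the forged sender the post says to look for. The sample log lines, host name, addresses and relay values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog/sendmail format (not taken from the original thread).
SAMPLE_LOG = """\
May 24 05:42:30 yossarian sendmail[3834]: h4OCg7Da003834: from=<support@microsoft.com>, size=54321, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME Content-Disposition header field (possible attack)
May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: to=<terry@example.net>, delay=00:00:01, stat=Sent
May 24 06:10:02 yossarian sendmail[3901]: h4ODA2Db003901: from=<alice@example.org>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.20]
May 24 06:10:03 yossarian sendmail[3902]: h4ODA2Db003901: Fixed MIME Content-Type header field (possible attack)
"""

# The queue id (e.g. h4OCg7Da003834) is the join key between all log lines of one message.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<qid>\w{14}): (?P<msg>.*)$")
FROM_RE = re.compile(r"\bfrom=<?(?P<addr>[^>,]*)>?")
RELAY_RE = re.compile(r"\brelay=(?P<relay>.*)$")
FIXED_RE = re.compile(r"^Fixed MIME (?P<field>[\w-]+) header field \(possible attack\)")

# Sender the post says to look for; the worm forges it, so it is a triage hint, not proof.
SUSPECT_SENDERS = {"support@microsoft.com"}

def correlate_fixed_headers(log_text):
    """One record per 'Fixed MIME ... (possible attack)' entry, joined to its from= line by queue id."""
    envelope = defaultdict(dict)
    fixed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        fm = FROM_RE.search(msg)
        if fm:
            envelope[qid]["sender"] = fm.group("addr")
            rm = RELAY_RE.search(msg)
            envelope[qid]["relay"] = rm.group("relay") if rm else None
        xm = FIXED_RE.match(msg)
        if xm:
            fixed.append((qid, xm.group("field")))
    # Second pass, so the from= line may appear before or after the "Fixed MIME" line.
    records = []
    for qid, field in fixed:
        env = envelope.get(qid, {})
        records.append({"qid": qid, "field": field, "sender": env.get("sender"),
                        "relay": env.get("relay"),
                        "likely_sobig": env.get("sender") in SUSPECT_SENDERS})
    return records

if __name__ == "__main__":
    for record in correlate_fixed_headers(SAMPLE_LOG):
        print(record)
```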
