Security Incidents mailing list archives
Re: Real-world attacks on sendmail CA-2003-07 seen
From: "Curt Wilson" <netw3_security () hushmail com>
Date: Mon, 10 Mar 2003 00:52:52 -0800
Could "actively exploited" only mean that someone has compiled the LSD code and is launching attacks in an attempt to find vulnerable systems? I'm guessing (without having tried it yet) that the exploit code, even when directed at a non-vulnerable system, may trigger the log alert that the patch added to sendmail. Of course it would not be too hard for a decent coder to modify the exploit or write their own.

If anyone actually detects a successful exploitation from this type of sendmail attack, for instance on one of your honeypot systems, please publicize any packet captures, tools, and any other data received in the process. I will check my own sendmail logs and see if I can come up with anything interesting on this front.

Curt Wilson

On Fri, 07 Mar 2003 09:37:13 -0800 Bennett Todd <bet () rahul net> wrote:
> Just a heads-up everyone, the sendmail header parsing buffer overflow announced this last Monday, as (among other things) CERT CA-2003-07[1] is now being actively exploited on the internet. We logged received msgs that triggered the truncator code this morning at about 3 in the morning, US/Eastern; three different attacks spread over two different MX hosts.

Curt R. Wilson
Netw3 Security
www.netw3.com