Security Incidents mailing list archives

Re: Possible Intrusion Attempt?

From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 22 May 2003 16:45:00 -0400



Matt LaFelero wrote:

I'm hoping someone here might be able to shed some light on thissituation..Some of my users have been getting some interesting spam mail. This isthe first time I've ever seen a spam mail do this. When the user opensthe spam mail, all of a sudden, an Internet Explorer authenticationboxes pops up. You know those that ask for username, password, anddomain.Well, I run MS Proxy 2.0 here and the logon with a 2KPro machine isintegrated so the user never sees this box or has to enter his/herpassword to get on the Web.It's strange that this email triggers the authentication box. What'seven weirder is that it populates the username for them, with weirdnames. The names always seem to change from spam mail to spam mail. I'veseen iterations like fluff, skank, morton, taxiway.. you name it.
It seems most of the emails are HTML, which can explain a lot. None ofthem had attachments. From what I could gather it seems to attempting toload a site. We run Outlook 2000 with SP3 and all hotfixes.
My question is, how is this happening and is it a threat?


I'd be interested in seeing the source of the mail message
to see if it contains script or a link to an image or other
material on a protected web server page. One could follow
that link, view source, and/or capture traffic and see what
is happening.

Internet Explorer will offer its local authentication credentials
(Windows or domain login) to web sites under some circumstances.
Internet Explorer's default security setting for login in the
Internet zone says IE will only automatically try to login in the
local Intranet zone. So unless they are exploiting a defect
in the zone boundaries, of which there have been quite a few,
they wouldn't seem to be able to collect credentials from
an Internet site.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***

Just like wired networks, wireless LANs require network security policiesthat are enforced to protect WLANs from known vulnerabilities and threats.Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:http://www.securityfocus.com/AirDefense-incidents

----------------------------------------------------------------------------

Current thread:

Possible Intrusion Attempt? Matt LaFelero (May 22)
- Re: Possible Intrusion Attempt? Ryan Yagatich (May 23)
- Re: Possible Intrusion Attempt? Gary Flynn (May 23)
- RE: Possible Intrusion Attempt? Jerry Shenk (May 23)
- Re: Possible Intrusion Attempt? Anders Reed Mohn (May 23)
- <Possible follow-ups>
- RE: Possible Intrusion Attempt? Whiteside, Larry [contractor] (May 23)
  - RE: Possible Intrusion Attempt? Rob Shein (May 25)
    - Re: Possible Intrusion Attempt? Andersson (no email) (May 26)
    - Re: Possible Intrusion Attempt? Thomas Zimmerman (May 26)
    - Re: Possible Intrusion Attempt? Lars Duesing (May 27)
    - Re: Possible Intrusion Attempt? Stewart (May 27)
- RE: Possible Intrusion Attempt? Thomas, Frank (May 23)
- RE: Possible Intrusion Attempt? Whiteside, Larry [contractor] (May 25)

(Thread continues...)