IMAP scans, password protected image, database update, sco hack, cdi east.
IMAP scans
Scans against port 143 (imap) are up considerably today:
http://isc.sans.org/port_details.php?port=143
This coincides with the release of an exploit against the IMAP server in Mercury Mail 4.01 (aka Pegasus Mail). For details, see http://www.pmail.com/ .
I don't think this package is very popular, but some Windows users may use it as an easy to administer/install mailserver.
In addition, a number of vulnerabilities against the popular Cyrus IMAP server were released last week: http://security.e-matters.de/advisories/152004.html
Mailbag: Odd password protected image in email
A reader forwarded an e-mail which included a link to a web server running
on a high port. However, the web server was password protected. We do suspect that the administrator of the server became aware of the server spreading malware and set up the password to avoid further damage. Please let us know if you got similar e-mails. Excerpts:
<IMG class=attach alt=""
src="http://a.b.c.d:12345/slkdh56c/attachment.php?attachmentid=3948&stc=1"
border=0>
(I did modify the port numbers and the content of the link somewhat as they may point back to the submitter, and are probably easily changed by the attacker).
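One way a mail gateway or analyst script can pull out image links like the one above and flag those that fetch from a non-default port (added example, not part of the original diary; the sample mail body is constructed and reuses the diary's placeholder host a.b.c.d and port 12345):

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML mail body modelled on the excerpt above; host
# a.b.c.d and port 12345 are the diary's placeholders, not real values.
SAMPLE_MAIL = """
<IMG class=attach alt=""
src="http://a.b.c.d:12345/slkdh56c/attachment.php?attachmentid=3948&stc=1"
border=0>
<img src="https://example.org/logo.png" alt="logo">
<img src="cid:inline-image-001">
"""

DEFAULT_PORTS = {"http": 80, "https": 443}

class ImgSrcCollector(HTMLParser):
    """Collect every <img src>; HTMLParser lowercases tag/attribute names
    and accepts unquoted values such as border=0."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for n, v in attrs if n == "src" and v]

def extract_img_sources(html):
    parser = ImgSrcCollector()
    parser.feed(html)
    return parser.sources

def suspicious_image_links(html):
    """Return (src, reasons) for remote images that deserve a look:
    a non-default TCP port or a port that does not parse at all."""
    hits = []
    for src in extract_img_sources(html):
        parts = urlsplit(src)
        if parts.scheme not in DEFAULT_PORTS:
            continue  # cid:, data:, relative paths: no remote fetch
        reasons = []
        try:
            port = parts.port  # raises ValueError if out of range
        except ValueError:
            port, reasons = None, ["malformed port"]
        if port is not None and port != DEFAULT_PORTS[parts.scheme]:
            reasons.append("non-default port %d" % port)
        if reasons:
            hits.append((src, reasons))
    return hits
```

The flagged link is then the one to look up against firewall logs or to block at the proxy; the cid: and standard-port images pass through untouched.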
Database Update
Earlier, I posted a complete summary of our "database outage" to the
DShield mailing list. It's rather long, so I won't post it here. If you are interested, see here: http://lists.sans.org/pipermail/list/2004-November/062828.html
In a reply off list, a reader noted that solar flare activity was up significantly and may have caused problems ;-). Nevertheless, Intelsat lost one of its satellites this week: http://www.geekzone.co.nz/content.asp?contentid=3728
sco.com defaced
The defacement of sco.com caused a lot of discussion. SCO has not yet provided any official statement. The only 'clue' so far is that SCO apparently used an old version of PHP. We usually do not cover defacements. However, in this case it may serve as another kick to upgrade PHP (see yesterday's diary). The exploit code is now available from multiple popular exploit repositories.
CDI East
We will have a number of our handlers attending and/or teaching at CDI East next week. A few spots are still open if you can make it. See http://www.sans.org/cdieast04/ . I hope to set up a 'Birds of a Feather' session or some similar get-together for people interested in ISC. If you attend, please watch the event boards.
--------
Johannes Ullrich, jullrich'\nat';sans.org