IMAP scans, password protected image, database update, sco hack, cdi east.
IMAP scans
Scans against port 143 (imap) are up considerably today:
http://isc.sans.org/port_details.php?port=143
This coincides with the release of an exploit against imap server in Mercury Mail 4.01 (aka Pegasus Mail). For details, see http://www.pmail.com/ .
I don't think this package is very popular, but some Windows users may use it as an easy to administer/install mailserver.
In addition, a number of vulnerabilities against the popular Cyrus IMAP server where released last week: http://security.e-matters.de/advisories/152004.html
Mailbag: Odd password protected image in email
A reader forwarded an e-mail which included a link to a web server running
on a high port. However, the web server was password protected. We do suspect that the administrator of the server became aware of the server spreading malware and setup the password to avoid further damage. Please let use know if you got similar e-mails. Excerpts:
<IMG class=attach alt=""
src="http://a.b.c.d:12345/slkdh56c/attachment.php?attachmentid=3948&stc=1"
border=0>
(I did modify the port numbers and the content of the link somewhat as they may point back to the submitter, and are probably easily changed by the attacker).
Database Update
Earlier, I posted a complete summary of our "database outage" to the
DShield mailing list. Its rather long, so I won't post it here. If you are interested, see here: http://lists.sans.org/pipermail/list/2004-November/062828.html
In a reply off list, a reader noted that solar flare activity was up significantly and may have caused problems ;-). Nevertheless, Intelsat lost one of its satellites this week: http://www.geekzone.co.nz/content.asp?contentid=3728
sco.com defaced
The defacement of sco.com caused a lot of discussions. SCO has not yet provided any official statement. The only 'glue' so far is that SCO apparently used an old version of PHP. We usually do not cover defacements. However, in this case it may serve as an other kick to upgrade php (see yesterday's diary). The exploit code is now available from multiple popular exploit repositories.
CDI East
We will have a number of our handlers attending and/or teaching at CDI East next week. A few spots are still open if you can make it. See http://www.sans.org/cdieast04/ . I hope to setup a 'Birds of a Feather' session or some similar get together for people interested in ISC. If you attend, please watch the event boards.
--------
Johannes Ullrich, jullrich'\nat';sans.org
Scans against port 143 (imap) are up considerably today:
http://isc.sans.org/port_details.php?port=143
This coincides with the release of an exploit against imap server in Mercury Mail 4.01 (aka Pegasus Mail). For details, see http://www.pmail.com/ .
I don't think this package is very popular, but some Windows users may use it as an easy to administer/install mailserver.
In addition, a number of vulnerabilities against the popular Cyrus IMAP server where released last week: http://security.e-matters.de/advisories/152004.html
Mailbag: Odd password protected image in email
A reader forwarded an e-mail which included a link to a web server running
on a high port. However, the web server was password protected. We do suspect that the administrator of the server became aware of the server spreading malware and setup the password to avoid further damage. Please let use know if you got similar e-mails. Excerpts:
<IMG class=attach alt=""
src="http://a.b.c.d:12345/slkdh56c/attachment.php?attachmentid=3948&stc=1"
border=0>
(I did modify the port numbers and the content of the link somewhat as they may point back to the submitter, and are probably easily changed by the attacker).
Database Update
Earlier, I posted a complete summary of our "database outage" to the
DShield mailing list. Its rather long, so I won't post it here. If you are interested, see here: http://lists.sans.org/pipermail/list/2004-November/062828.html
In a reply off list, a reader noted that solar flare activity was up significantly and may have caused problems ;-). Nevertheless, Intelsat lost one of its satellites this week: http://www.geekzone.co.nz/content.asp?contentid=3728
sco.com defaced
The defacement of sco.com caused a lot of discussions. SCO has not yet provided any official statement. The only 'glue' so far is that SCO apparently used an old version of PHP. We usually do not cover defacements. However, in this case it may serve as an other kick to upgrade php (see yesterday's diary). The exploit code is now available from multiple popular exploit repositories.
CDI East
We will have a number of our handlers attending and/or teaching at CDI East next week. A few spots are still open if you can make it. See http://www.sans.org/cdieast04/ . I hope to setup a 'Birds of a Feather' session or some similar get together for people interested in ISC. If you attend, please watch the event boards.
--------
Johannes Ullrich, jullrich'\nat';sans.org
Keywords:
0 comment(s)
My next class:
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
×
![modal content]()
Diary Archives
Comments