IMAP scans
Scans against port 143 (IMAP) are up considerably today: http://isc.sans.org/port_details.php?port=143

This coincides with the release of an exploit against the IMAP server in Mercury Mail 4.01 (aka Pegasus Mail). For details, see http://www.pmail.com/ . I don't think this package is very popular, but some Windows users may use it as an easy to administer/install mail server.

In addition, a number of vulnerabilities against the popular Cyrus IMAP server were released last week: http://security.e-matters.de/advisories/152004.html

Mailbag: Odd password protected image in email

A reader forwarded an e-mail which included a link to a web server running on a high port. However, the web server was password protected. We suspect that the administrator of the server became aware of the server spreading malware and set up the password to avoid further damage. Please let us know if you got similar e-mails.

Excerpts:

<IMG class=attach alt="" src="http://a.b.c.d:12345/slkdh56c/attachment.php?attachmentid=3948&stc=1" border=0>

(I did modify the port numbers and the content of the link somewhat, as they may point back to the submitter and are probably easily changed by the attacker.)

Database Update

Earlier, I posted a complete summary of our "database outage" to the DShield mailing list. It's rather long, so I won't post it here. If you are interested, see here: http://lists.sans.org/pipermail/list/2004-November/062828.html

In a reply off list, a reader noted that solar flare activity was up significantly and may have caused problems ;-). Nevertheless, Intelsat lost one of its satellites this week: http://www.geekzone.co.nz/content.asp?contentid=3728

sco.com defaced

The defacement of sco.com caused a lot of discussion. SCO has not yet provided any official statement. The only 'clue' so far is that SCO apparently used an old version of PHP. We usually do not cover defacements. However, in this case it may serve as another kick to upgrade PHP (see yesterday's diary). The exploit code is now available from multiple popular exploit repositories.

CDI East

We will have a number of our handlers attending and/or teaching at CDI East next week. A few spots are still open if you can make it. See http://www.sans.org/cdieast04/ . I hope to set up a 'Birds of a Feather' session or some similar get-together for people interested in ISC. If you attend, please watch the event boards.

--------
Johannes Ullrich, jullrich 'at' sans.org
Johannes, ISC Handler, Nov 30th 2004
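
The mailbag item above describes an HTML e-mail whose image tag loads from a web server addressed by IP on a high port. The following is an added example, not part of the original diary: a small Python check a mail filter could run over an HTML body to flag such image references. The function names, the set of "standard" ports and the sample body are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

STANDARD_PORTS = {80, 443}  # assumption: any other explicit port is flagged

class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":  # the parser lowercases tag and attribute names
            self.sources += [v for k, v in attrs if k == "src" and v]

def suspicious_images(html_body):
    """Return (url, reasons) for remote images on a bare IP or unusual port."""
    collector = ImgCollector()
    collector.feed(html_body)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # cid:, data: and relative references are not remote loads
        reasons = []
        try:
            ipaddress.ip_address(parts.hostname)
            reasons.append("ip-literal host")
        except ValueError:
            pass  # host is a DNS name
        try:
            port = parts.port
        except ValueError:  # non-numeric or out-of-range port
            port = None
            reasons.append("malformed port")
        if port is not None and port not in STANDARD_PORTS:
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample body; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE = (
    '<IMG class=attach alt="" src="http://192.0.2.10:12345/x/attachment.php'
    '?attachmentid=1&stc=1" border=0>'
    '<img src="https://www.example.com/logo.png"><img src="cid:part1@example">'
)

if __name__ == "__main__":
    print(suspicious_images(SAMPLE))
```
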