IMAP scans, password protected image, database update, sco hack, cdi east.

Published: 2004-11-29
Last Updated: 2004-11-30 04:16:36 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
IMAP scans

Scans against port 143 (imap) are up considerably today:
http://isc.sans.org/port_details.php?port=143

This coincides with the release of an exploit against imap server in Mercury Mail 4.01 (aka Pegasus Mail). For details, see http://www.pmail.com/ .
I don't think this package is very popular, but some Windows users may use it as an easy to administer/install mailserver.

In addition, a number of vulnerabilities against the popular Cyrus IMAP server where released last week: http://security.e-matters.de/advisories/152004.html

Mailbag: Odd password protected image in email

A reader forwarded an e-mail which included a link to a web server running
on a high port. However, the web server was password protected. We do suspect that the administrator of the server became aware of the server spreading malware and setup the password to avoid further damage. Please let use know if you got similar e-mails. Excerpts:

<IMG class=attach alt=""
src="http://a.b.c.d:12345/slkdh56c/attachment.php?attachmentid=3948&amp;stc=1"
border=0>

(I did modify the port numbers and the content of the link somewhat as they may point back to the submitter, and are probably easily changed by the attacker).

Database Update

Earlier, I posted a complete summary of our "database outage" to the
DShield mailing list. Its rather long, so I won't post it here. If you are interested, see here: http://lists.sans.org/pipermail/list/2004-November/062828.html

In a reply off list, a reader noted that solar flare activity was up significantly and may have caused problems ;-). Nevertheless, Intelsat lost one of its satellites this week: http://www.geekzone.co.nz/content.asp?contentid=3728
sco.com defaced

The defacement of sco.com caused a lot of discussions. SCO has not yet provided any official statement. The only 'glue' so far is that SCO apparently used an old version of PHP. We usually do not cover defacements. However, in this case it may serve as an other kick to upgrade php (see yesterday's diary). The exploit code is now available from multiple popular exploit repositories.

CDI East

We will have a number of our handlers attending and/or teaching at CDI East next week. A few spots are still open if you can make it. See http://www.sans.org/cdieast04/ . I hope to setup a 'Birds of a Feather' session or some similar get together for people interested in ISC. If you attend, please watch the event boards.

--------

Johannes Ullrich, jullrich'\nat';sans.org
Keywords:
0 comment(s)

Comments


Diary Archives