Re: Real-world attacks on sendmail CA-2003-07 seen

From: Curt Wilson (netw3_securityat_private)
Date: Mon Mar 10 2003 - 00:52:52 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    
    Could "actively exploited" only mean that someone has compiled the LSD code and is launching attacks in an attempt to find vulnerable systems? I'm guessing (without having tried it yet) that the exploit code, even when directed at a non-vulnerable system, may trigger the log alert that the patch added to sendmail. Of course it would not be too hard for a decent coder to modify the exploit or write their own.
    
    If anyone actually detects a successful exploitation from this type of sendmail attack, for instance on one of your honeypot systems, please publicize any packet captures, tools, and any other data received in the process. I will check my own sendmail logs and see if I can come up with anything interesting on this front.
    
    Curt Wilson
    
    On Fri, 07 Mar 2003 09:37:13 -0800 Bennett Todd <betat_private> wrote:
    >Just a heads-up everyone, the sendmail header parsing buffer
    >overflow announced this last Monday, as (among other things) CERT
    >CA-2003-07[1] is now being actively exploited on the internet.
    >
    >We logged received msgs that triggered the truncator code this
    >morning at about 3 in the morning, US/Eastern; three different
    >attacks spread over two different MX hosts.
    >
    
    Curt R. Wilson
    Netw3 Security
    www.netw3.com
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify
    
    wmMEARECACMFAj5sUZMcHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
    aRH3K3qCAKCSoG5ycdvkiOuP6lHWd9dMENzTwQCdEWdmTcZd0px52BmDK6GXAWdJmbE=
    =myz5
    -----END PGP SIGNATURE-----
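Both posts above rely on the same detection signal: the patched sendmail logs an alert when its header truncator fires, and the interesting question for a defender is how many of those alerts appeared, on which MX hosts, and from which relays. The following script is an added example for this thread, not code from either poster; it correlates the alert line with the later `from=... relay=...` line of the same queue id and summarizes per host and per relay. The alert text in `ALERT_TEXT` and the syslog layout are assumptions (check the exact string your sendmail version emits), and the log lines are constructed samples, not captures from the incident.

```python
import re
from collections import Counter

# Assumed alert text logged by the patched crackaddr(); verify against your sendmail build.
ALERT_TEXT = "Dropped invalid comments from header address"

# Constructed sample syslog lines (not real captures): three alerts across two MX hosts.
SAMPLE_LOG = """\
Mar  7 03:02:11 mx1 sendmail[4121]: h27827JQ004121: Dropped invalid comments from header address
Mar  7 03:02:11 mx1 sendmail[4121]: h27827JQ004121: from=<test@example.invalid>, size=1880, class=0, nrcpts=1, proto=ESMTP, relay=[192.0.2.10]
Mar  7 03:05:40 mx2 sendmail[2210]: h27857BX002210: Dropped invalid comments from header address
Mar  7 03:05:40 mx2 sendmail[2210]: h27857BX002210: from=<x@example.invalid>, size=1902, class=0, nrcpts=1, proto=SMTP, relay=[192.0.2.10]
Mar  7 03:17:09 mx1 sendmail[4200]: h278H9JQ004200: Dropped invalid comments from header address
Mar  7 03:17:09 mx1 sendmail[4200]: h278H9JQ004200: from=<y@example.invalid>, size=1877, class=0, nrcpts=1, proto=ESMTP, relay=[198.51.100.7]
Mar  7 09:00:01 mx1 sendmail[4500]: h28F01JQ004500: from=<ok@example.invalid>, size=512, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.invalid [203.0.113.5]
"""

# Generic syslog + sendmail prefix: timestamp, host, "sendmail[pid]:", queue id, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$"
)
RELAY_RE = re.compile(r"relay=([^,]+)")


def parse_lines(log_text):
    """Yield one dict per line that matches the sendmail syslog shape; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def correlate_alerts(log_text):
    """Map each queue id that logged the alert to its time, MX host and sending relay.

    The alert is logged while headers are parsed, before the from= line, so the two
    records are joined on queue id rather than on line order.
    """
    alerts = {}
    relays = {}
    for rec in parse_lines(log_text):
        if ALERT_TEXT in rec["msg"]:
            alerts[rec["qid"]] = {"time": rec["ts"], "host": rec["host"], "relay": None}
        rm = RELAY_RE.search(rec["msg"])
        if rm:
            relays[rec["qid"]] = rm.group(1).strip()
    for qid, info in alerts.items():
        info["relay"] = relays.get(qid)
    return alerts


def summarize(log_text):
    """Count alerts per MX host and per relay, to spot scans hitting several MXes."""
    alerts = correlate_alerts(log_text)
    return {
        "by_host": dict(Counter(a["host"] for a in alerts.values())),
        "by_relay": dict(Counter(a["relay"] for a in alerts.values() if a["relay"])),
    }


if __name__ == "__main__":
    for qid, info in correlate_alerts(SAMPLE_LOG).items():
        print(qid, info)
    print(summarize(SAMPLE_LOG))
```

Run it against a real maillog by replacing `SAMPLE_LOG` with the file contents; a relay that trips the alert on more than one MX host within minutes is the pattern Bennett describes, and the queue ids let you pull the matching queue files or packet captures for the data Curt asks for.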
    
    