Re: is this new ...

From: George Theall (theallat_private)
Date: Mon May 26 2003 - 14:26:59 PDT


    On Sat, May 24, 2003 at 07:22:18AM -0700, terry white wrote:
    
    > ... anyone know what this is:
    > 
    > "May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME
    >  Content-Disposition header field (possible attack)"
    
    More than likely, it's evidence of the Sobig.B (aka Palyh or Mankx) worm
    entering your mail system -- search your mail log for the spool id
    (h40Cg7Da003834) and see if the from address is supportat_private.
    
    Starting with 8.12.8, I believe, sendmail now creates such log entries
    in an attempt to prevent MUA overflows wrt MIME headers.  This worm
    apparently has a Content-Disposition header that is too big and hence
    is shortened by your sendmail daemon. 
    
    
    George
    -- 
    theallat_private
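
The log search suggested in the message above, written as an added example that is not part of the original post: it lists every queue id for which sendmail logged the "Fixed MIME Content-Disposition" entry and pairs it with the envelope sender from that queue id's `from=` line, whichever order the two lines appear in. The function names are hypothetical, the standard syslog field layout is assumed, and every sample line except the quoted "Fixed MIME" entry is constructed.

```shell
#!/bin/sh
# Added example: correlate sendmail's header-rewrite warnings with envelope senders.

# flagged_senders LOGFILE -> prints "queue_id sender" per flagged message.
flagged_senders() {
    awk '
    # Assumed layout: Mon DD HH:MM:SS host sendmail[pid]: qid: text...
    $5 ~ /^sendmail\[[0-9]+\]:$/ {
        qid = $6; sub(/:$/, "", qid)
        if (index($0, "Fixed MIME Content-Disposition header field")) {
            if (!(qid in flagged)) order[++n] = qid   # keep first-seen order
            flagged[qid] = 1
        }
        if ($7 ~ /^from=/) {                          # envelope sender line
            addr = $7
            sub(/^from=/, "", addr); sub(/,$/, "", addr)
            gsub(/[<>]/, "", addr)
            from[qid] = addr
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            q = order[i]
            print q, ((q in from) ? from[q] : "(no from= line found)")
        }
    }' "$1"
}

# write_sample_log PATH -> constructed sample maillog (addresses and the
# second and third queue ids are made up; 192.0.2.0/24 is documentation space).
write_sample_log() {
    cat > "$1" <<'EOF'
May 24 05:42:31 yossarian sendmail[3835]: h4OCg7Da003834: Fixed MIME Content-Disposition header field (possible attack)
May 24 05:42:32 yossarian sendmail[3835]: h4OCg7Da003834: from=<sender-a@example.com>, size=52480, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
May 24 05:50:02 yossarian sendmail[3901]: h4OCo1Da003900: from=<sender-b@example.com>, size=1204, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.11]
May 24 05:50:03 yossarian sendmail[3902]: h4OCo1Da003900: to=<user@example.com>, delay=00:00:01, mailer=local, stat=Sent
May 24 06:01:10 yossarian sendmail[4012]: h4OD1ADa004011: Fixed MIME Content-Disposition header field (possible attack)
EOF
}

# Demo run against the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
flagged_senders "$demo_log"
rm -f "$demo_log"
```

A flagged queue id with no matching `from=` line usually means that line sits in a rotated log file, so run the function over the adjacent log as well.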
    
    
    


