Latest M$ worm du jour, could it also be targeting sendmail?

Ryan.Oliver at pha.com.au Ryan.Oliver at pha.com.au
Thu May 22 23:53:45 PDT 2003


Greetings all,
This SHOULD go to lfs security, but I haven't got access to a newsreader
here...

We all know about the support at microsoft.com virus mail going around, but
here's something interesting I've dredged up from some logs.

======================================================
May 23 14:43:40 XXXX sendmail[3963]: [ID 801593 mail.info] h4N4hdIi003963:
from=<support at microsoft.com>, size=69731, class=0, nrcpts=1, msgid
=<20030523044315.9D8BE2A0ABA at XXXXXX.XXXXXX.com.au>, proto=ESMTP,
daemon=MTA-v4, relay=XXXXXX.XXXXXX.com.au [XXX.XXX.XXX.XXX]
May 23 14:43:40 XXXX sendmail[3965]: [ID 801593 mail.alert] h4N4hdIi003963:
Fixed MIME Content-Disposition header field (possible attack)
May 23 14:43:41 XXXX sendmail[3965]: [ID 801593 mail.info] h4N4hdIi003963:
to=<XXXXXXXX at XXXXXXX>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, p
ri=120597, relay=XXXXXX.XXXXXX.XXX.XX [XXX.XXX.XXX.XXX], dsn=2.0.0,
stat=Sent (Message accepted for delivery)
=======================================================

Interesting, methinks; note the
"Fixed MIME Content-Disposition header field (possible attack)"

This security fix was included in sendmail 8.12.9 to avoid a possible
buffer overflow...
http://www.sendmail.org/8.12.9.html

/me wonders if this latest #$%&^% worm is dual purpose, or if this is just
an artifact of the forged message.
(I haven't seen anything on the net yet linking this worm with this error,
but I suppose I'm probably one of the few anal people who regularly grep
their sendmail logs...)

Guess I'll have to capture one off the wire...
[R]
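The log excerpt above, as an added example that is not part of the original post: sendmail writes the envelope ("from="), the header-sanitisation alert and the delivery ("to=") as three separate syslog records that share one queue ID, so grepping for "(possible attack)" alone yields only the ID. The script below joins the records on that ID and reports sender, size and relay next to the alert. The sample lines are the post's own three lines, re-joined onto one line each and with the archive's " at " address obfuscation restored to "@" (which is how sendmail writes it); the field names are the ones sendmail itself logs. The helper names (parse_line, correlate, flagged_messages) are mine.

```python
"""Correlate sendmail '(possible attack)' alerts with envelope data by queue ID.

Added example, not code from the original post. sendmail logs the envelope
('from=' record), any header-sanitisation alert and the delivery ('to=' record)
as separate syslog lines that share one queue ID; joining on that ID gives the
sender, relay and size needed to decide whether an alert is worth chasing.
"""
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the post, re-joined onto one
# line each (the list archive wrapped them) and with the archive's " at "
# address obfuscation restored to "@". The XXX redactions are the poster's.
SAMPLE_LOG = """\
May 23 14:43:40 XXXX sendmail[3963]: [ID 801593 mail.info] h4N4hdIi003963: from=<support@microsoft.com>, size=69731, class=0, nrcpts=1, msgid=<20030523044315.9D8BE2A0ABA@XXXXXX.XXXXXX.com.au>, proto=ESMTP, daemon=MTA-v4, relay=XXXXXX.XXXXXX.com.au [XXX.XXX.XXX.XXX]
May 23 14:43:40 XXXX sendmail[3965]: [ID 801593 mail.alert] h4N4hdIi003963: Fixed MIME Content-Disposition header field (possible attack)
May 23 14:43:41 XXXX sendmail[3965]: [ID 801593 mail.info] h4N4hdIi003963: to=<XXXXXXXX@XXXXXXX>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120597, relay=XXXXXX.XXXXXX.XXX.XX [XXX.XXX.XXX.XXX], dsn=2.0.0, stat=Sent (Message accepted for delivery)
"""

# One sendmail syslog record. The "[ID nnn facility.level]" tag is the Solaris
# syslog style seen in the post; it is optional so plain syslog lines parse too.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ (?P<facility>[\w.]+)\] )?"
    r"(?P<qid>[A-Za-z0-9]{8,}): (?P<body>.*)$"
)

ALERT_MARK = "(possible attack)"


def parse_line(line):
    """Parse one record into ts/host/pid/facility/qid plus its key=value fields.

    Returns None for lines that are not sendmail queue records.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    fields = {}
    # Envelope records are "key=value, key=value, ..."; values such as
    # "relay=host [addr]" contain spaces but no ", " so this split is safe.
    for pair in re.split(r",\s+", body):
        key, sep, value = pair.partition("=")
        if sep and re.fullmatch(r"\w+", key):
            fields[key] = value
    rec["fields"] = fields
    # Free-text alerts (no key=value pairs) are kept whole if they carry the marker.
    rec["alert"] = body if ALERT_MARK in body else None
    return rec


def correlate(lines):
    """Group parsed records by queue ID into one summary dict per message."""
    msgs = defaultdict(lambda: {
        "qid": None, "from": None, "to": [], "size": None,
        "relay_in": None, "msgid": None, "alerts": [], "stat": None,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = msgs[rec["qid"]]
        msg["qid"] = rec["qid"]
        f = rec["fields"]
        if "from" in f:  # envelope record: who sent it, from where, how big
            msg["from"] = f["from"].strip("<>")
            msg["size"] = int(f["size"]) if f.get("size", "").isdigit() else None
            msg["relay_in"] = f.get("relay")
            msg["msgid"] = f.get("msgid", "").strip("<>") or None
        if "to" in f:  # delivery record: where it went and what happened
            msg["to"].append(f["to"].strip("<>"))
            msg["stat"] = f.get("stat")
        if rec["alert"]:
            msg["alerts"].append(rec["alert"])
    return dict(msgs)


def flagged_messages(lines):
    """Return summaries only for messages that triggered a '(possible attack)' alert."""
    return [m for m in correlate(lines).values() if m["alerts"]]


if __name__ == "__main__":
    for m in flagged_messages(SAMPLE_LOG.splitlines()):
        print(f"{m['qid']}: from={m['from']} size={m['size']} relay={m['relay_in']} "
              f"to={','.join(m['to'])} stat={m['stat']}")
        for a in m["alerts"]:
            print("    alert:", a)
```

Note that in the post's own lines the alert is logged at mail.alert while the envelope and delivery records sit at mail.info, so a syslog selector on mail.alert is the cheap way to have these surface without grepping; the delivery record also shows the message was still accepted (stat=Sent) after the header was rewritten, so the alert is a signal to look at, not evidence that anything was blocked.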

