
RE: Possible Intrusion Attempt?

From: Brad Webb <BWebb(at)ajb.com.au>
Date: Mon May 26 2003 - 22:05:01 EDT


We're seeing the same phenomenon here using ISA with NTLM authentication for clients. Certain spams pop up authentication windows, with our domain and a username that does not exist.

Unfortunately I don't have an example stored, but I remember that checking the HTML source reveals a few IMG SRC's and a *lot* of unrecognised HTML <> tags, mostly gibberish.

I can understand how the IMG SRC would pop an auth window if the resource was protected on the remote server, but as to why it uses the format of (OurDomain\unknownUsername), I have no idea. I'm sure it cannot be an auth request from our own ISA server, as all other Net access works fine on said client using IE's NTLM token.

Regards,  

Brad Webb
IT Administrator
AJB Publishing
t(direct): +61 02 8399 7659
t(switch): +61 02 8399 3611
f: +61 02 8399 3622
e: bwebb@ajb.com.au

-----Original Message-----
From: FWAdmin [mailto:FWAdmin@nbpower.com]
Sent: Tuesday, 27 May 2003 12:03 AM
To: 'Matt LaFelero'; incidents@securityfocus.com
Subject: RE: Possible Intrusion Attempt?

A few of our users have received the same thing. We also use MS Proxy 2.0, but they get popups for authentication with some weird user name in the user ID box. The text of the message is as follows:

<B>Subject:</B> are you tired of
being single? ut qw pydxve j<BR><BR></FONT></DIV>Loading please wait... <A href="http://www.beowolfhost.com/1/index.html?a=MTEyfDI="><IMG src="http://beowolfhost.com/4/amateur_match_400x300_01.jpg" NOSEND="1"><A>rr vs
sv h qacvntnzzf adcyf nxsci qvi hane o lopp qcnazyh bk gzsdh ic uxjuz u qwx h t
</A><BR>

Do you need help?X

The e-mail didn't trigger authentication with me, and all it downloaded was an image. Depending on a user's proxy settings, this message may or may not prompt for authentication.

Did you get a look at what the login screen was for? Ours was a login prompt for our proxy cluster, not the remote web site.




This message and its attachments may contain legally privileged or confidential information. It is intended solely for the named addressee. If you are not the addressee indicated in this message (or responsible for delivery of the message to the addressee), you may not copy or deliver this message or its attachments to anyone. Rather, you should permanently delete this message and its attachments and kindly notify the sender by reply e-mail. Any content of this message and its attachments which does not relate to the official business of AJB Publishing or its subsidiaries must be taken not to have been sent or endorsed by any of them. No warranty is made that the e-mail or attachment(s) are free from computer virus or other defect.  
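The thread's observation is that an HTML mail with a remote IMG SRC makes the mail client fetch the image through the proxy, and that fetch, not anything local, is what raises the login prompt; Brad also notes the padding of gibberish tags around it. The scanner below is an added example written for this archive page, not code from either poster or from their proxy products. It parses an HTML body, lists remote http(s) image references (the only kind that opens an outbound connection) and counts start tags outside an assumed KNOWN_TAGS whitelist. The first sample is the snippet quoted in FWAdmin's mail; the second is constructed here to show the gibberish-tag case.

```python
"""Flag HTML mail bodies that reference remote images and carry padding tags.

Added example for the "Possible Intrusion Attempt?" thread; the KNOWN_TAGS
whitelist and the second sample body are assumptions made for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags an ordinary marketing mail is expected to use (assumption for this
# example). Anything else is treated as one of the "unrecognised" tags Brad
# describes seeing in the spam source.
KNOWN_TAGS = {
    "html", "head", "body", "title", "meta", "style", "div", "span", "p",
    "br", "b", "i", "u", "strong", "em", "font", "a", "img", "table", "tr",
    "td", "th", "tbody", "thead", "center", "h1", "h2", "h3", "ul", "ol",
    "li", "hr", "small", "big", "blockquote", "pre",
}


class RemoteRefScanner(HTMLParser):
    """Collect remote image references and start tags outside KNOWN_TAGS."""

    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.unknown_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in KNOWN_TAGS:
            self.unknown_tags.append(tag)
            return
        if tag == "img":
            src = dict(attrs).get("src") or ""
            u = urlparse(src)
            # Only http(s) URLs with a host make the client open a connection
            # (through the proxy, in the posters' setups); cid:/data: images
            # are embedded in the message and never leave the mailbox.
            if u.scheme in ("http", "https") and u.netloc:
                self.remote_images.append(src)


def scan_html(body, unknown_tag_threshold=5):
    """Return which remote images the body would fetch and how padded it is."""
    parser = RemoteRefScanner()
    parser.feed(body)
    parser.close()
    hosts = sorted({urlparse(s).netloc.lower() for s in parser.remote_images})
    return {
        "remote_images": parser.remote_images,
        "remote_hosts": hosts,
        "unknown_tags": parser.unknown_tags,
        # A remote image is what can trigger the proxy/remote-site login
        # prompt the thread describes; the unknown-tag count is just the
        # filter-evasion padding Brad mentions.
        "flag": bool(parser.remote_images),
        "padded": len(parser.unknown_tags) >= unknown_tag_threshold,
    }


# Sample 1: the HTML quoted in FWAdmin's mail (copied from the thread).
SAMPLE_THREAD = (
    '<B>Subject:</B> are you tired of being single? ut qw pydxve j<BR><BR>'
    '</FONT></DIV>Loading please wait... '
    '<A href="http://www.beowolfhost.com/1/index.html?a=MTEyfDI=">'
    '<IMG src="http://beowolfhost.com/4/amateur_match_400x300_01.jpg" NOSEND="1">'
    '<A>rr vs</A><BR>'
)

# Sample 2: constructed for this example; gibberish tags plus an embedded
# (cid:) image, which should not count as a remote fetch.
SAMPLE_CONSTRUCTED = (
    '<div>Hello <qzv>there</qzv><xkp3>and</xkp3><wmm9></wmm9>'
    '<tr7>more</tr7><gg4>text</gg4><img src="cid:logo@example.invalid"></div>'
)


if __name__ == "__main__":
    for name, body in (("thread", SAMPLE_THREAD), ("constructed", SAMPLE_CONSTRUCTED)):
        report = scan_html(body)
        print(name, "->", "remote hosts:", report["remote_hosts"],
              "| unknown tags:", len(report["unknown_tags"]),
              "| flag:", report["flag"], "| padded:", report["padded"])
```

On the quoted spam the scanner reports one remote image on beowolfhost.com and no unknown tags, which matches FWAdmin's note that the mail only downloaded an image; on the constructed body it reports padding but no outbound fetch. In a mail gateway the "flag" result is the one worth acting on (strip or rewrite remote images before delivery), and the proxy log entry for that image URL, with its 401 or 407 status, is the check that tells you whether the prompt came from the remote site or from your own proxy, the question raised at the end of the quoted mail.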



Received on Tue May 27 11:48:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:06 EDT

