[Dshield] Here's a new one...possible Yahoo exploit?

Mike mjcarter at ihug.co.nz
Wed Apr 14 09:44:04 GMT 2004


Hi Pete,

Looks like classic Netsky
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.p@mm.html

http://vil.nai.com/vil/content/v_101119.htm

using http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx


Regards
Mike
http://homepages.ihug.co.nz/~mjcarter/


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Pete Cap
Sent: Wednesday, April 14, 2004 12:29 PM
To: General DShield Discussion List
Subject: [Dshield] Here's a new one...possible Yahoo exploit?


Just received the following in my Yahoo! Bulk Mail folder.

>From: kka at kidagin.com
>To: peteoutside at yahoo.com
>Subject: Mail Delivery (failure peteoutside at yahoo.com)
>Date: Mon, 12 Apr 2004 06:02:18 -0400
>
>If the message will not displayed automatically,
>follow the link to read the delivered message.
>
>Received message is available at:
>www.yahoo.com/inbox/peteoutside/read.php?sessionid-9853

Yahoo renders the url thus:
http://us.f601.mail.yahoo.com/ym/us/ShowLetter?box=%40B%40Bulk&MsgId=4138_2453092_370_973_30618_0_10662_41372_94775594&bodyPart=2&YY=79747&order=down&sort=date&pos=0&view=a&head=b

I'm pretty sure ShowLetter is a JavaScript used to display messages and
attachments.

The url appears to be nonstandard...the trailing "/us/" after the yahoo.com
doesn't appear in any of the legitimate links in my mailbox.

This is obviously nonstandard, probably malicious...but I have to wonder how
it's supposed to work (no, I haven't followed the link yet).  Browser
exploit of some kind?  Did someone perhaps compromise Yahoo?  Is it a
vulnerability in the way they allow access to mailboxes? (ie, could I in
effect read someone else's mail?)

I have just forwarded this to Yahoo's security nebbishes but wanted to tip
the list off as well.

Any ideas?
Regards,

Pete

