[Dshield] Clueless system of the week award

Sue Young smy at gcmlp.com
Tue Feb 10 15:13:21 GMT 2004


I just got a virus bounce that illustrated the most insane security flaw I
have ever seen.  It sent me a list with titles, names, and phone numbers of
everyone at Penn State named Jerry or some variant.  Here's a sample with
part of a virus stuck on the bottom.  I've obscured the personal information
and cut off a bunch of them.

I won't even let out of office messages or virus bounces go out of my site.
This is just plain nuts.

Sue Young

-----Original Message-----
From: MAILER-DAEMON at psu.edu [mailto:MAILER-DAEMON at psu.edu] 
Sent: Tuesday, February 10, 2004 8:18 AM
To: intrusion at sans.org
Subject: Returned mail - nameserver error report

 --------Message not delivered to the following:

           jerry    Multiple matches found for nameserver query

 --------Error Detail (phquery V4.1):

 The message, "Multiple matches found for nameserver query," is generated
whenever the ph nameserver finds multiple matches for the supplied name.
 The steering philosophy is that mail should be delivered only to the
addressed individual.  Since the supplied information is insufficient  to
locate a specific individual, your message is being returned.
 To help you locate the correct individual, selected fields from the
possible matches are included below.  The alias field is the only one
guaranteed unique within a given ph community.
 
 name: Ax, Jerry
 alias: jxxx
 curriculum: BUSINESS ADMIN
 title: Undergrad Student

 name: Axxx, Ger
 alias: jxxxxx
 phone: +1 814 863 0000
 department: PENN STATE INSTIT. E
 title: PROJ COORD

 name: Bxxx JER
 alias: jxx

 name: Bxxxr, Je
 alias: jjxxxx
 curriculum: NON DEGREE
 title: Undergrad Student

 name: Bxxxx, Jer
 alias: jxxxx
 phone: +1 814 865 0000
 department: SCHOOL OF VISUAL ART
 title: ART SHOP SUPV

 name: Bxxxx, Je
 alias: j
 phone: +1 814 865 0000
 department: Academic Serv & Emer
 title: SR APPLS PRGMR/ANLST

 name: Bxxxx, 
 alias: xxxx
 curriculum: CURRIC & INSTRUCTION
 title: Grad Student

 name: Bxxxx, Je
 alias: xxxx
 phone: +1 570 385 0000
 department: ADMISSIONS
 title: DIR ENROL MGMT

 name: Bxxx, j
 alias: gxxxx
 curriculum: ENGINEERING
 title: Undergrad Student
 --------Unsent Message below:

Received: from sans.org ([203.81.215.128])
	by f05n11.cac.psu.edu (8.9.3p2.1/8.9.3) with ESMTP id JAA175008
	for <jerry at psu.edu>; Tue, 10 Feb 2004 09:17:42 -0500
From: intrusion at sans.org
Message-Id: <200402101417.JAA175008 at f05n11.cac.psu.edu>
To: jerry at psu.edu
Subject: 
Date: Tue, 10 Feb 2004 19:20:37 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0001_A29290B3.E9D62F7A"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0001_A29290B3.E9D62F7A
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit

The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment.


------=_NextPart_000_0001_A29290B3.E9D62F7A
Content-Type: application/octet-stream;
	name="doc.cmd"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="doc.cmd"

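As an added example (not part of the original post and not phquery's own code): a check an outbound mail gateway could run on auto-generated replies, holding any that carry ph-style directory records or hand back an executable attachment, as the bounce above does. The function name, the extension list and the sample message are constructed assumptions.

```python
import re

# Field names as they appear in the phquery bounce quoted above.
PH_FIELD = re.compile(
    r"^[ \t]*(name|alias|phone|department|title|curriculum):[ \t]*\S", re.I | re.M)
AUTO_SENDER = re.compile(r"^From:[ \t]*.*\b(MAILER-DAEMON|postmaster)\b", re.I | re.M)
# Assumption: extensions this site treats as executable attachments.
EXEC_NAME = re.compile(r'filename="?[^"\r\n]+\.(cmd|exe|pif|scr|bat|com)"?', re.I)
# "TVqQ" is how the usual start of a DOS/PE header (4D 5A 90) looks in base64.
MZ_BASE64 = re.compile(r"^TVqQ[A-Za-z0-9+/]", re.M)


def audit_outbound(raw: str) -> dict:
    """Report what an outbound message would disclose and whether to hold it."""
    headers, _, body = raw.partition("\n\n")
    fields = [m.group(1).lower() for m in PH_FIELD.finditer(body)]
    findings = {
        "auto_generated": bool(AUTO_SENDER.search(headers)),
        # The bounce says alias is the only unique field, so count records by it.
        "directory_records": fields.count("alias"),
        "phone_numbers": fields.count("phone"),
        "returns_executable": bool(EXEC_NAME.search(body) or MZ_BASE64.search(body)),
    }
    leaks = findings["directory_records"] > 0 or findings["returns_executable"]
    findings["action"] = "hold" if findings["auto_generated"] and leaks else "pass"
    return findings


# Constructed sample modelled on the bounce above; all names and numbers are made up.
SAMPLE = """From: MAILER-DAEMON@example.edu
To: sender@example.org
Subject: Returned mail - nameserver error report

 --------Error Detail (phquery V4.1):
 name: Doe, Jerry
 alias: jd1
 title: Undergrad Student

 name: Roe, Gerald
 alias: gr2
 phone: +1 555 0100
 --------Unsent Message below:
Content-Disposition: attachment;
\tfilename="doc.cmd"

TVqQAAMAAAAEAAAA
"""

if __name__ == "__main__":
    print(audit_outbound(SAMPLE))
```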