Security Incidents mailing list archives
Re: formmail
From: dewt <dewt () kc rr com>
Date: Sun, 2 Sep 2001 09:26:58 -0500
On Saturday 01 September 2001 04:50 pm, Soeren Ziehe wrote:
Hello incidents,

while looking at our weblogs something caught my eye this week. There was an attempt to use a formmail perl script installed on our server from a non-local address. A quick grep through our weblogs for this month and back to the beginning of this year revealed a ton of requests for the 20th this month and a few requests on the 11th, 23rd, 27th and 29th.

OK. Here's the beef: I "censored" the last digits of the culprit's IP address or the first part of the culprit's DNS name. Also [server] stands for the hostname of my server. It all began on the 11th.

<snip>

If you've stayed with me until here. Has anyone seen the same access attempt patterns/tool signatures?

Robinton

formmail has a bug in it that allows anyone to use it as a mass spam mailer; update to the latest version to stop this from happening.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com