Security Incidents mailing list archives

Re: formmail


From: dewt <dewt () kc rr com>
Date: Sun, 2 Sep 2001 09:26:58 -0500

On Saturday 01 September 2001 04:50 pm, Soeren Ziehe wrote:
> Hello incidents,
>
> while looking at our weblogs something caught my eye this week.
>
> There was an attempt to use a formmail perl script installed on our
> server from a non-local address.
>
> A quick grep through our weblogs for this month and back to the beginning
> of this year revealed a ton of requests for the 20th of this month and a
> few requests on the 11th, 23rd, 27th and 29th.
>
> OK. Here's the beef:
>
> I "censored" the last digits of the culprit's IP address or the first
> part of the culprit's DNS name. Also [server] stands for the hostname of
> my server.
>
> It all began on the 11th.

<snip>

> If you've stayed with me until here: has anyone seen the same access
> attempt patterns/tool signatures?
>
> Robinton


formmail has a bug in it that allows anyone to use it as a mass spam mailer;
update to the latest version to stop this from happening.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
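
The kind of log review described in this thread, as an added example that is not part of the original posts: a Python sketch that counts requests to a formmail script from non-local clients, per day and per client. The log format, local address ranges, local domain and sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed values, not from the post: local ranges/domain and log format.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAIN = ".example.org"

# Apache common log format: client host, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" \d{3} ')
# Script path, any case, with or without an extension or query string.
FORMMAIL_RE = re.compile(r'/formmail(\.pl|\.cgi)?(\?|$)', re.IGNORECASE)

def is_local(host):
    """True if the client is inside our own networks or domain."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # log holds a resolved DNS name instead of an IP
        return host.lower().endswith(LOCAL_DOMAIN)
    return any(addr in net for net in LOCAL_NETS)

def formmail_hits(lines):
    """Count non-local requests to the formmail script per (day, client)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and FORMMAIL_RE.search(m["path"]) and not is_local(m["host"]):
            hits[(m["day"], m["host"])] += 1
    return hits

def daily_totals(hits):
    """Collapse per-client counts into one total per day."""
    totals = Counter()
    for (day, _host), n in hits.items():
        totals[day] += n
    return totals

# Constructed sample log lines (documentation addresses, not real data).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Aug/2001:10:02:11 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.7 - - [11/Aug/2001:23:14:02 +0200] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 431
203.0.113.45 - - [20/Aug/2001:03:00:01 +0200] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 98
203.0.113.45 - - [20/Aug/2001:03:00:02 +0200] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 98
dialup-12.example.net - - [20/Aug/2001:03:05:40 +0200] "GET /cgi-bin/formmail.cgi?x=1 HTTP/1.0" 404 210
www.example.org - - [20/Aug/2001:09:00:00 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.7 - - [20/Aug/2001:09:30:00 +0200] "GET /index.html HTTP/1.0" 200 1043
""".splitlines()

if __name__ == "__main__":
    for (day, host), n in sorted(formmail_hits(SAMPLE_LOG).items()):
        print(day, host, n)
```

A day whose total stands far above the others, or a single client with many hits, is the pattern worth a closer look in the raw log.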