Security Incidents mailing list archives
Re: Matt Wright FormMail Attacks
From: Michael Hottinger <m.hottinger () zi unizh ch>
Date: Tue, 15 Jan 2002 08:04:47 +0100
Hi

After some probes at Christmas last year, I hardcoded the email recipient of the web forms of our wind band (http://www.mv-weisslingen.ch), so no faked mail can be sent to the rest of the world by our FormMail script. But I want to inform you that somebody tried to misuse the FormMail CGI script on Wednesday, January 2, 2002 to send faked mails, apparently to AOL customers (see Appendix 1). As I had fixed our script, he did not succeed... But I think the same sender will also try to send his faked mails through other unsecured FormMail scripts on other web servers.

A link in these mails points to a faked AOL website: http://aolbilling.knows.it where a frame is redirected to http://www.geocities.com/aobilling2002/

On this website, which looks like official AOL pages, you will find a form to request
- credit card information
- social information
- AOL account information
- ...
from the people asked to update their AOL account information.

I also checked the log of the web server and saw that most requests came from the same IP address: cs2416299-149.hot.rr.com.

I wrote to
- AOL (it's all about their customers)
- geocities.com (hosting provider of the web page)
- knows.it (redirection to geocities)
- rr.com (origin of the FormMail posts)
- bravenet.org (content of the AOL form is posted there)
- several credit card companies (fraud)

That all happened on Wednesday, January 2, 2002 and Thursday, January 3, but still no reaction, and the mentioned web page is still up...

Any ideas what to do now?

Greetings from Switzerland
Michael Hottinger

Appendix 1: Example mail (with our hardcoded recipient address):

Date: Wed, 2 Jan 2002 20:01:18 +0100
To: info () mv-weisslingen ch
From: CATBillingRep () aol com
Subject: Dear AOL Member,

Ausgefuelltes Formular vom Wednesday, January 2, 2002 at 20:01:18
---------------------------------------------------------------------------:
Dear Member<BR><BR><BR>We at America Online Inc. are sorry to inform you that we are having problem's with the billing information of your account. We would appreciate it if you would goto our website [<A HREF="aol://1223:26260/http://aolbilling.knows.it/">AOL Billing Center</A>] and fill out the proper information that we are needing to keep you as an AOL member here on America Online.<BR><BR>If you think you have received this email as an error. Please goto the website and fill out the information. That way we can make sure that everything is ok! Again here is the hyperlink to the page. <A HREF="aol://1223:26260/http://aolbilling.knows.it/">AOL Billing Center</A><BR>
<BR> Joe Watson<BR> AOL Billing Center<BR> Rep ID. 355F<BR> <BR>We do hope to continue doing business with you!<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><B
---------------------------------------------------------------------------

Appendix 2: Web server log

cs2416299-149.hot.rr.com - - [02/Jan/2002:09:04:54 +0100] "GET /cgi-bin/formmail.pl?email=CATBillingRep () aol com&recipient=BonafideBeaner () aol com&subject=Dear%20AOL%20Member,&=Dear+Member%3CBR%3E%3CBR%3E%3CBR%3EWe+at+America+Online+Inc.+are+sorry+to+inform+you+that+we+are+having+problem%27s+with+the+billing+information+of+your+account.++We+would+appreciate+it+if+you+would+goto+our+website++%5B%3CA+HREF%3D%22aol%3A%2F%2F1223%3A26260%2Fhttp%3A%2F%2Faolbilling.knows.it%2F%22%3EAOL+Billing+Center%3C%2FA%3E%5D+and+fill+out+the+proper+information+that+we+are+needing+to+keep+you+as+an+AOL+member+here+on+America+Online.%3CBR%3E%3CBR%3EIf+you+think+you+have+received+this+email+as+an+error.++Please+goto+the+website+and+fill+out+the+information.++That+way+we+can+make+sure+that+everything+is+ok%21++Again+here+is+the+hyperlink+to+the+page.++%3CA+HREF%3D%22aol%3A%2F%2F1223%3A26260%2Fhttp%3A%2F%2Faolbilling.knows.it%2F%22%3EAOL+Billing+Center%3C%2FA%3E%3CBR%3E%0D%0A%3CBR%3E%0D%0AJoe+Watson%3CBR%3E%0D%0AAOL+Billing+Center%3CBR%3E%0D%0ARep+ID.+355F%3CBR%3E%0D%0A%3CBR%3E%0D%0AWe+do+hope+to+continue+doing+business+with+you%21%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3 HTTP/1.1" 200 2762 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; T312461)"
-------------------------------------------------------------------------
Michael Hottinger                      m.hottinger () zi unizh ch
Universitaet Zuerich                   Phone: +41 1 63 54515
Zentrum Informatikdienste              Fax:   +41 1 63 54505
Winterthurerstr.190, CH-8057 Zuerich
http://www.zi.unizh.ch/services/pc-mac-support/crew/hottinger/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
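The Appendix 2 log line shows what made this abuse visible: the attacker passed the destination address in the `recipient=` query parameter of a GET request, so it ends up in the web server access log. The following is an added example (not the poster's code, and not part of Matt Wright's FormMail) that applies the poster's mitigation as an allowlist check over such log lines; the addresses, IPs and `ALLOWED_RECIPIENTS` value are constructed, and the sample lines only mimic the shape of the Appendix 2 entry.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Addresses the site's own form may deliver to (the post's "hardcoded recipient",
# expressed as an allowlist). Constructed value.
ALLOWED_RECIPIENTS = {"info@example.org"}

# Apache combined log: client, identd, user, [timestamp], "method target proto", status, size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Constructed sample lines in the shape of the post's Appendix 2 (no real addresses).
SAMPLE_LINES = [
    # Relay attempt: the recipient parameter points outside the site.
    '203.0.113.7 - - [02/Jan/2002:09:04:54 +0100] "GET /cgi-bin/formmail.pl?'
    'email=billing%40example.net&recipient=member%40example.com&subject=Dear%20Member,'
    '&=Dear+Member%3CBR%3E%3CBR%3E HTTP/1.1" 200 2762 "-" "Mozilla/4.0 (compatible)"',
    # Legitimate submission from the site's own form.
    '198.51.100.9 - - [02/Jan/2002:10:12:01 +0100] "GET /cgi-bin/formmail.pl?'
    'recipient=info%40example.org&email=fan%40example.com&subject=Concert HTTP/1.0" 200 1932 "-" "Mozilla/4.0"',
    # POST: the body, and with it the recipient, never reaches the access log.
    '198.51.100.9 - - [02/Jan/2002:10:13:44 +0100] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1932 "-" "Mozilla/4.0"',
]

def formmail_params(target):
    """Decoded query parameters of a FormMail request target, or None if not FormMail."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/formmail.pl"):
        return None
    # parse_qs undoes %XX and '+' encoding; first value wins for repeated keys
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

def classify(line):
    """Verdict dict for a FormMail hit, None for any other request."""
    m = LOG_RE.match(line)
    params = formmail_params(m.group("target")) if m else None
    if params is None:
        return None
    if "recipient" not in params:
        verdict = "unverifiable"   # recipient travelled in a POST body, not the URL
    elif params["recipient"] in ALLOWED_RECIPIENTS:
        verdict = "ok"
    else:
        verdict = "relay-attempt"  # the form was used to mail a third party
    return {"client": m.group("client"), "recipient": params.get("recipient", ""),
            "from": params.get("email", ""), "verdict": verdict}

def relay_attempts(lines):
    """(client, recipient) pairs for requests that tried to mail outside the allowlist."""
    hits = (classify(line) for line in lines)
    return [(h["client"], h["recipient"]) for h in hits if h and h["verdict"] == "relay-attempt"]
```

The "unverifiable" verdict is the caveat: once the same form is driven by POST, the access log no longer carries the recipient, so the allowlist has to be enforced in the script itself (as the poster did) rather than only discovered in the log afterwards.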