Security Incidents mailing list archives
Re: new type of formmail probes
From: robinton () gmx de (Soeren Ziehe)
Date: 06 Sep 2002 10:44:00 +0200
In article <1031192635.27151.37.camel@bloodnock> [05 Sep 02] Russell Fulton <r.fulton () auckland ac nz> wrote:
Am I right in assuming that this is just more spammers looking for places to launder mail or is it more sinister than that? I.e. do we believe the 'arbitrary command execution attempt' bit?
Spammers looking for vulnerable formmail versions. For the last months they've been looking for

/cgi-bin/formmail.pl
/cgi-bin/formmail.cgi
/cgi-local/formmail.pl
/cgi-local/formmail.cgi

Since last week I also see probes for

/cgi-bin/FormMail.pl
/cgi-bin/FormMail.cgi

We had 2 incidents in our network where "older" (1.6 - latest is 1.92) installations were detected in "non-standard" locations.

For one incident I've got log data. The attack consisted of coordinated accesses from several locations worldwide (br, us, de, edu, jp, ...). After disabling the script (ca. 3h into the attack) these distributed attacks continued for about 18 hours. Address restrictions were circumvented by using "<recipient () example com>www.victim.com" style recipient addresses.

No hard evidence, but I suspect the following:
- the spammers may be looking actively for forms and associated scripts by spidering websites
- the spammers may command "bot nets" or distributed cracked and compromised hosts, which then are used to send out spam.

Robinton
--
Origin: The answer is 41.735979 ! ;-)
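The probes and the recipient style described in this message can be looked for in web server access logs. The following Python sketch is an added example, not part of the original post: the log lines, client addresses and the domain victim.example are constructed, and it assumes Common Log Format and a `recipient` query parameter on GET requests.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Script names from the post, matched case-insensitively in any directory
# because the post reports installs found in "non-standard" locations.
FORMMAIL = re.compile(r"/formmail\.(?:pl|cgi)$", re.IGNORECASE)
# Common Log Format: client, timestamp, "METHOD target PROTO", status.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def suspicious_recipient(value, own_domain):
    """Flag '<addr>www.victim.com' style values and off-site recipients."""
    value = value.strip().lower()
    return "<" in value or ">" in value or not value.endswith("@" + own_domain.lower())

def scan(lines, own_domain):
    probes = defaultdict(set)  # requested path -> client addresses
    live = set()               # formmail paths the server actually served
    bypass = []                # (client, decoded recipient) worth a look
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not FORMMAIL.search(url.path):
            continue
        probes[url.path].add(client)
        if status == "200":
            live.add(url.path)
        # Assumption: the recipient arrives as a GET query parameter.
        for rcpt in parse_qs(url.query).get("recipient", []):
            if suspicious_recipient(rcpt, own_domain):
                bypass.append((client, rcpt))
    return dict(probes), live, bypass

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [06/Sep/2002:09:01:12 +0200] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210',
    '198.51.100.7 - - [06/Sep/2002:09:01:15 +0200] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 210',
    '203.0.113.5 - - [06/Sep/2002:09:02:40 +0200] "GET /forms/old/formmail.pl?recipient=%3Cx%40example.com%3Ewww.victim.example&subject=hi HTTP/1.0" 200 512',
    '198.51.100.9 - - [06/Sep/2002:09:02:41 +0200] "GET /forms/old/formmail.pl?recipient=webmaster%40victim.example HTTP/1.0" 200 512',
    '192.0.2.10 - - [06/Sep/2002:09:03:00 +0200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    probes, live, bypass = scan(SAMPLE, "victim.example")
    for path, clients in sorted(probes.items()):
        print(path, "live" if path in live else "absent", sorted(clients))
    print("recipient check:", bypass)
```

A path in `live` that is requested by many unrelated clients matches the coordinated pattern the message describes and marks a script to disable or upgrade first.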