Security Incidents mailing list archives
Re: Matt Wright FormMail Attacks
From: Markus Stumpf <maex-lists-security-incidents () Space Net>
Date: Wed, 16 Jan 2002 00:06:24 +0100
On Mon, Jan 14, 2002 at 11:14:49AM -0700, Pence, Derek A. wrote:
> I've seen it be very successful. Without going into detail, there's a
> script out there that spammers seem to be passing around that
> automatically formats and submits data to formmail.pl on remote boxes.
> Sure enough... it works like a charm. If you are curious about the
> script they are using, just attach a sniffer to your inbound wire and
> enjoy.
I have added the following lines to my webserver (apache) configuration:

# ------------------------------------------------------------------------
Alias /cgi-bin/phf          /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/test-cgi     /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/formmail.pl  /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/formmail.cgi /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/Count.cgi    /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /default.ida          /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /scripts              /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /MSADC                /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /msadc                /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /_vti_bin             /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /_mem_bin             /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /c/winnt              /usr/local/etc/webmgmt/apache/security/watch.cgi

<Directory /usr/local/etc/webmgmt/apache/security>
    AddHandler cgi-script .cgi
</Directory>
# ------------------------------------------------------------------------

This aliases the scripts and the Nimda and Code Red exploits to a Perl script (watch.cgi). Within this script you can set up email notification (that's what I do) or do anything else you want. That way you have an easy real-time notification instead of parsing logfiles once in a while.

Besides the email notification I also trigger another cgi (via watch.cgi) on a central system to have a centralized collection of issues and feed them to a small pseudo database. By having the above configuration in some webservers on our webhosting computers we get a good overall impression about what's going on.

\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
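The post describes watch.cgi only as "a perl script" that sends email; the following is an added illustration of such a script, written in Python rather than Perl and not the author's code. It assumes the operator and sender addresses are placeholders to be replaced, that a local MTA listens on localhost, and it deliberately ignores any recipient supplied in the submitted form (the field FormMail abuse relies on), mailing a fixed address and answering the probe with a plain 404.

```python
#!/usr/bin/env python3
"""watch.cgi: honeypot target for the Apache Alias lines above.

Every aliased path (formmail.pl, phf, default.ida, ...) lands here; the script
mails a fixed operator address with the request details and answers 404. The
form's own "recipient" field is never used: that is the field spammers abuse.
"""
import os
import sys
import smtplib
from email.message import EmailMessage

OPERATOR = "webmaster@example.invalid"  # assumed address; set for your site
SENDER = "watch-cgi@example.invalid"    # assumed address
MAX_BODY = 4096                         # bound what we read from a probe
# Standard CGI/1.1 request variables worth including in the alert.
FIELDS = ("REMOTE_ADDR", "REQUEST_METHOD", "SCRIPT_NAME", "REQUEST_URI",
          "QUERY_STRING", "HTTP_USER_AGENT", "HTTP_HOST", "HTTP_REFERER")


def content_length(environ):
    """Bytes of POST body to read: CONTENT_LENGTH clamped to [0, MAX_BODY]."""
    try:
        n = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        n = 0
    return max(0, min(n, MAX_BODY))


def build_alert(environ, body):
    """Return the notification as an EmailMessage (pure, so it can be tested)."""
    lines = [f"{k}: {environ.get(k, '')}" for k in FIELDS]
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = OPERATOR  # fixed; never taken from the submitted form
    msg["Subject"] = (f"[watch.cgi] {environ.get('REMOTE_ADDR', '?')} hit "
                      f"{environ.get('SCRIPT_NAME', '?')}")
    msg.set_content("\n".join(lines) + "\n\n--- body ---\n" + body)
    return msg


def main():
    raw = sys.stdin.buffer.read(content_length(os.environ))
    msg = build_alert(os.environ, raw.decode("latin-1", "replace"))
    with smtplib.SMTP("localhost") as smtp:  # assumed local MTA
        smtp.send_message(msg)
    sys.stdout.write("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n"
                     "Not Found\r\n")


if __name__ == "__main__":
    main()
```

Forwarding the alert to a central collector, as the post does, is a matter of adding a second send or an HTTP call in main().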