Security Incidents mailing list archives
Re: Matt Wright FormMail Attacks
From: Markus Stumpf <maex-lists-security-incidents () Space Net>
Date: Wed, 16 Jan 2002 00:06:24 +0100
On Mon, Jan 14, 2002 at 11:14:49AM -0700, Pence, Derek A. wrote:
> I've seen it be very successful. Without going into detail, there's a script out there that spammers seem to be passing around that automatically formats and submits data to formmail.pl on remote boxes. Sure enough... it works like a charm. If you are curious about the script they are using, just attach a sniffer to your inbound wire and enjoy.
I have added the following lines to my webserver (apache) configuration:
# ------------------------------------------------------------------------
Alias /cgi-bin/phf /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/test-cgi /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/formmail.pl /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/formmail.cgi /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /cgi-bin/Count.cgi /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /default.ida /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /scripts /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /MSADC /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /msadc /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /_vti_bin /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /_mem_bin /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias /c/winnt /usr/local/etc/webmgmt/apache/security/watch.cgi
<Directory /usr/local/etc/webmgmt/apache/security>
    AddHandler cgi-script .cgi
</Directory>
# ------------------------------------------------------------------------
This aliases the scripts and the Nimda and Code Red exploits to a perl script
(watch.cgi).
Within this script you can set up email notification (that's what I do)
or do anything else you want. That way you have an easy real-time
notification instead of parsing logfiles once in a while.
Besides the email notification I also trigger another cgi (via watch.cgi)
on a central system to have a centralized collection of issues and feed
them to a small pseudo database. By having the above configuration in
some webservers on our webhosting computers we get a good overall impression
about what's going on.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
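A watch.cgi in the spirit of the one described in the post, added here as an example (Python rather than the author's Perl, and not the original script): it classifies the aliased path against the Alias list above, gathers the request evidence from the CGI environment, and mails it. The mailbox, sender address and a local MTA on localhost are assumptions.

```python
#!/usr/bin/env python3
# watch.cgi (example): every path Apache aliases here is a known probe,
# so record who asked for it and mail a notification right away.
import os, smtplib, sys
from datetime import datetime, timezone
from email.message import EmailMessage

ALERT_TO = "webmaster@example.invalid"    # assumed mailbox; change it
ALERT_FROM = "watch-cgi@example.invalid"  # assumed sender; change it
BODY_CAP = 4096                           # keep only the start of a POST body

# Aliased paths from the Apache config, mapped to a probe family
# (constructed labels; matched as case-insensitive path prefixes).
FAMILIES = [
    ("/cgi-bin/formmail", "FormMail spam-relay probe"),
    ("/cgi-bin/phf", "phf probe"), ("/cgi-bin/test-cgi", "test-cgi probe"),
    ("/cgi-bin/count.cgi", "Count.cgi probe"), ("/default.ida", "Code Red probe"),
] + [(p, "Nimda / IIS traversal probe")
     for p in ("/scripts", "/msadc", "/_vti_bin", "/_mem_bin", "/c/winnt")]

def classify(path):
    # Strip the query string and compare case-insensitively (/MSADC vs /msadc).
    bare = path.split("?", 1)[0].lower()
    for prefix, label in FAMILIES:
        if bare.startswith(prefix):
            return label
    return "unknown aliased path"

def build_alert(env, body):
    # Collect the evidence a notification should carry.
    path = env.get("REQUEST_URI", "")
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "family": classify(path),
        "client": env.get("REMOTE_ADDR", "?"),
        "method": env.get("REQUEST_METHOD", "?"),
        "path": path,
        "body": body[:BODY_CAP],
    }

def format_mail(alert):
    msg = EmailMessage()
    msg["Subject"] = f"[watch.cgi] {alert['family']} from {alert['client']}"
    msg["From"], msg["To"] = ALERT_FROM, ALERT_TO
    msg.set_content("\n".join(f"{k}: {v}" for k, v in alert.items()))
    return msg

if __name__ == "__main__":
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    posted = sys.stdin.read(min(length, BODY_CAP)) if length else ""
    with smtplib.SMTP("localhost") as smtp:   # assumes a local MTA
        smtp.send_message(format_mail(build_alert(os.environ, posted)))
    # Answer 404 so the probe learns nothing about what is really here.
    sys.stdout.write("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n")
```

The POST body is capped so a large submission cannot turn the notification itself into a nuisance; the central-collection hook the post mentions would go next to the mail call.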