Snort mailing list archives
Nice formmail.pl probes
From: Jim Forster <jforster () rapidnet com>
Date: Thu, 28 Feb 2002 15:09:13 -0700
Nope - These systems are a mix of OSs, no formmail on any boxes in these classes. They're just shooting the packet blindly when they find an HTTP response. (I suppose though, sweep a few hundred thousand IPs, you're bound to find some fun sites to bounce from)

I never kicked the rule up until last night, so I wasn't aware these were flying around, manually directed, or a worm.

The goodies:

POST /cgi-bin/formmail.pl HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*..User-Agent: Microsoft URL Control - 6.00.8 Host:www.server.com..Content-Length:135..Cache-Control:no-cache...email=server () server com&recipient=idiot () aol com&subject=www.server.com/cgi-bin/formmail.pl&=www.server.com

---==On Thu, 28 Feb 2002 16:38:02 -0500 (EST), Todd wrote==---
Actually, it may be that your formmail.pl script is being used as a spam relay and the bounced messages that you are seeing are from AOL relating to invalid recipients...

- Todd

On Thu, 28 Feb 2002, Chris Green wrote:

Jim Forster <jforster () rapidnet com> writes:

> Anyone else seeing a formmail.pl search script running around your
> websites?

It's right behind cmd.exe on things people try to access. There are tons of spam programs that will take advantage of it.

> I was hit with it from users of pacbell.net, kscable.com,
> BFLO.splitrock.net, shreveport.la.da.uu.net, and tc.ph.cox.net last
> night, over 3 different class C's. The subject was either "w00t
> x.com" or "www.x.com" (x being the domain it hit) going out to their
> addresses. (nice their script left me contact info anyway) ;) I'm
> guessing worm, as 90% of the 'send to' addresses were the same AOL
> user - the other 10% were other AOL usernames.

Not a worm, it's people excited they can MAKE FUNNY FAST. ( I would have said money but I'm sick of getting bounces back to the list/myself on stupid mail filters )

Aol accounts are just disposable

--
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--------------------------------------------------------------------
Sleep: A completely inadequate substitute for caffeine.
Jim Forster, jforster () rapidnet com on 02/28/2002
Network Administrator
RapidNet, A Golden West Company
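
Added example (not part of the thread, and not Snort code): a small log-side check for the probe pattern described above, flagging POSTs to formmail.pl whose recipient is off-site or whose subject echoes the targeted host. `LOCAL_DOMAINS`, the function names and the two sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

LOCAL_DOMAINS = {"example.com"}  # assumption: where this site's forms may send mail

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body.decode("latin-1")

def check_formmail(raw: bytes):
    """Return findings for one request; an empty list means nothing to report."""
    try:
        method, path, headers, body = parse_request(raw)
    except ValueError:
        return ["malformed request line"]
    if method != "POST" or not path.lower().split("?")[0].endswith("/formmail.pl"):
        return []
    findings = []
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get("recipient", []):
        for addr in value.split(","):  # the field may hold several addresses
            domain = addr.rpartition("@")[2].strip().lower()
            if domain not in LOCAL_DOMAINS:
                findings.append(f"off-site recipient: {addr.strip()}")
    host = headers.get("host", "").lower()
    if host and any(host in s.lower() for s in fields.get("subject", [])):
        findings.append("subject echoes target host")
    return findings

# Constructed sample requests (not captured traffic).
PROBE = (b"POST /cgi-bin/formmail.pl HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: Microsoft URL Control - 6.00.8\r\n\r\n"
         b"email=web@example.com&recipient=someone@mail.example.net"
         b"&subject=www.example.com/cgi-bin/formmail.pl")
LEGIT = (b"POST /cgi-bin/formmail.pl HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
         b"email=visitor@example.org&recipient=sales@example.com&subject=Contact+form")

if __name__ == "__main__":
    for name, req in (("probe", PROBE), ("legit", LEGIT)):
        print(name, check_formmail(req))
```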