Snort mailing list archives
Re: Nice formmail.pl probes
From: Todd <todd () netsecsys net>
Date: Thu, 28 Feb 2002 17:28:10 -0500 (EST)
Yea, my bad. I just read it wrong (I'm out of Diet Dr Pepper)...

There has been a major upsurge of spamming (some of the methods are elevated relating to intelligence) going on within the past few months. (Almost like Sanford Wallace is back on the scene guiding the masses)

Thanks.

- Todd

On Thu, 28 Feb 2002, Jim Forster wrote:

Nope - These systems are a mix of OSs, no formmail on any boxes in these classes. They're just shooting the packet blindly when they find an HTTP response. (I suppose though, sweep a few hundred thousand IPs, you're bound to find some fun sites to bounce from)

I never kicked the rule up until last night, so I wasn't aware these were flying around, manually directed, or a worm.

The goodies:

POST /cgi-bin/formmail.pl HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*..User-Agent: Microsoft URL Control - 6.00.8 Host:www.server.com..Content-Length:135..Cache-Control:no-cache...email=server () server com&recipient=idiot () aol com&subject=www.server.com/cgi-bin/formmail.pl&=www.server.com

---==On Thu, 28 Feb 2002 16:38:02 -0500 (EST), Todd wrote==---

Actually, it may be that your formmail.pl script is being used as a spam relay and the bounced messages that you are seeing are from AOL relating to invalid recipients...

- Todd

On Thu, 28 Feb 2002, Chris Green wrote:

> Jim Forster <jforster () rapidnet com> writes:
>
> > Anyone else seeing a formmail.pl search script running around your
> > websites?
>
> It's right behind cmd.exe on things people try to access. There are
> tons of spam programs that will take advantage of it.
>
> > I was hit with it from users of pacbell.net, kscable.com,
> > BFLO.splitrock.net, shreveport.la.da.uu.net, and tc.ph.cox.net last
> > night, over 3 different class C's. The subject was either "w00t
> > x.com" or "www.x.com" (x being the domain it hit) going out to their
> > addresses. (nice their script left me contact info anyway) ;) I'm
> > guessing worm, as 90% of the 'send to' addresses were the same AOL
> > user - the other 10% were other AOL usernames.
>
> Not a worm, it's people excited they can MAKE FUNNY FAST. ( I would
> have said money but I'm sick of getting bounces back to the
> list/myself on stupid mail filters ) AOL accounts are just disposable
> --
> Chris Green <cmg () uab edu>
> I've had a perfectly wonderful evening. But this wasn't it.
>    -- Groucho Marx
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--------------------------------------------------------------------
Sleep: A completely inadequate substitute for caffeine.
Jim Forster, jforster () rapidnet com on 02/28/2002
Network Administrator
RapidNet, A Golden West Company
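Added example (not part of the original thread, and not Snort's own rule logic): a small triage check for captured formmail.pl POSTs like the one quoted above, flagging requests whose recipient is off-site or whose subject carries the script URL. The sample requests, the `.example` hostnames and addresses, and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample requests modelled on the capture quoted in the thread
# (hostnames and addresses are placeholders, not values from the thread).
PROBE = (
    "POST /cgi-bin/formmail.pl HTTP/1.1\r\n"
    "User-Agent: Microsoft URL Control - 6.00.8\r\n"
    "Host: www.server.example\r\n\r\n"
    "email=a@server.example&recipient=someone@aol.example"
    "&subject=www.server.example/cgi-bin/formmail.pl"
)
LEGIT = (
    "POST /cgi-bin/formmail.pl HTTP/1.1\r\n"
    "Host: www.server.example\r\n\r\n"
    "email=visitor@isp.example&recipient=webmaster@server.example&subject=Feedback"
)

def registered_suffix(host):
    """Crude site match: last two labels of a hostname (assumption; no PSL)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw):
    """Return the reasons a raw HTTP request looks like a formmail relay probe."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or parts[0] != "POST" or "formmail" not in parts[1].lower():
        return []
    path = parts[1].lower()
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    host = headers.get("host", "").split(":")[0]
    form = parse_qs(body, keep_blank_values=True)
    reasons = []
    # FormMail accepts a comma-separated recipient list; check each address.
    for rcpt in ",".join(form.get("recipient", [])).split(","):
        domain = rcpt.rpartition("@")[2]
        if domain and registered_suffix(domain) != registered_suffix(host):
            reasons.append(f"off-site recipient {rcpt}")
    # The capture in the thread puts the script's own URL in the subject.
    if any(path in s.lower() for s in form.get("subject", [])):
        reasons.append("subject carries script URL")
    return reasons

if __name__ == "__main__":
    for name, req in (("probe", PROBE), ("legit", LEGIT)):
        print(name, analyse(req))
```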