Security Incidents mailing list archives

Re: <victim>server formmail.pl exploit in the wild


From: mike maxwell <mmaxwell () gmavt net>
Date: Fri, 12 Apr 2002 15:11:39 -0400

formmail 1.9 is vulnerable...we were just hit by it.....many messages went out
before we caught it ......supposedly the version at

http://www.monkeys.com/anti-spam/filtering/formmail.html

takes care of the problem.......:-(

Justin Shore wrote:

One of my servers had an old copy of formmail.cgi on it (1.6) a few weeks
ago which got that server listed in SpamCop.  Every single malicious use
of that cgi came from pacbell.net DSL customers.  Since upgrading to 1.9
we haven't had any trouble, yet <knock on wood>.  I would rather find a
PHP solution for form handling.

Justin

On 4/11/02 6:06 PM Andrew Daviel said...


I've seen an attempt to exploit FormMail.pl version 1.9 (the latest
official version), viz.

Tue Apr  9 15:40:50 2002
REMOTE_ADDR=172.190.98.15
REQUEST_METHOD=POST
REMOTE_PORT=2768
HTTP_CACHE_CONTROL=no-cache
REQUEST_URI=/cgi-bin/formmail.pl
CONTENT_TYPE=application/x-www-form-urlencoded
CONTENT_LENGTH=2153
Count 1
.

We will show you how to not only make money online,
..
subject academics                         NyZ0f
recipient
<a2888 () hotmail com>vancouver-webpages.com,<a28dan () msn com>vancouver-webpages.com,
etc.

as per
http://online.securityfocus.com/archive/1/252232

I have also seen an extensive credit card fraud spam campaign aimed at AOL
users exploiting the earlier vulnerability in FormMail.pl version 1.6


Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

--
Justin Shore, ES-SS ES-SSR      Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.


--
Mike Maxwell
System Manager--GMA
mmaxwell () gmavt net
****************************************************
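
An added example, not part of the original thread: one way to sweep logged FormMail POST bodies for the recipient shape visible in the capture quoted above, where each comma-separated entry is an outside address in angle brackets with the site's own domain glued on after it. The field name `recipient` comes from the capture; `LOCAL_DOMAINS`, the function names and the sample bodies (using `.example` domains) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: the only domains this site's forms should ever mail to.
LOCAL_DOMAINS = {"site.example"}

# "<user@host>trailer": an address in angle brackets with text glued after it.
BRACKETED = re.compile(r"^<([^<>@\s]+)@([^<>@\s]+)>(.*)$")
PLAIN = re.compile(r"^([^<>@\s]+)@([^<>@\s]+)$")


def check_recipient(value):
    """Return the reasons a FormMail 'recipient' value looks like relay abuse."""
    reasons = []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if len(entries) > 1:
        reasons.append("multiple recipients")
    for entry in entries:
        m = BRACKETED.match(entry)
        if m and m.group(3):
            reasons.append("text after bracketed address")
        m = m or PLAIN.match(entry)
        if not m:
            reasons.append("unparseable entry")
        elif m.group(2).lower() not in LOCAL_DOMAINS:
            reasons.append("off-site domain " + m.group(2).lower())
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order


def scan_post_body(body):
    """Parse an application/x-www-form-urlencoded body and check each recipient."""
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in fields.get("recipient", []):
        findings.extend(check_recipient(value))
    return findings


# Constructed sample bodies (not taken from the thread).
ABUSIVE = ("subject=hello&recipient=%3Ca1%40mail.example%3Esite.example"
           "%2C%3Ca2%40other.example%3Esite.example%2C")
BENIGN = "subject=feedback&recipient=webmaster%40site.example"

if __name__ == "__main__":
    for name, body in (("abusive", ABUSIVE), ("benign", BENIGN)):
        print(name, scan_post_body(body))
```

The same `check_recipient` test can be applied before the form handler is invoked, so that a request with any finding is rejected instead of merely logged.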


