Security Incidents mailing list archives

Re: new type of formmail probes


From: robinton () gmx de (Soeren Ziehe)
Date: 06 Sep 2002 10:44:00 +0200

In article <1031192635.27151.37.camel@bloodnock> [05 Sep 02]
   Russell Fulton  <r.fulton () auckland ac nz> wrote:

> Am I right in assuming that this just more spammers looking for
> places to launder mail or is it more sinister than that?  I.e. do
> we believe the 'arbitrary command execution attempt' bit?

Spammers looking for vulnerable formmail versions.

For the last months they've been looking for
/cgi-bin/formmail.pl
/cgi-bin/formmail.cgi
/cgi-local/formmail.pl
/cgi-local/formmail.cgi

Since last week I also see probes for
/cgi-bin/FormMail.pl
/cgi-bin/FormMail.cgi

We had 2 incidents in our network where "older" (1.6 - latest is 1.92)
installations were detected in "non-standard" locations.
For one incident I've got log data. The attack consisted of coordinated
accesses from several locations worldwide. (br, us, de, edu, jp, ...).
After disabling the script (ca. 3h into the attack) these distributed  
attacks continued for about 18 hours.

Address restrictions were circumvented by using  
"<recipient () example com>www.victim.com" style recipient addresses.

No hard evidence, but I suspect the following:
- the spammers may be looking actively for forms and associated scripts  
by spidering websites
- the spammers may command "bot nets" or distributed cracked and  
compromised hosts, which then are used to send out spam.

Robinton

-- 
Origin: Die Antwort lautet 41.735979 ! ;-)
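Added example, not part of the original thread and not FormMail's own code: a small Python scanner over web server access log lines that flags requests for the probed paths listed in the post and checks the `recipient` value the way a mail transport would read it, so that the `<recipient@example.com>www.victim.com` shape described above is rejected. The log lines, IP addresses, domains and the allowlist are constructed; the post does not say exactly how the original address restriction was fooled, so `naive_recipient_allowed` is an assumed model (a suffix check on the allowed domain) shown only to contrast with the strict parser.

```python
import re
from urllib.parse import parse_qs, urlparse

# Paths the post reports being probed. Case matters: the newer probes use
# the capitalised "FormMail" spelling.
PROBED_PATHS = {
    "/cgi-bin/formmail.pl", "/cgi-bin/formmail.cgi",
    "/cgi-local/formmail.pl", "/cgi-local/formmail.cgi",
    "/cgi-bin/FormMail.pl", "/cgi-bin/FormMail.cgi",
}

# Domains this site may deliver form mail to (constructed allowlist).
ALLOWED_DOMAINS = {"victim.com", "www.victim.com"}

# NCSA/Apache common log format (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# RFC 5322 style angle-addr: optional display name, <mailbox>, anything after.
ANGLE_RE = re.compile(r'^\s*(?P<display>[^<>]*)<(?P<addr>[^<>]+)>(?P<trail>.*)$')


def naive_recipient_allowed(value):
    """Assumed model of a weak check: does the string end in an allowed domain?
    "<spam@example.com>www.victim.com" passes, yet the MTA delivers to
    spam@example.com, which is the bypass the post describes."""
    return any(value.lower().endswith(d) for d in ALLOWED_DOMAINS)


def strict_recipient_allowed(value):
    """Parse the recipient as a mail transport would and require that the
    mailbox that will actually receive the message is in the allowlist."""
    m = ANGLE_RE.match(value)
    if m:
        if m.group("trail").strip():
            # Text after the closing ">" is exactly the reported bypass shape.
            return False
        mailbox = m.group("addr").strip()
    else:
        mailbox = value.strip()
    if mailbox.count("@") != 1 or any(c in mailbox for c in "<>,;\r\n "):
        return False
    domain = mailbox.rsplit("@", 1)[1].lower()
    return domain in ALLOWED_DOMAINS


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return one finding per suspicious request: a known probe path, or a
    form submission whose recipient is not a single allowed mailbox."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["target"])
        if parsed.path in PROBED_PATHS:
            findings.append({"ip": rec["ip"], "path": parsed.path,
                             "reason": "known_probe_path"})
            continue
        recipient = parse_qs(parsed.query).get("recipient", [None])[0]
        if recipient is not None and not strict_recipient_allowed(recipient):
            findings.append({"ip": rec["ip"], "path": parsed.path,
                             "reason": "disallowed_recipient",
                             "recipient": recipient})
    return findings


# Constructed access log: two path probes, one bypass attempt against a
# copy installed in a non-standard location, one legitimate submission,
# one unrelated request.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Sep/2002:14:02:11 +1200] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 209',
    '203.0.113.9 - - [05/Sep/2002:14:02:15 +1200] "HEAD /cgi-bin/FormMail.cgi HTTP/1.0" 404 0',
    '203.0.113.42 - - [05/Sep/2002:14:05:30 +1200] "GET /cgi-bin/contact/fm.pl?recipient=%3Cspam%40example.com%3Ewww.victim.com&subject=x HTTP/1.0" 200 312',
    '192.0.2.18 - - [05/Sep/2002:14:06:02 +1200] "GET /cgi-bin/contact/fm.pl?recipient=webmaster%40victim.com&subject=hello HTTP/1.0" 200 312',
    '192.0.2.19 - - [05/Sep/2002:14:06:10 +1200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run it as a script to print the three findings; the point of the two checks side by side is that a substring or suffix match on the allowed domain is not a recipient check at all, because the MTA only looks at the part inside the angle brackets.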

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
