Snort mailing list archives

Re: Nice formmail.pl probes


From: Todd <todd () netsecsys net>
Date: Thu, 28 Feb 2002 17:28:10 -0500 (EST)


Yea, my bad. I just read it wrong (I'm out of Diet Dr Pepper)... There has
been a major upsurge of spamming (some of the methods are elevated
relating to intelligence) going on within the past few months. (Almost 
like Sanford Wallace is back on the scene guiding the masses)

Thanks.

- Todd

On Thu, 28 Feb 2002, Jim Forster wrote:

Nope - These systems are a mix of OSs, no formmail on any boxes in these classes.  They're just shooting the packet
blindly when they find an HTTP response.  (I suppose though, sweep a few hundred thousand IPs, you're bound to find
some fun sites to bounce from)
I never kicked the rule up until last night, so I wasn't aware these were flying around, manually directed, or a
worm.
The goodies:
POST /cgi-bin/formmail.pl HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*..User-Agent: 
Microsoft URL Control - 6.00.8 Host:www.server.com..Content-Length:135..Cache-Control:no-cache...email=server () 
server com&recipient=idiot () aol com&subject=www.server.com/cgi-bin/formmail.pl&=www.server.com


---==On Thu, 28 Feb 2002 16:38:02 -0500 (EST), Todd wrote==---

Actually, it may be that your formmail.pl script is being used as a spam
relay and the bounced messages that you are seeing are from AOL
relating to invalid recipients...

- Todd

On Thu, 28 Feb 2002, Chris Green wrote:

Jim Forster <jforster () rapidnet com> writes:

> Anyone else seeing a formmail.pl search script running around your
> websites?

It's right behind cmd.exe on things people try to access.  There
are tons of spam programs that will take advantage of it.

> I was hit with it from users of pacbell.net, kscable.com,
> BFLO.splitrock.net, shreveport.la.da.uu.net, and tc.ph.cox.net last
> night, over 3 different class C's.  The subject was either "w00t
> x.com" or "www.x.com" (x being the domain it hit) going out to their
> addresses.  (nice their script left me contact info anyway) ;) I'm
> guessing worm, as 90% of the 'send to' addresses were the same AOL
> user - the other 10% were other AOL usernames.

Not a worm, it's people excited they can MAKE FUNNY FAST.  ( I would
have said money but I'm sick of getting bounces back to the
list/myself on stupid mail filters )

AOL accounts are just disposable
--
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it.
    -- Groucho Marx

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------------------- 
Sleep: A completely inadequate substitute for caffeine.

Jim Forster, jforster () rapidnet com on 02/28/2002
Network Administrator
RapidNet, A Golden West Company



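A defender-side check for the kind of request Jim pasted, as an added example that is not code from the thread, from Snort or from FormMail itself. The sample request is constructed from the captured POST above, with the archive's ".." restored to CRLF and " () " restored to "@"; the function names, the FORMMAIL_PATHS tuple and the choice of server.com as the site's own domain are assumptions for the demo. The indicators it scores are the ones visible in the capture: a POST aimed at formmail.pl, a recipient outside the site's own domain, and a subject that echoes the target hostname so the sender can learn which hosts relayed.

```python
"""Flag FormMail-style spam-relay probes in reassembled HTTP POST requests."""
from urllib.parse import parse_qsl

# Constructed sample modelled on the request posted to the list
# ("..": CRLF, " () ": "@" in the archive rendering).
SAMPLE_REQUEST = (
    "POST /cgi-bin/formmail.pl HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "User-Agent: Microsoft URL Control - 6.00.8\r\n"
    "Host: www.server.com\r\n"
    "Content-Length: 135\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "email=server@server.com&recipient=idiot@aol.com"
    "&subject=www.server.com/cgi-bin/formmail.pl&=www.server.com"
)

# Assumed script names to watch for (hypothetical list, extend as needed).
FORMMAIL_PATHS = ("formmail.pl", "formmail.cgi")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Headers are lower-cased; a missing 'space' after the colon (as in the
    captured 'Host:www.server.com') is tolerated.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def mail_domain(address: str) -> str:
    """Return the lower-cased domain of an e-mail address ('' if malformed)."""
    _, at, domain = address.rpartition("@")
    return domain.lower() if at else ""


def analyse(raw: str, own_domains: set) -> list:
    """Return the reasons a request looks like a FormMail relay probe.

    An empty list means no indicator fired. own_domains holds the mail
    domains this site is allowed to deliver to.
    """
    method, path, headers, body = parse_request(raw)
    reasons = []
    if method.upper() != "POST" or not path.lower().endswith(FORMMAIL_PATHS):
        return reasons
    reasons.append(f"POST to FormMail-style script at {path}")

    # keep_blank_values keeps the nameless '=www.server.com' field seen in the capture
    fields = dict(parse_qsl(body, keep_blank_values=True))
    host = headers.get("host", "").lower()

    recipient = fields.get("recipient", "")
    if recipient and mail_domain(recipient) not in own_domains:
        reasons.append(f"recipient {recipient} is outside the site's own domains")

    subject = fields.get("subject", "")
    if host and host in subject.lower():
        reasons.append("subject echoes the target hostname (relay-discovery marker)")

    if "" in fields:
        reasons.append("form field with an empty name")
    return reasons


if __name__ == "__main__":
    for reason in analyse(SAMPLE_REQUEST, {"server.com"}):
        print("ALERT:", reason)
```

Run against the sample it reports all four indicators; the same analyse() call dropped into a log-replay or proxy hook gives a cheap way to confirm whether a box that the Snort rule lights up on is actually relaying (recipient outside own_domains) or, as in Jim's case, merely being probed blind.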

