Re: Http scanning for cgi based mail-relays.

From: Chip McClure (vhm3at_private)
Date: Wed Jul 18 2001 - 14:02:21 PDT

Next message: McCammon, Keith: "IIS/FrontPage Script?"

Previous message: Marc Maiffret: "RE: "Code Red" worm questions"
In reply to: measlat_private: "Http scanning for cgi based mail-relays."
Next in thread: David Luyer: "Re: Http scanning for cgi based mail-relays."
Reply: David Luyer: "Re: Http scanning for cgi based mail-relays."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I got it too, more than likely from the same individual. The sources came
from Road Runner in NYC. The exploit was the same, using the formmail.pl
script on a clients web site.

The scam in question was targeted at AoL, attempting to get Credit Card
#'s from AOL members. AOL security was informed, but have heard no replies
back.

This action took place approximately 1 1/2 weeks ago.

- -- 
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc

http://www.gigguardian.com/

On Wed, 18 Jul 2001 measlat_private wrote:

>
> Greetings.
>
> 	Below is an excerpt from one of our http server logs.  Rather
> cute, ya?  Just for the record, the skr1pt k1dd1e
> ("truzoomat_private") doing the scanning is still online with AOL, even
> though (1) AOL was sent copies of email from this kid acknowledging the
> scans were his/hers; (b) AOL recieved copies of the full logs; (c) AOL
> sent us their standard boilerplate "Thanks for reporting this, we have
> dealt with it according to our AUP".
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQIXAwUBO1X5YBMjR0bRG2GcFAPYaggAjifWmG9wYMW5H4/0nCJkKnnCU2Q5c2y1
VUYNjNx72PjnV2ybhMfWBml6qcikB0b5L0ybv39rRqcoTrS4LiATa6Ih9XMH8w8O
/xRrQIz/PzFpYvtVeIYIIbSYxmPDqKrdMoJI2+/bV3lqTNY1uJCzEvMpO0S9VeUk
we6OpHdHtVtCRVOkHJ8hDOagVz1i9JMvk7reiXQbj7tK/HL2uRDKrEYxkoj4D5kJ
tOwv4KA10U7JBH+w6Av6sAPrw46PY3TVg/qWsyzEloet9oRRxEue7XNlPWBASadS
VX5h2vLe7tbgxPIVTW1lmagVbsde8tRPJPaKpORY4+hm2VZ0rSF+Iwf/TGodWLJE
jIIKwtXctNeC+OH+23F5K4SN1ItzLskyHBKJNHKDUZRENt5KIi+ThlJJA4BxCED8
bn//OvxGQcky+ZZL49E2PsPWAowDbdYADuF5B2mRCsb6BLe9HhuS3/+iCzcjODrZ
cpYy2eIhFbW3NNHECpRu2TwW4MLLVDW8YZJDDGSdOalbL4r/b2MfIo+Tisw2mNcp
RljOM+VthsxB89PTaOVzOh1BW2x/nxK76C6vjuxycS/IcHmOBH0y88w7bLqMdxIg
0y7ju5AcOZ7ZsUfYy7LN6GJH0donQKRMIwTWawB8HdT0iHh6mKtgn83PsTPp+b+k
ACPnt3luQvMYcA==
=zdvS
-----END PGP SIGNATURE-----




----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: McCammon, Keith: "IIS/FrontPage Script?"
Previous message: Marc Maiffret: "RE: "Code Red" worm questions"
In reply to: measlat_private: "Http scanning for cgi based mail-relays."
Next in thread: David Luyer: "Re: Http scanning for cgi based mail-relays."
Reply: David Luyer: "Re: Http scanning for cgi based mail-relays."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:46:00 PDT