Re: Http scanning for cgi based mail-relays.

From: Chip McClure (vhm3at_private)
Date: Wed Jul 18 2001 - 14:02:21 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160
    
    I got it too, more than likely from the same individual. The sources came
    from Road Runner in NYC. The exploit was the same, using the formmail.pl
    script on a client's web site.
    
    The scam in question was targeted at AOL, attempting to get Credit Card
    #'s from AOL members. AOL security was informed, but have heard no replies
    back.
    
    This action took place approximately 1 1/2 weeks ago.
    
    - -- 
    Chip McClure
    Sr. Unix Administrator
    GigGuardian, Inc
    
    http://www.gigguardian.com/
    
    On Wed, 18 Jul 2001 measlat_private wrote:
    
    >
    > Greetings.
    >
    > 	Below is an excerpt from one of our http server logs.  Rather
    > cute, ya?  Just for the record, the skr1pt k1dd1e
    > ("truzoomat_private") doing the scanning is still online with AOL, even
    > though (a) AOL was sent copies of email from this kid acknowledging the
    > scans were his/hers; (b) AOL received copies of the full logs; (c) AOL
    > sent us their standard boilerplate "Thanks for reporting this, we have
    > dealt with it according to our AUP".
    >
    >
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: Made with pgp4pine 1.76
    
    -----END PGP SIGNATURE-----
    
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:46:00 PDT