Re: Matt Wright FormMail Attacks

From: Mike Lewinski (mikeat_private)
Date: Mon Jan 14 2002 - 09:30:32 PST

Next message: Keith T. Morgan: "RE: New DNS connection with SYN ACK"

Previous message: Turner, Keith: "RE: Matt Wright FormMail Attacks"
In reply to: Dmitri Smirnov: "Matt Wright FormMail Attacks"
Next in thread: Jose Nazario: "Re: Matt Wright FormMail Attacks"
Next in thread: jlewisat_private: "Re: Matt Wright FormMail Attacks"
Reply: Jose Nazario: "Re: Matt Wright FormMail Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Looks like people are not serious about this probe. Is anybody know why
> number of formmail.pl attacks is growing? May be it is a part of SPAM
> toolkit or some very popular tool?

Yes, I've seen (and reported) what appear to be automated probes for
vulnerable installations. We had a client install that script on one of our
servers and I was fortunate to notice the bounces coming back to us very
quickly.

I am including two reports I filed, in case the log patterns are of use to
anyone. Note that in the first probe below, the attacker's subject line
identifies the server that was attempted.

Mike

----------------------------------------------------------------------------
----------------------

1) Failed probe:

GMT offset is -0700. This is a probe for a formmail.pl cgi script that can
be used to relay spam. It generated a 404 here.

Session Details
  IP Address   65.34.109.21
  Reverse DNS   6534109hfc21.tampabay.rr.com
 Time Spent  0 min
  Hits / Kilobytes   1 / 0.61Kb
 Browser Tag  Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)
 Referring URL

Date and Time URL
 2002-01-07 19:20:24
/cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2
fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t


----------------------------------------------------------------------------
----------------------

2) Successful relays:

The log times below are set to UTC, and were recorded on Jan 01, 2001. Also
attached is a sample of the bounced spam that was relayed through this
client's script (now disabled).

00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80
Microsoft+URL+Control+-+6.00.8862 -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80
Microsoft+URL+Control+-+6.00.8862 -

13:17:51 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1737 80
Microsoft+URL+Control+-+6.00.8862 -
21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80
Microsoft+URL+Control+-+6.00.8862 -
21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80
Microsoft+URL+Control+-+6.00.8862 -
21:16:27 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1329 80
Microsoft+URL+Control+-+6.00.8862 -
21:26:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11780 1554 80
Microsoft+URL+Control+-+6.00.8862 -
21:28:54 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11462 1241 80
Microsoft+URL+Control+-+6.00.8862 -
21:35:09 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11615 1391 80
Microsoft+URL+Control+-+6.00.8862 -
21:40:39 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11323 1108 80
Microsoft+URL+Control+-+6.00.8862 -
21:42:33 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11549 1331 80
Microsoft+URL+Control+-+6.00.8862 -
21:42:58 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11535 1316 80
Microsoft+URL+Control+-+6.00.8862 -
21:43:26 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11674 1459 80
Microsoft+URL+Control+-+6.00.8862 -
21:43:56 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11930 1705 80
Microsoft+URL+Control+-+6.00.8862 -
21:44:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11344 1121 80
Microsoft+URL+Control+-+6.00.8862 -
21:45:14 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11817 1589 80
Microsoft+URL+Control+-+6.00.8862 -
21:49:47 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 8597 1477 80
Microsoft+URL+Control+-+6.00.8862 -
21:55:43 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11695 1250 80
Microsoft+URL+Control+-+6.00.8862 -
22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80
Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1601 80
Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1336 80
Microsoft+URL+Control+-+6.00.8862 -
22:09:38 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1308 80
Microsoft+URL+Control+-+6.00.8862 -
22:11:06 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1533 80
Microsoft+URL+Control+-+6.00.8862 -
22:18:28 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1580 80
Microsoft+URL+Control+-+6.00.8862 -
22:18:34 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1236 80
Microsoft+URL+Control+-+6.00.8862 -


Note that this spam sample matches from the line above by timestamp. It does
not otherwise show the originating IP in the headers (a flaw in Blat IMHO):

21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80
Microsoft+URL+Control+-+6.00.8862 -


Received: from  rockynet.com (smtp.rockynet.com [206.168.216.11]) by
rly-xc01.mx.aol.com (v83.18) with ESMTP id MAILRELAYINXC17-0101160728; Tue,
01 Jan 2002 16:07:28 -0500
Received: from web3 [206.168.216.8] by rockynet.com
  (SMTPD32-7.04) id A5112EDA00F2; Tue, 01 Jan 2002 14:07:29 -0700
Date: Tue, 01 Jan 2002 14:07:29 -0700
From: arkansasat_private
Sender: webmasterat_private
Reply-to: webmasterat_private
Subject: Need Extra Money? O794A2kx7cob4zQ
To: diana63814at_private, laver76at_private, pologuy21at_private,
diana63828at_private,
        shanlynnat_private, diana639at_private, laver7at_private, budmldat_private,
        shanlynneat_private, budmlh58at_private, alisha4972at_private,
        geoanderat_private, budmmann2at_private, shanlynngat_private,
        tomdawgo7at_private, mlewis9106at_private, jens235at_private,
        jens239at_private, budmn151at_private
X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
Message-Id: <200201011407277.SM00203@web3>

This is an online application from
 (arkansasat_private) on Tuesday, January 1, 2002 at 14:07:29
-------------------------------------------------------

:                                   <br><HTML><FONT  BACK="#ffffff"
style="BACKGROUND-COLOR: #ffffff" SIZE=2 PTSIZE=10><BR><BR>EARN MONEY
WORKING AT HOME<BR>WORK THE HOURS YOU WANT<BR><A
HREF="aol:/2000:www.ckoejzldwoji.comat_private/#jcispqeq">http://www.ckoejzldwoji.comat_private/#jcispqeq
vxunb">CLICK HERE</A> FOR
DETAILS<BR><BR></FONT></HTML><br><p><br><p><br><p><br><p><br><p><br><p>28D0c
k0SFAK7tb6jNInX7sPazoxX30PrqyoY06k9hp8dSUb5954vAVs95214lW6L28D0ck0SFAK7tb6jN
InX7sPazoxX30PrqyoY06k9hp8ddx7mJEj2544dJLaA21M1tM3B8QT7ls9CVQUFcjYrWYoG43YiE
wfO09

-------------------------------------------------------



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Keith T. Morgan: "RE: New DNS connection with SYN ACK"
Previous message: Turner, Keith: "RE: Matt Wright FormMail Attacks"
In reply to: Dmitri Smirnov: "Matt Wright FormMail Attacks"
Next in thread: Jose Nazario: "Re: Matt Wright FormMail Attacks"
Next in thread: jlewisat_private: "Re: Matt Wright FormMail Attacks"
Reply: Jose Nazario: "Re: Matt Wright FormMail Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 10:23:17 PST