> Looks like people are not serious about this probe. Does anybody know why
> the number of formmail.pl attacks is growing? Maybe it is a part of a SPAM
> toolkit or some very popular tool?

Yes, I've seen (and reported) what appear to be automated probes for vulnerable installations. We had a client install that script on one of our servers, and I was fortunate to notice the bounces coming back to us very quickly. I am including two reports I filed, in case the log patterns are of use to anyone. Note that in the first probe below, the attacker's subject line identifies the server that was attempted.

Mike

--------------------------------------------------------------------------------------------------

1) Failed probe: GMT offset is -0700.

This is a probe for a formmail.pl cgi script that can be used to relay spam. It generated a 404 here.

Session Details
IP Address        65.34.109.21
Reverse DNS       6534109hfc21.tampabay.rr.com
Time Spent        0 min
Hits / Kilobytes  1 / 0.61Kb
Browser Tag       Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)
Referring URL

Date and Time        URL
2002-01-07 19:20:24  /cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t

--------------------------------------------------------------------------------------------------

2) Successful relays: The log times below are set to UTC, and were recorded on Jan 01, 2001. Also attached is a sample of the bounced spam that was relayed through this client's script (now disabled).
00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -
13:17:51 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1737 80 Microsoft+URL+Control+-+6.00.8862 -
21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80 Microsoft+URL+Control+-+6.00.8862 -
21:16:27 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1329 80 Microsoft+URL+Control+-+6.00.8862 -
21:26:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11780 1554 80 Microsoft+URL+Control+-+6.00.8862 -
21:28:54 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11462 1241 80 Microsoft+URL+Control+-+6.00.8862 -
21:35:09 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11615 1391 80 Microsoft+URL+Control+-+6.00.8862 -
21:40:39 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11323 1108 80 Microsoft+URL+Control+-+6.00.8862 -
21:42:33 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11549 1331 80 Microsoft+URL+Control+-+6.00.8862 -
21:42:58 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11535 1316 80 Microsoft+URL+Control+-+6.00.8862 -
21:43:26 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11674 1459 80 Microsoft+URL+Control+-+6.00.8862 -
21:43:56 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11930 1705 80 Microsoft+URL+Control+-+6.00.8862 -
21:44:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11344 1121 80 Microsoft+URL+Control+-+6.00.8862 -
21:45:14 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11817 1589 80 Microsoft+URL+Control+-+6.00.8862 -
21:49:47 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 8597 1477 80 Microsoft+URL+Control+-+6.00.8862 -
21:55:43 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11695 1250 80 Microsoft+URL+Control+-+6.00.8862 -
22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80 Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1601 80 Microsoft+URL+Control+-+6.00.8862 -
22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1336 80 Microsoft+URL+Control+-+6.00.8862 -
22:09:38 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1308 80 Microsoft+URL+Control+-+6.00.8862 -
22:11:06 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1533 80 Microsoft+URL+Control+-+6.00.8862 -
22:18:28 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1580 80 Microsoft+URL+Control+-+6.00.8862 -
22:18:34 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1236 80 Microsoft+URL+Control+-+6.00.8862 -

Note that this spam sample matches the line above by timestamp. It does not otherwise show the originating IP in the headers (a flaw in Blat IMHO):

21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -

Received: from rockynet.com (smtp.rockynet.com [206.168.216.11]) by rly-xc01.mx.aol.com (v83.18) with ESMTP id MAILRELAYINXC17-0101160728; Tue, 01 Jan 2002 16:07:28 -0500
Received: from web3 [206.168.216.8] by rockynet.com (SMTPD32-7.04) id A5112EDA00F2; Tue, 01 Jan 2002 14:07:29 -0700
Date: Tue, 01 Jan 2002 14:07:29 -0700
From: arkansasat_private
Sender: webmasterat_private
Reply-to: webmasterat_private
Subject: Need Extra Money? O794A2kx7cob4zQ
To: diana63814at_private, laver76at_private, pologuy21at_private, diana63828at_private, shanlynnat_private, diana639at_private, laver7at_private, budmldat_private, shanlynneat_private, budmlh58at_private, alisha4972at_private, geoanderat_private, budmmann2at_private, shanlynngat_private, tomdawgo7at_private, mlewis9106at_private, jens235at_private, jens239at_private, budmn151at_private
X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
Message-Id: <200201011407277.SM00203@web3>

This is an online application from (arkansasat_private) on Tuesday, January 1, 2002 at 14:07:29

-------------------------------------------------------
: <br><HTML><FONT BACK="#ffffff" style="BACKGROUND-COLOR: #ffffff" SIZE=2 PTSIZE=10><BR><BR>EARN MONEY WORKING AT HOME<BR>WORK THE HOURS YOU WANT<BR><A HREF="aol:/2000:www.ckoejzldwoji.comat_private/#jcispqeq">http://www.ckoejzldwoji.comat_private/#jcispqeq vxunb">CLICK HERE</A> FOR DETAILS<BR><BR></FONT></HTML><br><p><br><p><br><p><br><p><br><p><br><p>28D0c k0SFAK7tb6jNInX7sPazoxX30PrqyoY06k9hp8dSUb5954vAVs95214lW6L28D0ck0SFAK7tb6jN InX7sPazoxX30PrqyoY06k9hp8ddx7mJEj2544dJLaA21M1tM3B8QT7ls9CVQUFcjYrWYoG43YiE wfO09
-------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
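The log patterns Mike posted lend themselves to a small triage script. The following is an added example, not part of the post or of any SecurityFocus tooling. It assumes the relay log lines are IIS W3C extended entries with the field order time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status, sc-bytes, cs-bytes, s-port, cs(User-Agent), cs(Referer) (inferred from the lines above, so an assumption), splits them on whitespace, keeps only hits on formmail.pl/formmail.cgi, classifies each hit as a probable relay (POST answered with 200), a probe against a missing script (404) or a rejected request, and totals the result per client IP. It also decodes the probe query from report 1 to pull out the `subject` field, which is where the prober recorded the host it thought it was hitting. The sample lines are copied from the post except where a comment marks them as constructed.

```python
"""Triage FormMail probe and relay attempts in IIS W3C extended log lines.

Added example. Field layout is an assumption inferred from the posted lines:
time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes
s-port cs(User-Agent) cs(Referer)
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

FIELDS = ["time", "c_ip", "method", "uri_stem", "uri_query", "status",
          "sc_bytes", "cs_bytes", "port", "user_agent", "referer"]

# Match the script names seen in the post (case-insensitive; IIS paths are).
FORMMAIL_RE = re.compile(r"/formmail\.(pl|cgi)$", re.IGNORECASE)

SAMPLE_LINES = [
    # constructed benign request, should be ignored by the filter
    "00:10:00 10.0.0.5 GET /index.html - 200 1200 300 80 Mozilla/4.0+(compatible) -",
    # lines copied from report 2 in the post
    "00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -",
    "00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -",
    "21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -",
    "21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80 Microsoft+URL+Control+-+6.00.8862 -",
    "22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80 Microsoft+URL+Control+-+6.00.8862 -",
    # constructed W3C rendering of the 404 probe from report 1 (query string is the one posted)
    "19:20:24 65.34.109.21 GET /cgi-bin/formmail.pl "
    "email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2fcgi%2dbin%2fformmail%2epl"
    "&recipient=bxw%40aol%2ecom&msg=w00t"
    " 404 610 400 80 Gozilla/4.0+(compatible;+MSIE+5.5;+windows+2000) -",
]


def parse_w3c_line(line):
    """Split one log line into a dict; return None if the field count is off."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("status", "sc_bytes", "cs_bytes", "port"):
        rec[key] = int(rec[key])
    return rec


def is_formmail_hit(rec):
    """True when the request targets formmail.pl or formmail.cgi."""
    return FORMMAIL_RE.search(rec["uri_stem"]) is not None


def classify(rec):
    """Bucket a FormMail hit the way the post's two reports do."""
    if rec["status"] == 200 and rec["method"] == "POST":
        return "relayed"        # script present and accepted the POST body
    if rec["status"] == 404:
        return "script_absent"  # probe against a host without the script
    return "rejected"           # e.g. the 502s once the script was disabled


def summarize(lines):
    """Per-client-IP counts of each classification, ignoring non-FormMail hits."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None or not is_formmail_hit(rec):
            continue
        per_ip[rec["c_ip"]][classify(rec)] += 1
    return per_ip


def probe_target(uri_query):
    """Decode a probe's query string; 'subject' carries the host the prober aimed at."""
    fields = parse_qs(uri_query)
    return {name: values[0] for name, values in fields.items()}


def report(lines):
    """Human-readable summary, one line per client IP."""
    out = []
    for ip, counts in sorted(summarize(lines).items()):
        buckets = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
        out.append(f"{ip}: {buckets}")
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_LINES):
        print(row)
    probe = parse_w3c_line(SAMPLE_LINES[-1])
    print("probe subject field:", probe_target(probe["uri_query"])["subject"])
```

The `cs_bytes` column is worth keeping in view when running this over a real log: in the posted relay lines the request bodies are 1.1 to 1.7 KB, which is the recipient list being pushed through the script, while the failed probe on formmail.pl carried only 343 bytes.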
This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 10:23:17 PST