Re: Matt Wright FormMail Attacks

From: Mike Lewinski (mikeat_private)
Date: Mon Jan 14 2002 - 09:30:32 PST


    > Looks like people are not serious about this probe. Does anybody know why
    > the number of formmail.pl attacks is growing? Maybe it is part of a SPAM
    > toolkit or some very popular tool?
    
    Yes, I've seen (and reported) what appear to be automated probes for
    vulnerable installations. We had a client install that script on one of our
    servers and I was fortunate to notice the bounces coming back to us very
    quickly.
    
    I am including two reports I filed, in case the log patterns are of use to
    anyone. Note that in the first probe below, the attacker's subject line
    identifies the server that was attempted.
    
    Mike
    
    --------------------------------------------------------------------------------------------------
    
    1) Failed probe:
    
    GMT offset is -0700. This is a probe for a formmail.pl cgi script that can
    be used to relay spam. It generated a 404 here.
    
    Session Details
      IP Address        65.34.109.21
      Reverse DNS       6534109hfc21.tampabay.rr.com
      Time Spent        0 min
      Hits / Kilobytes  1 / 0.61Kb
      Browser Tag       Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)
      Referring URL
    
    Date and Time        URL
    2002-01-07 19:20:24  /cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t
    
    
    --------------------------------------------------------------------------------------------------
    
    2) Successful relays:
    
    The log times below are set to UTC, and were recorded on Jan 01, 2001. Also
    attached is a sample of the bounced spam that was relayed through this
    client's script (now disabled).
    
    00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -
    00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -
    
    13:17:51 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1737 80 Microsoft+URL+Control+-+6.00.8862 -
    21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
    21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80 Microsoft+URL+Control+-+6.00.8862 -
    21:16:27 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1329 80 Microsoft+URL+Control+-+6.00.8862 -
    21:26:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11780 1554 80 Microsoft+URL+Control+-+6.00.8862 -
    21:28:54 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11462 1241 80 Microsoft+URL+Control+-+6.00.8862 -
    21:35:09 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11615 1391 80 Microsoft+URL+Control+-+6.00.8862 -
    21:40:39 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11323 1108 80 Microsoft+URL+Control+-+6.00.8862 -
    21:42:33 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11549 1331 80 Microsoft+URL+Control+-+6.00.8862 -
    21:42:58 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11535 1316 80 Microsoft+URL+Control+-+6.00.8862 -
    21:43:26 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11674 1459 80 Microsoft+URL+Control+-+6.00.8862 -
    21:43:56 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11930 1705 80 Microsoft+URL+Control+-+6.00.8862 -
    21:44:07 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11344 1121 80 Microsoft+URL+Control+-+6.00.8862 -
    21:45:14 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11817 1589 80 Microsoft+URL+Control+-+6.00.8862 -
    21:49:47 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 8597 1477 80 Microsoft+URL+Control+-+6.00.8862 -
    21:55:43 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11695 1250 80 Microsoft+URL+Control+-+6.00.8862 -
    22:06:03 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1364 80 Microsoft+URL+Control+-+6.00.8862 -
    22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1601 80 Microsoft+URL+Control+-+6.00.8862 -
    22:07:13 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 565 1336 80 Microsoft+URL+Control+-+6.00.8862 -
    22:09:38 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1308 80 Microsoft+URL+Control+-+6.00.8862 -
    22:11:06 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1533 80 Microsoft+URL+Control+-+6.00.8862 -
    22:18:28 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1580 80 Microsoft+URL+Control+-+6.00.8862 -
    22:18:34 66.125.153.7 POST /cgi-bin/formmail.cgi - 502 345 1236 80 Microsoft+URL+Control+-+6.00.8862 -
    
    
    Note that this spam sample matches from the line above by timestamp. It does
    not otherwise show the originating IP in the headers (a flaw in Blat IMHO):
    
    21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
    
    
    Received: from  rockynet.com (smtp.rockynet.com [206.168.216.11]) by
    rly-xc01.mx.aol.com (v83.18) with ESMTP id MAILRELAYINXC17-0101160728; Tue,
    01 Jan 2002 16:07:28 -0500
    Received: from web3 [206.168.216.8] by rockynet.com
      (SMTPD32-7.04) id A5112EDA00F2; Tue, 01 Jan 2002 14:07:29 -0700
    Date: Tue, 01 Jan 2002 14:07:29 -0700
    From: arkansasat_private
    Sender: webmasterat_private
    Reply-to: webmasterat_private
    Subject: Need Extra Money? O794A2kx7cob4zQ
    To: diana63814at_private, laver76at_private, pologuy21at_private,
    diana63828at_private,
            shanlynnat_private, diana639at_private, laver7at_private, budmldat_private,
            shanlynneat_private, budmlh58at_private, alisha4972at_private,
            geoanderat_private, budmmann2at_private, shanlynngat_private,
            tomdawgo7at_private, mlewis9106at_private, jens235at_private,
            jens239at_private, budmn151at_private
    X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
    Message-Id: <200201011407277.SM00203@web3>
    
    This is an online application from
     (arkansasat_private) on Tuesday, January 1, 2002 at 14:07:29
    -------------------------------------------------------
    
    :                                   <br><HTML><FONT  BACK="#ffffff"
    style="BACKGROUND-COLOR: #ffffff" SIZE=2 PTSIZE=10><BR><BR>EARN MONEY
    WORKING AT HOME<BR>WORK THE HOURS YOU WANT<BR><A
    HREF="aol:/2000:www.ckoejzldwoji.comat_private/#jcispqeq">http://www.ckoejzldwoji.comat_private/#jcispqeq
    vxunb">CLICK HERE</A> FOR
    DETAILS<BR><BR></FONT></HTML><br><p><br><p><br><p><br><p><br><p><br><p>28D0c
    k0SFAK7tb6jNInX7sPazoxX30PrqyoY06k9hp8dSUb5954vAVs95214lW6L28D0ck0SFAK7tb6jN
    InX7sPazoxX30PrqyoY06k9hp8ddx7mJEj2544dJLaA21M1tM3B8QT7ls9CVQUFcjYrWYoG43YiE
    wfO09
    
    -------------------------------------------------------
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
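The log patterns in Mike's report can be turned into a small defender-side detector. The following is an added example, not code from the original post or from the FormMail project. It assumes the IIS W3C field order time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status, sc-bytes, cs-bytes, s-port, cs(User-Agent), cs(Referer) (the post shows no #Fields header, so that mapping is an assumption), an allowed-recipient domain of `example.org` as a hypothetical local policy, and sample log lines constructed from the values in the post (the GET probe from the first report is rewritten into the same log format). It flags two things the post describes: a probe whose `recipient=` points off-site (with the targeted host pulled from the `subject=` field, as in the first report) and a source address that gets repeated successful POSTs to the script. It also reproduces the author's manual step of matching a bounced message's `Date:` header back to a UTC log entry.

```python
"""Detect FormMail probe and relay activity in IIS-style web logs.

Added example, not part of the original list post. Field order below is an
assumption (the post has no #Fields header); sample lines are constructed.
"""
import re
from collections import Counter
from datetime import timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs

# Requests for formmail.pl or formmail.cgi anywhere under the document root.
FORMMAIL_RE = re.compile(r"/formmail\.(pl|cgi)$", re.IGNORECASE)

# Hypothetical local policy: the only domains this form is allowed to mail to.
# (FormMail's own @recipients list is the real control; this just audits logs.)
ALLOWED_RECIPIENT_DOMAINS = {"example.org"}

# Assumed IIS W3C column order (no #Fields line appears in the post).
FIELDS = ("time", "c_ip", "method", "uri_stem", "uri_query", "status",
          "sc_bytes", "cs_bytes", "port", "user_agent", "referer")

# Constructed sample: three relay POSTs, one failed probe GET, one benign hit.
SAMPLE_LOG = """\
00:52:59 63.199.200.93 POST /cgi-bin/formmail.pl - 502 564 343 80 Microsoft+URL+Control+-+6.00.8862 -
00:52:59 63.199.200.93 POST /cgi-bin/formmail.cgi - 200 10590 345 80 Microsoft+URL+Control+-+6.00.8862 -
21:07:30 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11401 1182 80 Microsoft+URL+Control+-+6.00.8862 -
21:15:23 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 11562 1495 80 Microsoft+URL+Control+-+6.00.8862 -
21:16:27 66.125.153.7 POST /cgi-bin/formmail.cgi - 200 9515 1329 80 Microsoft+URL+Control+-+6.00.8862 -
19:20:24 65.34.109.21 GET /cgi-bin/formmail.pl email=f2%40aol%2ecom&subject=www%2ecoloradowild%2eorg%2fcgi%2dbin%2fformmail%2epl&recipient=bxw%40aol%2ecom&msg=w00t 404 0 0 80 Gozilla/4.0+(compatible;+MSIE+5.5;+windows+2000) -
19:21:00 10.0.0.5 GET /index.html - 200 1200 300 80 Mozilla/4.0 -
"""


def parse_line(line):
    """Split one space-separated log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    rec["user_agent"] = rec["user_agent"].replace("+", " ")  # IIS encodes spaces as '+'
    return rec


def decode_query(query):
    """Return the decoded query parameters (FormMail's email/subject/recipient)."""
    if query == "-":
        return {}
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(log_text, allowed_domains=ALLOWED_RECIPIENT_DOMAINS, relay_threshold=3):
    """Flag off-site recipients in probe URLs and sources with repeated 200 POSTs."""
    findings = []
    success_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not FORMMAIL_RE.search(rec["uri_stem"]):
            continue
        fields = decode_query(rec["uri_query"])
        rcpt = fields.get("recipient", "")
        if rcpt and recipient_domain(rcpt) not in allowed_domains:
            findings.append({"type": "offsite_recipient", "ip": rec["c_ip"],
                             "recipient": rcpt,
                             # In the first report the subject names the probed server.
                             "probe_target": fields.get("subject", "")})
        # POST bodies are not logged, so relay abuse shows up as volume of 200s.
        if rec["method"] == "POST" and rec["status"] == 200:
            success_by_ip[rec["c_ip"]] += 1
    for ip, n in success_by_ip.items():
        if n >= relay_threshold:
            findings.append({"type": "relay_burst", "ip": ip, "count": n})
    return findings


def match_bounce(date_header, log_text, tolerance_s=5):
    """Find FormMail log entries within tolerance of a bounced mail's Date: header.

    The log is in UTC and has no date column, so the header is converted to UTC
    and compared on seconds-of-day only.
    """
    utc = parsedate_to_datetime(date_header).astimezone(timezone.utc)
    target = utc.hour * 3600 + utc.minute * 60 + utc.second
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not FORMMAIL_RE.search(rec["uri_stem"]):
            continue
        h, m, s = (int(x) for x in rec["time"].split(":"))
        if abs(h * 3600 + m * 60 + s - target) <= tolerance_s:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    for h in match_bounce("Tue, 01 Jan 2002 14:07:29 -0700", SAMPLE_LOG):
        print("bounce matches log entry at", h["time"], "from", h["c_ip"])
```

Run against the constructed sample, `analyze` reports the off-site recipient `bxw@aol.com` from 65.34.109.21 with probe target `www.coloradowild.org/cgi-bin/formmail.pl`, and a relay burst of three successful POSTs from 66.125.153.7; `match_bounce` maps the bounce's 14:07:29 -0700 to the 21:07:30 UTC entry, the same correlation the post makes by hand. Since the relay POSTs carry their recipients in the body, which the web log does not record, the durable fix is the one the post describes: disable or replace the script, or at least confine FormMail's @recipients to your own domains.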
    


