Hi

After some probes at Xmas last year, I hardcoded the email recipient of the web forms of our wind band (http://www.mv-weisslingen.ch), so no faked mail can be sent to the rest of the world by our formmail script. But I want to inform you that somebody tried to misuse the formmail CGI script on Wednesday, January 2, 2002 to send faked mails, apparently to AOL customers (see Appendix 1). As I had fixed our script, he did not succeed... But I think the same sender will also try to send his faked mails through other non-secured formmail scripts on other web servers.

A link in these mails points to a faked AOL website: http://aolbilling.knows.it, where a frame is redirected to http://www.geocities.com/aobilling2002/

On this website, which looks like official AOL pages, you will find a form to request
- credit card information
- social information
- AOL account information
- ...
from the people asked to update their AOL account information.

I also checked the log of the web server and saw that most requests came from the same IP address: cs2416299-149.hot.rr.com.

I wrote to
- aol (it's all about their customers)
- geocities.com (hosting provider of the web page)
- knows.it (redirection to geocities)
- rr.com (origin of the formmail posts)
- bravenet.org (content of the AOL form is posted there)
- several credit card companies (fraud)

That all happened on Wednesday, January 2, 2002 and Thursday, January 3, but still no reaction, and the mentioned web page is still up...

Any ideas what to do now?

Greetings from Switzerland
Michael Hottinger

Appendix 1: Example mail (with our hardcoded recipient address):

Date: Wed, 2 Jan 2002 20:01:18 +0100
To: info@mv-weisslingen.ch
From: CATBillingRepat_private
Subject: Dear AOL Member,

Ausgefuelltes Formular vom Wednesday, January 2, 2002 at 20:01:18
---------------------------------------------------------------------------
: Dear Member<BR><BR><BR>We at America Online Inc. are sorry to inform you that we are having problem's with the billing information of your account. We would appreciate it if you would goto our website [<A HREF="aol://1223:26260/http://aolbilling.knows.it/">AOL Billing Center</A>] and fill out the proper information that we are needing to keep you as an AOL member here on America Online.<BR><BR>If you think you have received this email as an error. Please goto the website and fill out the information. That way we can make sure that everything is ok! Again here is the hyperlink to the page. <A HREF="aol://1223:26260/http://aolbilling.knows.it/">AOL Billing Center</A><BR> <BR> Joe Watson<BR> AOL Billing Center<BR> Rep ID. 355F<BR> <BR> We do hope to continue doing business with you!<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><B
---------------------------------------------------------------------------

Appendix 2: Webserver log

cs2416299-149.hot.rr.com - - [02/Jan/2002:09:04:54 +0100] "GET
/cgi-bin/formmail.pl?email=CATBillingRepat_private&recipient=BonafideBeanerat_private&subject=Dear%20AOL%20Member,&=Dear+Member%3CBR%3E%3CBR%3E%3CBR%3EWe+at+America+Online+Inc.+are+sorry+to+inform+you+that+we+are+having+problem%27s+with+the+billing+information+of+your+account.++We+would+appreciate+it+if+you+would+goto+our+website++%5B%3CA+HREF%3D%22aol%3A%2F%2F1223%3A26260%2Fhttp%3A%2F%2Faolbilling.knows.it%2F%22%3EAOL+Billing+Center%3C%2FA%3E%5D+and+fill+out+the+proper+information+that+we+are+needing+to+keep+you+as+an+AOL+member+here+on+America+Online.%3CBR%3E%3CBR%3EIf+you+think+you+have+received+this+email+as+an+error.++Please+goto+the+website+and+fill+out+the+information.++That+way+we+can+make+sure+that+everything+is+ok%21++Again+here+is+the+hyperlink+to+the+page.++%3CA+HREF%3D%22aol%3A%2F%2F1223%3A26260%2Fhttp%3A%2F%2Faolbilling.knows.it%2F%22%3EAOL+Billing+Center%3C%2FA%3E%3CBR%3E%0D%0A%3C!<br> BR%3E%0D%0AJoe+Watson%3CBR%3E%0D%0AAOL+Billing+Center%3CBR%3E%0D%0ARep+ID.+355F%3CBR%3E%0D%0A%3CBR%3E%0D%0AWe+do+hope+to+continue+doing+business+with+you%21%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%! 
3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3 HTTP/1.1" 200 2762 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; T312461)"

-------------------------------------------------------------------------
Michael Hottinger                     m.hottingerat_private
Universitaet Zuerich                  Phone: +41 1 63 54515
Zentrum Informatikdienste             Fax:   +41 1 63 54505
Winterthurerstr.190, CH-8057 Zuerich
http://www.zi.unizh.ch/services/pc-mac-support/crew/hottinger/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
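As an added example (not the author's formmail script or log), here is the check a web server operator could run over access-log lines to spot relay attempts of the kind shown in Appendix 2, together with a hardcoded-recipient handler of the sort the post describes. The hostnames, addresses and query strings in SAMPLE_LOG are constructed, and the allowed recipient domain is assumed to be the band's own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache combined format (not the post's
# own log); hostnames, addresses and query strings are made up for the example.
SAMPLE_LOG = """\
cs2416299-149.example.net - - [02/Jan/2002:09:04:54 +0100] "GET /cgi-bin/formmail.pl?email=billing%40example.com&recipient=victim%40example.org&subject=Dear%20AOL%20Member HTTP/1.1" 200 2762 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Jan/2002:10:12:01 +0100] "GET /cgi-bin/formmail.pl?email=fan%40example.net&recipient=info%40mv-weisslingen.ch&subject=Konzert HTTP/1.1" 200 2762 "-" "Mozilla/4.0"
cs2416299-149.example.net - - [02/Jan/2002:09:05:10 +0100] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 2762 "-" "Mozilla/4.0"
198.51.100.9 - - [02/Jan/2002:11:00:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ALLOWED_RECIPIENT_DOMAINS = {"mv-weisslingen.ch"}  # assumption: the band's own domain
FIXED_RECIPIENT = "info@mv-weisslingen.ch"         # the hardcoded address from the post


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_relay_attempts(log_text, allowed_domains=ALLOWED_RECIPIENT_DOMAINS):
    """Flag formmail.pl requests whose recipient= points outside allowed_domains;
    returns (suspects, formmail requests per source host). Only GET query strings
    are visible in the access log: a POST is counted but its recipient is unseen."""
    suspects, per_host = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "formmail.pl" not in m["target"]:
            continue
        per_host[m["host"]] += 1
        for rcpt in parse_qs(urlsplit(m["target"]).query).get("recipient", []):
            if recipient_domain(rcpt) not in allowed_domains:
                suspects.append((m["host"], m["time"], rcpt))
    return suspects, per_host


def is_header_safe(value):
    """A CR or LF inside a header field would let a sender inject extra headers."""
    return "\r" not in value and "\n" not in value


def build_message(form):
    """Hardened handler: the destination is fixed server-side, and the
    submitter-controlled email/recipient fields never reach a mail header."""
    subject = form.get("subject", "Web form")
    if not is_header_safe(subject):
        subject = "Web form (subject rejected)"
    body = form.get("message", "") + "\n\nSubmitter-supplied address: " + form.get("email", "")
    return {"to": FIXED_RECIPIENT, "subject": subject, "body": body}
```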
This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 08:38:24 PST