Re: Matt Wright FormMail Attacks

From: Michael Hottinger (m.hottingerat_private)
Date: Mon Jan 14 2002 - 23:04:47 PST


    Hi
    
    After some probes at Christmas last year, I hard-coded the e-mail
    recipient in the web forms of our wind band (http://www.mv-weisslingen.ch),
    so no faked mail can be sent to the rest of the world by our formmail script.
    
    But I want to inform you that somebody tried to misuse the formmail
    CGI script on Wednesday, January 2, 2002 to send faked mails, apparently
    to AOL customers (see Appendix 1). As I had fixed our script, he did not
    succeed...
    
    But I think the same sender will also try to send his
    faked mails through other unsecured formmail scripts on other web servers.
    
    A link in these mails points to a faked AOL website:
    
    http://aolbilling.knows.it
    
    where a frame is redirected to
    
    http://www.geocities.com/aobilling2002/
    
    On this website, which looks like official AOL pages, you will find a
    form requesting
    - credit card information
    - social information
    - AOL account information
    - ...
    from the people asked to update their AOL account information.
    
    I also checked the web server log and saw that most requests came
    from the same IP address: cs2416299-149.hot.rr.com.
    
    I wrote to
    - aol (it's all about their customers)
    - geocities.com (hosting provider of the web page)
    - knows.it (redirection to geocities)
    - rr.com (origin of the formmail posts)
    - bravenet.org (the content of the AOL form is posted there)
    - several credit card companies (fraud)
    
    That all happened on Wednesday, January 2, 2002 and Thursday, January
    3, but still no reaction, and the mentioned web page is still up...
    
    Any ideas what to do now?
    
    Greetings from Switzerland
    Michael Hottinger
    
    
    
    
    Appendix 1: Example mail (with our hard-coded recipient address):
    
    Date: Wed, 2 Jan 2002 20:01:18 +0100
    To: info@mv-weisslingen.ch
    From: CATBillingRepat_private
    Subject: Dear AOL Member,
    
    Completed form from Wednesday, January 2, 2002 at 20:01:18
    ---------------------------------------------------------------------------
    : Dear Member<BR><BR><BR>We at America Online Inc. are sorry to inform you 
    that we are having problem's with the billing information of your account. 
    We would appreciate it if you would goto our website [<A 
    HREF="aol://1223:26260/http://aolbilling.knows.it/">AOL Billing Center</A>] 
    and fill out the proper information that we are needing to keep you as an 
    AOL member here on America Online.<BR><BR>If you think you have received 
    this email as an error. Please goto the website and fill out the 
    information. That way we can make sure that everything is ok! Again here is 
    the hyperlink to the page. <A 
    HREF="aol://1223:26260/http://aolbilling.knows.it/">AOL Billing Center</A><BR>
    <BR>
    Joe Watson<BR>
    AOL Billing Center<BR>
    Rep ID. 355F<BR>
    <BR>
    We do hope to continue doing business with 
    you!<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><B
    ---------------------------------------------------------------------------
    
    
    
    Appendix 2: Web server log
    
    cs2416299-149.hot.rr.com - - [02/Jan/2002:09:04:54 +0100] "GET 
    /cgi-bin/formmail.pl?email=CATBillingRepat_private&recipient=BonafideBeanerat_private&subject=Dear%20AOL%20Member,&=Dear+Member%3CBR%3E%3CBR%3E%3CBR%3EWe+at+America+Online+Inc.+are+sorry+to+inform+you+that+we+are+having+problem%27s+with+the+billing+information+of+your+account.++We+would+appreciate+it+if+you+would+goto+our+website++%5B%3CA+HREF%3D%22aol%3A%2F%2F1223%3A26260%2Fhttp%3A%2F%2Faolbilling.knows.it%2F%22%3EAOL+Billing+Center%3C%2FA%3E%5D+and+fill+out+the+proper+information+that+we+are+needing+to+keep+you+as+an+AOL+member+here+on+America+Online.%3CBR%3E%3CBR%3EIf+you+think+you+have+received+this+email+as+an+error.++Please+goto+the+website+and+fill+out+the+information.++That+way+we+can+make+sure+that+everything+is+ok%21++Again+here+is+the+hyperlink+to+the+page.++%3CA+HREF%3D%22aol%3A%2F%2F1223%3A26260%2Fhttp%3A%2F%2Faolbilling.knows.it%2F%22%3EAOL+Billing+Center%3C%2FA%3E%3CBR%3E%0D%0A%3CBR%3E%0D%0AJoe+Watson%3CBR%3E%0D%0AAOL+Billing+Center%3CBR%3E%0D%0ARep+ID.+355F%3CBR%3E%0D%0A%3CBR%3E%0D%0AWe+do+hope+to+continue+doing+business+with+you%21%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3E%3CBR%3 
    HTTP/1.1" 200 2762 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; T312461)"
    
    -------------------------------------------------------------------------
    Michael Hottinger                                 m.hottingerat_private
    Universitaet Zuerich                                Phone: +41 1 63 54515
    Zentrum Informatikdienste                             Fax: +41 1 63 54505
    Winterthurerstr.190, CH-8057 Zuerich
    http://www.zi.unizh.ch/services/pc-mac-support/crew/hottinger/
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 08:38:24 PST