Re: Matt Wright FormMail Attacks

From: Markus Stumpf (maex-lists-security-incidentsat_private)
Date: Tue Jan 15 2002 - 15:06:24 PST

    On Mon, Jan 14, 2002 at 11:14:49AM -0700, Pence, Derek A. wrote:
    > I've seen it be very successful. Without going into detail, there's a
    > script out there that spammers seem to be passing
    > around that automatically formats and submits data to formmail.pl on
    > remote boxes.  Sure enough... it works like a
    > charm.  If you are curious about the script they are using, just attach
    > a sniffer to your inbound wire and enjoy.
    
    I have added the following lines to my webserver (apache) configuration:
    # ------------------------------------------------------------------------
    Alias    /cgi-bin/phf           /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /cgi-bin/test-cgi      /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /cgi-bin/formmail.pl   /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /cgi-bin/formmail.cgi  /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /cgi-bin/Count.cgi     /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /default.ida           /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /scripts               /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /MSADC                /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /msadc                /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /_vti_bin              /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /_mem_bin              /usr/local/etc/webmgmt/apache/security/watch.cgi
    Alias    /c/winnt               /usr/local/etc/webmgmt/apache/security/watch.cgi
    <Directory /usr/local/etc/webmgmt/apache/security>
      AddHandler cgi-script .cgi
    </Directory>
    # ------------------------------------------------------------------------
    
    This aliases the scripts and the Nimda and Code Red exploits to a Perl script
    (watch.cgi).
    Within this script you can set up email notification (that's what I do)
    or do anything else you want. That way you have an easy real-time
    notification instead of parsing logfiles once in a while.
    
    Besides the email notification I also trigger another cgi (via watch.cgi)
    on a central system to have a centralized collection of issues and feed
    them to a small pseudo database. By having the above configuration in
    some webservers on our webhosting computers we get a good overall impression
    about what's going on.
    
    	\Maex
    
    -- 
    SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
    Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
    Stress is when you wake up screaming and you realize you haven't fallen
    asleep yet.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
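The post describes watch.cgi only in outline (every aliased decoy path hits one CGI that notifies by mail). The script below is an added example of what such a decoy handler can look like, written in Python rather than the poster's Perl, and it is not Markus Stumpf's code. The log path, the mail addresses, the SMTP host and the sample request environment are all assumptions made for the example. It records the CGI variables that matter for an incident record plus a bounded copy of the POST body (for formmail.pl probes that body carries the recipient and text the spammer tried to relay), writes one JSON line per hit so attacker-controlled newlines cannot break the log, builds the notification mail, and answers the client with a plain 404 so the decoy gives nothing away.

```python
#!/usr/bin/env python3
"""Decoy CGI handler in the spirit of the posted watch.cgi (added example).

Install it at the path the Alias lines point to; Apache then runs it for
every probe of /cgi-bin/formmail.pl, /cgi-bin/phf, /default.ida and so on.
"""

import json
import os
import smtplib
import sys
import time
from email.message import EmailMessage
from pathlib import Path

# All of these are assumptions for the example, not values from the post.
LOG_PATH = Path(os.environ.get("WATCH_LOG", "/tmp/watch-cgi.log"))
NOTIFY_TO = "security@example.invalid"
NOTIFY_FROM = "watch-cgi@example.invalid"
SMTP_HOST = "localhost"
MAX_BODY = 4096  # bytes of request body kept per hit

# CGI variables worth keeping for an incident record.
KEEP = ("REMOTE_ADDR", "REQUEST_METHOD", "REQUEST_URI", "SCRIPT_NAME",
        "PATH_INFO", "QUERY_STRING", "HTTP_HOST", "HTTP_USER_AGENT",
        "HTTP_REFERER")

# Constructed sample environment, used by demo() when run outside Apache.
SAMPLE_ENV = {
    "REMOTE_ADDR": "192.0.2.10",
    "REQUEST_METHOD": "POST",
    "REQUEST_URI": "/cgi-bin/formmail.pl",
    "SCRIPT_NAME": "/cgi-bin/formmail.pl",
    "HTTP_HOST": "www.example.invalid",
    "HTTP_USER_AGENT": "Mozilla/4.0 (constructed sample)",
}
SAMPLE_BODY = b"recipient=victim%40example.invalid&subject=hi&message=buy+now"


def collect(environ, body=b"", max_body=MAX_BODY):
    """Reduce the CGI environment and request body to one probe record."""
    rec = {k: environ.get(k, "") for k in KEEP}
    rec["time"] = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    # latin-1 never fails to decode, so hostile bytes cannot crash the handler.
    rec["body"] = body[:max_body].decode("latin-1", "replace")
    return rec


def log_line(rec):
    """One JSON object per line; embedded newlines are escaped, not written raw."""
    return json.dumps(rec, ensure_ascii=True)


def append_log(rec, path=LOG_PATH):
    with open(path, "a", encoding="ascii") as fh:
        fh.write(log_line(rec) + "\n")


def build_notification(rec):
    """Build the operator mail; sending is a separate step so it can be tested."""
    msg = EmailMessage()
    msg["From"] = NOTIFY_FROM
    msg["To"] = NOTIFY_TO
    msg["Subject"] = f"[watch.cgi] probe of {rec['REQUEST_URI']} from {rec['REMOTE_ADDR']}"
    lines = [f"{k}: {rec[k]}" for k in ("time",) + KEEP]
    if rec["body"]:
        lines += ["", f"--- request body (first {MAX_BODY} bytes) ---", rec["body"]]
    msg.set_content("\n".join(lines))
    return msg


def send_notification(msg, host=SMTP_HOST):
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)


def response_text():
    """A bare 404: the decoy should look like nothing is there."""
    return "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found\r\n"


def handle(environ, body):
    rec = collect(environ, body)
    append_log(rec)
    return build_notification(rec)


def demo():
    """Exercise the handler offline on the constructed sample request."""
    return handle(SAMPLE_ENV, SAMPLE_BODY)


def main():
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.buffer.read(length) if length > 0 else b""
    msg = handle(os.environ, body)
    try:
        send_notification(msg)
    except OSError:
        pass  # mail failure must not turn the decoy into a 500
    sys.stdout.write(response_text())


if __name__ == "__main__":
    main()
```

Running `python3 watch.cgi` outside Apache does nothing useful; call `demo()` from an interpreter to see the record and mail built from the constructed sample. Under Apache the body limit and the JSON-per-line log are the two details that matter: the first keeps a large POST from filling the disk or the mailbox, the second keeps one log entry from being forged to look like two.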
    



    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 15:29:33 PST