Re: Matt Wright FormMail Attacks

From: Markus Stumpf (maex-lists-security-incidentsat_private)
Date: Tue Jan 15 2002 - 15:06:24 PST

Next message: Gary Porter: "Trojans that use LDAP"

Previous message: RainbowHat: "Re: New DNS connection with SYN ACK"
In reply to: Pence, Derek A.: "RE: Matt Wright FormMail Attacks"
Next in thread: Michael Hottinger: "Re: Matt Wright FormMail Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 14, 2002 at 11:14:49AM -0700, Pence, Derek A. wrote:
> I've seen it be very successful. Without going into detail, there's a
> script out there that spammers seem to be passing
> around that automatically formats and submits data to formmail.pl on
> remote boxes.  Sure enough... it works like a
> charm.  If you are curious about the script they are using, just attach
> a sniffer to your inbound wire and enjoy.

I have added the following lines to my webserver (apache) configuration:
# ------------------------------------------------------------------------
Alias    /cgi-bin/phf           /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /cgi-bin/test-cgi      /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /cgi-bin/formmail.pl   /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /cgi-bin/formmail.cgi  /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /cgi-bin/Count.cgi     /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /default.ida           /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /scripts               /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /MSADC         	/usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /msadc         	/usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /_vti_bin              /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /_mem_bin              /usr/local/etc/webmgmt/apache/security/watch.cgi
Alias    /c/winnt               /usr/local/etc/webmgmt/apache/security/watch.cgi
<Directory /usr/local/etc/webmgmt/apache/security>
  AddHandler cgi-script .cgi
</Directory>
# ------------------------------------------------------------------------

This aliases the scripts and the Nimda and Code Red exploits to a perl script
(watch.cgi).
Within this script you can setup email notification (thats what I do)
or do anything else you want. That way you have an easy realtime
notification instead of parsing logfiles once in a while.

Besides the email notification I also trigger another cgi (via watch.cgi)
on a central system to have a centralized collection of issues and feed
them to a small pseudo database. By having the above configuration in
some webservers on our webhosting computers we get a good overall impression
about whats going on.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Gary Porter: "Trojans that use LDAP"
Previous message: RainbowHat: "Re: New DNS connection with SYN ACK"
In reply to: Pence, Derek A.: "RE: Matt Wright FormMail Attacks"
Next in thread: Michael Hottinger: "Re: Matt Wright FormMail Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 15:29:33 PST