<victim>server formmail.pl exploit in the wild

From: Andrew Daviel (andrewat_private)
Date: Thu Apr 11 2002 - 16:06:21 PDT

    I've seen an attempt to exploit FormMail.pl version 1.9 (the latest 
    official version), viz.
    
    Tue Apr  9 15:40:50 2002
    REMOTE_ADDR=172.190.98.15
    REQUEST_METHOD=POST
    REMOTE_PORT=2768
    HTTP_CACHE_CONTROL=no-cache
    REQUEST_URI=/cgi-bin/formmail.pl
    CONTENT_TYPE=application/x-www-form-urlencoded
    CONTENT_LENGTH=2153
    Count 1
    . 
    
    We will show you how to not only make money online, 
    ..
    subject academics                         NyZ0f
    recipient 
    <a2888at_private>vancouver-webpages.com,<a28danat_private>vancouver-webpages.com,
    etc.
    
    as per
    http://online.securityfocus.com/archive/1/252232
    
    I have also seen an extensive credit card fraud spam campaign aimed at AOL 
    users exploiting the earlier vulnerability in FormMail.pl version 1.6.
    
    
    Andrew Daviel, TRIUMF, Canada
    Tel. +1 (604) 222-7376
    securityat_private
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
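
A defensive check for the request shape logged above, added here as an example that is not part of the original post or of FormMail itself: it parses a urlencoded form POST body and flags a `recipient` field that carries several comma-separated entries, angle brackets, or addresses outside an allow-list. The allow-list, the function name and the sample bodies (example.org / example.com addresses) are constructed assumptions.

```python
from urllib.parse import parse_qs

# Assumption: the site's forms only ever mail these exact addresses.
ALLOWED_RECIPIENTS = {"webmaster@example.org"}

# Constructed sample bodies (not taken from the logged request).
SAMPLE_NORMAL = "subject=feedback&recipient=webmaster%40example.org&comments=hi"
SAMPLE_ABUSE = (
    "subject=academics&recipient="
    "%3Ca1%40mail.example.com%3Eexample.org%2C"
    "%3Ca2%40mail.example.com%3Eexample.org%2C"
)


def check_formmail_post(body, allowed=ALLOWED_RECIPIENTS):
    """Return reasons a urlencoded FormMail POST body looks like relay abuse."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("recipient", [])
    reasons = []
    if len(values) > 1:
        reasons.append("recipient field repeated")
    for value in values:
        # Trailing commas, as in the logged request, leave empty entries.
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if len(entries) > 1:
            reasons.append("%d recipients in one field" % len(entries))
        if "<" in value or ">" in value:
            reasons.append("angle brackets in recipient")
        unknown = [e for e in entries if e.lower() not in allowed]
        if unknown:
            reasons.append("%d recipient(s) outside allow-list" % len(unknown))
    return reasons


if __name__ == "__main__":
    for name, body in (("normal", SAMPLE_NORMAL), ("abuse", SAMPLE_ABUSE)):
        print(name, check_formmail_post(body) or "ok")
```

The allow-list compares whole addresses, so an entry that merely ends in the site's own domain, like those in the logged recipient field, is still flagged.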
    


