Re: <victim>server formmail.pl exploit in the wild

From: Justin Shore (macdaddyat_private)
Date: Fri Apr 12 2002 - 08:35:22 PDT

Next message: dullienat_private: "Re: FW: Footprints of ASP ISAPI filter buffer overflows"

Previous message: Jonathon.Kalaugher@sbg-ap.com: "FW: Footprints of ASP ISAPI filter buffer overflows"
Maybe in reply to: Andrew Daviel: "<victim>server formmail.pl exploit in the wild"
Next in thread: mike maxwell: "Re: <victim>server formmail.pl exploit in the wild"
Reply: mike maxwell: "Re: <victim>server formmail.pl exploit in the wild"
Reply: Robert Zilbauer: "RE: <victim>server formmail.pl exploit in the wild"
Reply: Benjamin Tomhave: "RE: <victim>server formmail.pl exploit in the wild"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

One of my servers had an old copy of formmail.cgi on it (1.6) a few weeks 
ago which got that server listed in SpamCop.  Every single malicious use 
of that cgi came from pacbell.net DSL customers.  Since upgrading to 1.9 
we haven't had any trouble, yet <knock on wood>.  I would rather find a 
PHP solution for form handling.

Justin

On 4/11/02 6:06 PM Andrew Daviel said...

>
>I've seen an attempt to exploit FormMail.pl version 1.9 (the latest 
>official version), viz.
>
>Tue Apr  9 15:40:50 2002
>REMOTE_ADDR=172.190.98.15
>REQUEST_METHOD=POST
>REMOTE_PORT=2768
>HTTP_CACHE_CONTROL=no-cache
>REQUEST_URI=/cgi-bin/formmail.pl
>CONTENT_TYPE=application/x-www-form-urlencoded
>CONTENT_LENGTH=2153
>Count 1
>. 
>
>We will show you how to not only make money online, 
>..
>subject academics                         NyZ0f
>recipient 
><a2888at_private>vancouver-webpages.com,<a28danat_private>vancouver-webpag
>es.com,
>etc.
>
>as per
>http://online.securityfocus.com/archive/1/252232
>
>I have also seen an extensive credit card fraud spam campaign aimed at AOL 
>users exploiting the earlier vulnerability in FormMail.pl version 1.6
>
>
>Andrew Daviel, TRIUMF, Canada
>Tel. +1 (604) 222-7376
>securityat_private
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management 
>and tracking system please see: http://aris.securityfocus.com



--
Justin Shore, ES-SS ES-SSR      Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: dullienat_private: "Re: FW: Footprints of ASP ISAPI filter buffer overflows"
Previous message: Jonathon.Kalaugher@sbg-ap.com: "FW: Footprints of ASP ISAPI filter buffer overflows"
Maybe in reply to: Andrew Daviel: "<victim>server formmail.pl exploit in the wild"
Next in thread: mike maxwell: "Re: <victim>server formmail.pl exploit in the wild"
Reply: mike maxwell: "Re: <victim>server formmail.pl exploit in the wild"
Reply: Robert Zilbauer: "RE: <victim>server formmail.pl exploit in the wild"
Reply: Benjamin Tomhave: "RE: <victim>server formmail.pl exploit in the wild"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 10:12:27 PDT