Re: <victim>server formmail.pl exploit in the wild

From: mike maxwell (mmaxwellat_private)
Date: Fri Apr 12 2002 - 12:11:39 PDT

Next message: Noel Rosenberg: "Re: <victim>server formmail.pl exploit in the wild"

Previous message: Robert Buckley: "Possible DOS?"
In reply to: Justin Shore: "Re: <victim>server formmail.pl exploit in the wild"
Next in thread: Robert Zilbauer: "RE: <victim>server formmail.pl exploit in the wild"
Next in thread: Noel Rosenberg: "Re: <victim>server formmail.pl exploit in the wild"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

formmail 1.9 is vulnerable...we were just hit by it.....many messages went out
before we causght it ......supposedly the version at

http://www.monkeys.com/anti-spam/filtering/formmail.html

takes care of the problem.......:-(

Justin Shore wrote:

> One of my servers had an old copy of formmail.cgi on it (1.6) a few weeks
> ago which got that server listed in SpamCop.  Every single malicious use
> of that cgi came from pacbell.net DSL customers.  Since upgrading to 1.9
> we haven't had any trouble, yet <knock on wood>.  I would rather find a
> PHP solution for form handling.
>
> Justin
>
> On 4/11/02 6:06 PM Andrew Daviel said...
>
> >
> >I've seen an attempt to exploit FormMail.pl version 1.9 (the latest
> >official version), viz.
> >
> >Tue Apr  9 15:40:50 2002
> >REMOTE_ADDR=172.190.98.15
> >REQUEST_METHOD=POST
> >REMOTE_PORT=2768
> >HTTP_CACHE_CONTROL=no-cache
> >REQUEST_URI=/cgi-bin/formmail.pl
> >CONTENT_TYPE=application/x-www-form-urlencoded
> >CONTENT_LENGTH=2153
> >Count 1
> >.
> >
> >We will show you how to not only make money online,
> >..
> >subject academics                         NyZ0f
> >recipient
> ><a2888at_private>vancouver-webpages.com,<a28danat_private>vancouver-webpag
> >es.com,
> >etc.
> >
> >as per
> >http://online.securityfocus.com/archive/1/252232
> >
> >I have also seen an extensive credit card fraud spam campaign aimed at AOL
> >users exploiting the earlier vulnerability in FormMail.pl version 1.6
> >
> >
> >Andrew Daviel, TRIUMF, Canada
> >Tel. +1 (604) 222-7376
> >securityat_private
> >
> >
> >----------------------------------------------------------------------------
> >This list is provided by the SecurityFocus ARIS analyzer service.
> >For more information on this free incident handling, management
> >and tracking system please see: http://aris.securityfocus.com
>
> --
> Justin Shore, ES-SS ES-SSR      Pittsburg State University
> Network & Systems Manager       Kelce 157Q
> Office of Information Systems   Pittsburg, KS 66762
> Voice: (620) 235-4606           Fax: (620) 235-4545
> http://www.pittstate.edu/ois/
>
> Warning:  This message has been quadruple Rot13'ed for your protection.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Mike Maxwell
System Manager--GMA
mmaxwellat_private
****************************************************



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Noel Rosenberg: "Re: <victim>server formmail.pl exploit in the wild"
Previous message: Robert Buckley: "Possible DOS?"
In reply to: Justin Shore: "Re: <victim>server formmail.pl exploit in the wild"
Next in thread: Robert Zilbauer: "RE: <victim>server formmail.pl exploit in the wild"
Next in thread: Noel Rosenberg: "Re: <victim>server formmail.pl exploit in the wild"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 13:18:04 PDT