Re: <victim>server formmail.pl exploit in the wild

From: mike maxwell (mmaxwellat_private)
Date: Fri Apr 12 2002 - 12:11:39 PDT


    formmail 1.9 is vulnerable...we were just hit by it.....many messages went out
    before we caught it ......supposedly the version at
    
    http://www.monkeys.com/anti-spam/filtering/formmail.html
    
    takes care of the problem.......:-(
    
    Justin Shore wrote:
    
    > One of my servers had an old copy of formmail.cgi on it (1.6) a few weeks
    > ago which got that server listed in SpamCop.  Every single malicious use
    > of that cgi came from pacbell.net DSL customers.  Since upgrading to 1.9
    > we haven't had any trouble, yet <knock on wood>.  I would rather find a
    > PHP solution for form handling.
    >
    > Justin
    >
    > On 4/11/02 6:06 PM Andrew Daviel said...
    >
    > >
    > >I've seen an attempt to exploit FormMail.pl version 1.9 (the latest
    > >official version), viz.
    > >
    > >Tue Apr  9 15:40:50 2002
    > >REMOTE_ADDR=172.190.98.15
    > >REQUEST_METHOD=POST
    > >REMOTE_PORT=2768
    > >HTTP_CACHE_CONTROL=no-cache
    > >REQUEST_URI=/cgi-bin/formmail.pl
    > >CONTENT_TYPE=application/x-www-form-urlencoded
    > >CONTENT_LENGTH=2153
    > >Count 1
    > >.
    > >
    > >We will show you how to not only make money online,
    > >..
    > >subject academics                         NyZ0f
    > >recipient
    > ><a2888at_private>vancouver-webpages.com,<a28danat_private>vancouver-webpag
    > >es.com,
    > >etc.
    > >
    > >as per
    > >http://online.securityfocus.com/archive/1/252232
    > >
    > >I have also seen an extensive credit card fraud spam campaign aimed at AOL
    > >users exploiting the earlier vulnerability in FormMail.pl version 1.6
    > >
    > >
    > >Andrew Daviel, TRIUMF, Canada
    > >Tel. +1 (604) 222-7376
    > >securityat_private
    > >
    > >
    > >----------------------------------------------------------------------------
    > >This list is provided by the SecurityFocus ARIS analyzer service.
    > >For more information on this free incident handling, management
    > >and tracking system please see: http://aris.securityfocus.com
    >
    > --
    > Justin Shore, ES-SS ES-SSR      Pittsburg State University
    > Network & Systems Manager       Kelce 157Q
    > Office of Information Systems   Pittsburg, KS 66762
    > Voice: (620) 235-4606           Fax: (620) 235-4545
    > http://www.pittstate.edu/ois/
    >
    > Warning:  This message has been quadruple Rot13'ed for your protection.
    >
    
    --
    Mike Maxwell
    System Manager--GMA
    mmaxwellat_private
    ****************************************************
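
A detection check for the kind of request logged earlier in this thread (a POST to /cgi-bin/formmail.pl whose recipient field carries a list of addresses), as an added example that is not part of the original messages. The allowed domain, the recipient limit and the sample request bodies are constructed assumptions.

```python
from urllib.parse import parse_qs

# Assumptions for this example: the only domain this site's forms should
# mail to, and the most recipients a legitimate form here would name.
ALLOWED_DOMAINS = {"example.org"}
MAX_RECIPIENTS = 2

def audit_formmail_post(request_uri, body):
    """Return the reasons a logged form-mail POST looks like relay abuse."""
    if "formmail" not in request_uri.lower():
        return []
    fields = parse_qs(body, keep_blank_values=True)
    recipient = ",".join(fields.get("recipient", []))
    parts = [p.strip() for p in recipient.split(",") if p.strip()]
    reasons = []
    if len(parts) > MAX_RECIPIENTS:
        reasons.append(f"{len(parts)} recipients in one request")
    # A plain form recipient needs no angle brackets (assumption).
    if "<" in recipient or ">" in recipient:
        reasons.append("angle brackets in recipient field")
    offsite = set()
    for part in parts:
        # Everything after the last "@" is treated as the delivery domain.
        domain = part.rsplit("@", 1)[-1].strip("<> ").lower()
        if "@" not in part or domain not in ALLOWED_DOMAINS:
            offsite.add(domain)
    if offsite:
        reasons.append("off-site recipient domains: " + ", ".join(sorted(offsite)))
    return reasons

# Constructed sample bodies (application/x-www-form-urlencoded), not real traffic.
SAMPLE_LEGIT = "recipient=webmaster%40example.org&subject=feedback&message=hi"
SAMPLE_ABUSE = ("recipient=a%40mail.example.net%2Cb%40mail.example.net"
                "%2Cc%40other.example.com&subject=offer&message=hello")

if __name__ == "__main__":
    for name, body in (("legit", SAMPLE_LEGIT), ("abuse", SAMPLE_ABUSE)):
        print(name, audit_formmail_post("/cgi-bin/formmail.pl", body))
```
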
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 13:18:04 PDT