In the past 2 weeks I've had several of my web hosting servers hit with this exploit, thanks to FormMail 1.6. I simply chmod 000 the offending scripts in the short-term, or let folks replace it with 1.9s, though I'm guessing there are generic 1.9 versions out there, too. Sources were from all over the world, from aol.com to .tw and so on and so forth.

-----Original Message-----
From: Justin Shore [mailto:macdaddyat_private]
Sent: Friday, April 12, 2002 9:35 AM
To: Andrew Daviel; incidentsat_private
Subject: Re: <victim>server formmail.pl exploit in the wild

One of my servers had an old copy of formmail.cgi on it (1.6) a few weeks ago which got that server listed in SpamCop. Every single malicious use of that cgi came from pacbell.net DSL customers. Since upgrading to 1.9 we haven't had any trouble, yet <knock on wood>. I would rather find a PHP solution for form handling.

Justin

On 4/11/02 6:06 PM Andrew Daviel said...

>
>I've seen an attempt to exploit FormMail.pl version 1.9 (the latest
>official version), viz.
>
>Tue Apr 9 15:40:50 2002
>REMOTE_ADDR=172.190.98.15
>REQUEST_METHOD=POST
>REMOTE_PORT=2768
>HTTP_CACHE_CONTROL=no-cache
>REQUEST_URI=/cgi-bin/formmail.pl
>CONTENT_TYPE=application/x-www-form-urlencoded
>CONTENT_LENGTH=2153
>Count 1
>.
>
>We will show you how to not only make money online,
>..
>subject academics NyZ0f
>recipient
><a2888at_private>vancouver-webpages.com,<a28danat_private>vancouver-webpag
>es.com,
>etc.
>
>as per
>http://online.securityfocus.com/archive/1/252232
>
>I have also seen an extensive credit card fraud spam campaign aimed at AOL
>users exploiting the earlier vulnerability in FormMail.pl version 1.6
>
>
>Andrew Daviel, TRIUMF, Canada
>Tel. +1 (604) 222-7376
>securityat_private
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

--
Justin Shore, ES-SS ES-SSR       Pittsburg State University
Network & Systems Manager        Kelce 157Q
Office of Information Systems    Pittsburg, KS 66762
Voice: (620) 235-4606            Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning: This message has been quadruple Rot13'ed for your protection.

This archive was generated by hypermail 2b30 : Sun Apr 14 2002 - 14:59:24 PDT