Hi All,

Over the last week or so snort has been picking up many probes like this:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-CGI formmail arbitrary command execution attempt [**]
09/05-01:24:57.641599 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x30F
62.49.117.114:2645 -> 130.216.35.105:80 TCP TTL:107 TOS:0x0 ID:20226 IpLen:20 DgmLen:769 DF
***AP*** Seq: 0x350A6D63 Ack: 0x5BFB5778 Win: 0x2238 TcpLen: 20
50 4F 53 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F  POST /cgi-bin/fo
72 6D 6D 61 69 6C 2E 70 6C 20 48 54 54 50 2F 31  rmmail.pl HTTP/1
2E 30 0D 0A 56 69 61 3A 20 31 2E 30 20 53 45 52  .0..Via: 1.0 SER
56 45 52 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A  VER..Connection:
20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E   Keep-Alive..Con
74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34 30 32  tent-Length: 402
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F  ..User-Agent: Mo
7A 69 6C 6C 61 2F 34 2E 30 36 20 28 57 69 6E 39  zilla/4.06 (Win9
35 3B 20 49 29 0D 0A 43 6F 6E 74 65 6E 74 2D 54  5; I)..Content-T
79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E  ype: application
2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65  /x-www-form-urle
6E 63 6F 64 65 64 0D 0A 48 6F 73 74 3A 20 77 77  ncoded..Host: ww
77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63  w.cs.auckland.ac
2E 6E 7A 0D 0A 41 63 63 65 70 74 3A 20 69 6D 61  .nz..Accept: ima
67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F 78 2D  ge/gif, image/x-
78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65 2F 6A  xbitmap, image/j
70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E  peg, application
2F 6D 73 77 6F 72 64 2C 20 2A 2F 2A 0D 0A 52 65  /msword, */*..Re
66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77  ferer: http://ww
77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63  w.cs.auckland.ac
2E 6E 7A 0D 0A 0D 0A 65 6D 61 69 6C 3D 64 61 61  .nz....email=daa
31 38 40 66 64 6A 31 30 2E 63 6F 6D 26 72 65 63  18at_private&rec
69 70 69 65 6E 74 3D 3C 69 69 6B 65 73 74 79 78  ipient=<iikestyx
40 61 6F 6C 2E 63 6F 6D 3E 77 77 77 2E 63 73 2E  @aol.com>www.cs.
61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 26 73  auckland.ac.nz&s
75 62 6A 65 63 74 3D 77 77 77 2E 63 73 2E 61 75  ubject=www.cs.au
63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 25 32 46 63  ckland.ac.nz%2Fc
67 69 2D 62 69 6E 25 32 46 66 6F 72 6D 6D 61 69  gi-bin%2Fformmai
6C 2E 70 6C 25 32 30 25 32 30 25 32 30 25 32 30  l.pl%20%20%20%20
25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25  %20%20%20%20%20%
32 30 25 32 30 25 32 30 25 32 30 25 32 30 6F 78  20%20%20%20%20ox
79 35 32 26 3D 25 30 44 25 30 41 25 30 44 25 30  y52&=%0D%0A%0D%0
41 74 69 6D 65 25 32 46 64 61 74 65 25 33 41 25  Atime%2Fdate%3A%
32 30 30 38 25 33 41 32 30 25 33 41 31 39 70 6D  2008%3A20%3A19pm
25 32 30 25 32 46 25 32 30 30 39 25 32 46 30 34  %20%2F%2009%2F04
25 32 46 32 30 30 32 25 30 44 25 30 41 3C 41 25  %2F2002%0D%0A<A%
32 30 48 52 45 46 25 33 44 25 32 32 77 77 77 2E  20HREF%3D%22www.
63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E  cs.auckland.ac.n
7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66 6F  z%2Fcgi-bin%2Ffo
72 6D 6D 61 69 6C 2E 70 6C 25 32 32 3E 77 77 77  rmmail.pl%22>www
2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E  .cs.auckland.ac.
6E 7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66  nz%2Fcgi-bin%2Ff
6F 72 6D 6D 61 69 6C 2E 70 6C 3C 25 32 46 41 3E  ormmail.pl<%2FA>
25 30 44 25 30 41 25 30 44 25 30 41 25 30 44 25  %0D%0A%0D%0A%0D%
30 41 25 30 44 25 30 41 25 30 44 25 30 41 25 30  0A%0D%0A%0D%0A%0
44 25 30 41 6F 78 79 35 32                       D%0Aoxy52
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Am I right in assuming that this is just more spammers looking for places to
launder mail, or is it more sinister than that? I.e. do we believe the
'arbitrary command execution attempt' bit?

Cheers, Russell.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It ain't necessarily so" - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
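The triage Russell's question calls for, as an added example that is not part of the original post and not Snort's own code: it rebuilds the HTTP request from the hex column of a Snort packet dump and checks the two things that separate a relay-hunting spammer from something worse: whether the 'recipient' field points outside the target's own domain (and whether the message carries the script's own URL, the pattern visible in the captured payload), and whether the fields that end up in mail headers carry CR/LF or shell metacharacters. The sample request, host names and mailboxes are constructed; the hostile dump is rendered from them by a helper so the parser is exercised on Snort's real layout.

```python
import re
from urllib.parse import parse_qs
# Constructed sample (not the post's bytes): the same shape as the captured probe,
# an outside mailbox in 'recipient' and the script's own URL in 'subject'.
SAMPLE_REQUEST = (
    b"POST /cgi-bin/formmail.pl HTTP/1.0\r\nHost: www.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"email=probe%40mailer.example&recipient=%3Cdropbox%40mailer.example%3E"
    b"&subject=www.example.edu%2Fcgi-bin%2Fformmail.pl&=%0D%0A%0D%0Atest"
)

def to_snort_dump(payload: bytes) -> str:
    """Render bytes in Snort's packet-dump layout: 16 hex pairs, then an ASCII column."""
    rows = []
    for i in range(0, len(payload), 16):
        chunk = payload[i:i + 16]
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(" ".join(f"{b:02X}" for b in chunk).ljust(47) + "  " + ascii_col)
    return "\n".join(rows)

def from_snort_dump(dump: str) -> bytes:
    """Rebuild the payload from the hex column (stops at the first non-hex token)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def triage_formmail(dump: str) -> dict:
    """Classify a captured formmail.pl POST: relay probe vs. header/command injection."""
    head, _, body = from_snort_dump(dump).partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    path = (lines[0].split() + ["", ""])[1]
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
    fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
    host = headers.get("host", "").lower()
    # Recipient domains that are not the target's own: the mail would leave the site.
    external = sorted({d.lower() for d in re.findall(r"@([\w.-]+)", fields.get("recipient", ""))
                       if d.lower() != host and not host.endswith("." + d.lower())})
    # CR/LF or shell metacharacters in header-bound fields are what would make the
    # alert's "command execution" label credible; a plain relay probe has none.
    injection = [k for k in ("email", "recipient", "subject")
                 if re.search(r"[\r\n;|`$]", fields.get(k, ""))]
    # A relay-hunting probe mails itself the URL of the script it just found.
    echoes_script = bool(path) and any(path in v for v in fields.values())
    verdict = ("possible injection via " + ",".join(injection) if injection else
               "relay probe: recipient outside " + host if external else "ordinary submission")
    return {"host": host, "external": external, "injection": injection,
            "echoes_script": echoes_script, "verdict": verdict}
```

Run `triage_formmail(to_snort_dump(SAMPLE_REQUEST))` to see the sample classified as a relay probe; feeding it the hex rows of a real alert works the same way.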
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 09:15:12 PDT