Security Incidents
mailing list archives
Re: new type of formmail probes
From: robinton () gmx de (Soeren Ziehe)
Date: 06 Sep 2002 10:44:00 +0200
In article <1031192635.27151.37.camel () bloodnock> [05 Sep 02]
Russell Fulton <r.fulton () auckland ac nz> wrote:
> Am I right in assuming that this is just more spammers looking for
> places to launder mail or is it more sinister than that? I.e. do
> we believe the 'arbitrary command execution attempt' bit?
Spammers looking for vulnerable formmail versions.
For the last months they've been looking for
/cgi-bin/formmail.pl
/cgi-bin/formmail.cgi
/cgi-local/formmail.pl
/cgi-local/formmail.cgi
Since last week I also see probes for
/cgi-bin/FormMail.pl
/cgi-bin/FormMail.cgi
We had 2 incidents in our network where "older" (1.6 - latest is 1.92)
installations were detected in "non-standard" locations.
For one incident I've got log data. The attack consisted of coordinated
accesses from several locations worldwide (br, us, de, edu, jp, ...).
After disabling the script (ca. 3h into the attack) these distributed
attacks continued for about 18 hours.
Address restrictions were circumvented by using
"<recipient () example com>www.victim.com" style recipient addresses.
No hard evidence, but I suspect the following:
- the spammers may be looking actively for forms and associated scripts
by spidering websites
- the spammers may command "bot nets" or distributed cracked and
compromised hosts, which then are used to send out spam.
Robinton
--
Origin: Die Antwort lautet 41.735979 ! ;-)
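The two defensive checks this post implies, written out as an added example (my code, not part of the original message or of FormMail itself): a scanner that picks FormMail probe requests out of web server access logs, and a recipient validator that rejects the "<recipient () example com>www.victim.com" style of address used to get past a domain-based restriction. The scanner generalizes the six paths listed above by matching on the script name (formmail.pl / formmail.cgi, any case) in any directory, so installations in "non-standard" locations are flagged too. The log lines, IP addresses and allow-listed address are constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Script names seen in the probes; matching on the basename (case-insensitive)
# covers /cgi-bin, /cgi-local, the FormMail.* capitalisation and any other directory.
PROBED_SCRIPTS = frozenset({"formmail.pl", "formmail.cgi"})

# Apache Common Log Format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Return the named fields of a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_formmail_probe(target):
    """True when the request path names a FormMail script, whatever the directory or case."""
    path = urlsplit(target).path          # drop any ?recipient=... query string
    return posixpath.basename(path).lower() in PROBED_SCRIPTS


def find_probes(lines):
    """Return (source_ip, path, status) for every probe found in the given log lines."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_formmail_probe(rec["target"]):
            hits.append((rec["ip"], urlsplit(rec["target"]).path, int(rec["status"])))
    return hits


def distinct_sources(hits):
    """Number of distinct source addresses; a high count over a short window
    matches the coordinated, distributed pattern described in the post."""
    return len({ip for ip, _, _ in hits})


# A bare addr-spec only: no display names, angle brackets or trailing text.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def naive_domain_check(recipient, allowed_domain):
    """A substring check of the kind the post's bypass defeats: the bracketed
    outside address followed by the allowed hostname still 'contains' the domain."""
    return allowed_domain.lower() in recipient.lower()


def strict_recipient_check(recipient, allowed_recipients):
    """Accept only a bare address that exactly equals an allow-listed address."""
    r = recipient.strip()
    if not ADDR_SPEC.match(r):
        return False
    return r.lower() in {a.lower() for a in allowed_recipients}


# Constructed sample access-log lines (not from the post); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Sep/2002:23:10:41 +0200] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 282',
    '198.51.100.23 - - [05/Sep/2002:23:11:02 +0200] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 282',
    '192.0.2.55 - - [05/Sep/2002:23:11:30 +0200] "POST /contact/old/FormMail.pl HTTP/1.0" 200 1203',
    '192.0.2.99 - - [05/Sep/2002:23:12:00 +0200] "GET /index.html HTTP/1.0" 200 5120',
]

# Constructed allow list and the recipient form described in the post.
ALLOWED = {"webmaster@www.victim.com"}
BYPASS_STYLE = "<outsider@example.com>www.victim.com"

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("probe:", hit)
    print("distinct sources:", distinct_sources(find_probes(SAMPLE_LOG)))
    print("naive check passes bypass:", naive_domain_check(BYPASS_STYLE, "www.victim.com"))
    print("strict check passes bypass:", strict_recipient_check(BYPASS_STYLE, ALLOWED))
```

The third sample line shows why the basename rule matters: a copy of FormMail.pl under /contact/old/ would be missed by a fixed list of /cgi-bin paths but is still the script the probes are hunting for. On the recipient side, the strict check replaces "does the string mention our domain" with "is this exactly one of the addresses we mail to", which is the property a form-to-mail gateway actually needs.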
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com