[PLUG] Scanning for formmail ...

Webfoot webfoot at easystreet.com
Mon Apr 1 19:11:25 UTC 2002


Yes, there is an exploit that is widely used for spam.

I have updated my scripts per:

   http://www.mailvalley.com/formmail/

Also, I would suggest renaming formmail.pl to some other name.

= = = = = = = = = = = = = = = = = = = = = =

Day Tooley
webfoot at easystreet.com
www.webfooters.com
www.fcc-oregon.org

----- Original Message -----
From: "Colin Kuskie" <ckuskie at dalsemi.com>
To: <plug at lists.pdxlinux.org>
Sent: Monday, April 01, 2002 10:40 AM
Subject: [PLUG] Scanning for formmail ...


> I'm seeing a lot of entries in my apache access_log that look like
> this:
>
> 172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-bin/formmail.pl?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-bin/formmail.pl&body=JupZ&email=uru@aol.com HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
> 172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-local/formmail.pl?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-local/formmail.pl&body=JupZ&email=kxq@aol.com HTTP/1.1" 404 227 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
> 172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-bin/formmail.cgi?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-bin/formmail.cgi&body=JupZ&email=yab@aol.com HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
> 172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-local/formmail.cgi?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-local/formmail.cgi&body=JupZ&email=iuj@aol.com HTTP/1.1" 404 228 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
>
> After looking at over 50 sets of these, I've noticed a couple of things:
>
> 1) They always come in sets of 4.
> 2) The email field appears to be randomly generated ...@aol.com
> 3) The recipient is constant for a given block of IP addresses, in this
> case formmailrogers@yahoo.com
>
> To me it looks like someone is using some kind of automated scanning
> tool to see if the site has a poorly configured Matt Wright formmail
> script.  The tool user looks in their email account for URLs of
> potential targets.
>
> Is anyone else seeing URLs like this in their logs?  Has anyone heard
> about a formmail exploit, or a scanning tool that looks for it?  Also,
> if they're actually stupid enough to use a real email address that's
> potentially traceable, should I send my logs to someone who might
> arrest the little turds?
>
> Colin
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
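As an added example, not part of either message above: a small Python script that parses Apache combined-format access_log lines, pulls out requests that look like the FormMail probes Colin describes (one of the four script locations, with recipient= and email= parameters), and groups them by source IP and recipient so one scan run shows up as one record with a flag for whether all four locations were tried. The sample log is constructed: the first four lines are the entries from the post with the addresses in plain form, and the last two are invented (a second scanner at the placeholder IP 10.1.2.3 hitting a live script, and an ordinary request that must not be flagged).

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, as in the access_log excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The four locations the scanner tries, in the order seen in the post.
PROBE_PATHS = (
    "/cgi-bin/formmail.pl",
    "/cgi-local/formmail.pl",
    "/cgi-bin/formmail.cgi",
    "/cgi-local/formmail.cgi",
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if the
    line does not parse (truncated lines, other log formats)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Keep the first value of each query parameter; keep_blank_values so an
    # empty recipient= still shows up as a key.
    entry["query"] = {k: v[0] for k, v in
                      parse_qs(parts.query, keep_blank_values=True).items()}
    return entry


def is_formmail_probe(entry):
    """A request counts as a FormMail probe when it targets one of the known
    script locations and carries the recipient/email parameters the scanner
    uses to get a confirmation mail back to its own mailbox."""
    return (
        entry is not None
        and entry["path"].lower() in PROBE_PATHS
        and "recipient" in entry["query"]
        and "email" in entry["query"]
    )


def find_probes(lines):
    """Return the parsed entries that look like FormMail probes."""
    return [e for e in map(parse_line, lines) if is_formmail_probe(e)]


def summarize(probes):
    """Group probes by (source IP, recipient address) so that one scan run
    collapses to one record. 'complete' is True when all four script
    locations were tried; 'hits' lists paths that returned 200, i.e. a live
    script that may actually have sent the mail."""
    groups = defaultdict(lambda: {"paths": set(), "hits": set(), "count": 0})
    for e in probes:
        g = groups[(e["ip"], e["query"]["recipient"])]
        g["count"] += 1
        g["paths"].add(e["path"].lower())
        if e["status"] == 200:
            g["hits"].add(e["path"].lower())
    return {
        key: {"count": g["count"],
              "complete": g["paths"] == set(PROBE_PATHS),
              "hits": sorted(g["hits"])}
        for key, g in groups.items()
    }


# Constructed sample log (see the lead-in): four probes from the post, one
# invented probe that found a live script, one invented ordinary request.
UA = '"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"'
SAMPLE_LOG = [
    '172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-bin/formmail.pl?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-bin/formmail.pl&body=JupZ&email=uru@aol.com HTTP/1.1" 404 225 "-" ' + UA,
    '172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-local/formmail.pl?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-local/formmail.pl&body=JupZ&email=kxq@aol.com HTTP/1.1" 404 227 "-" ' + UA,
    '172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-bin/formmail.cgi?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-bin/formmail.cgi&body=JupZ&email=yab@aol.com HTTP/1.1" 404 226 "-" ' + UA,
    '172.159.122.83 - - [31/Mar/2002:09:02:53 -0800] "GET /cgi-local/formmail.cgi?recipient=formmailrogers@yahoo.com&subject=http://www.sunsetpres.org/cgi-local/formmail.cgi&body=JupZ&email=iuj@aol.com HTTP/1.1" 404 228 "-" ' + UA,
    # Invented: placeholder scanner IP and recipient, script present (200).
    '10.1.2.3 - - [31/Mar/2002:11:15:00 -0800] "GET /cgi-bin/formmail.pl?recipient=x@example.com&subject=http://www.example.com/cgi-bin/formmail.pl&body=JupZ&email=abc@aol.com HTTP/1.1" 200 2104 "-" ' + UA,
    # Invented: ordinary request that must not be flagged.
    '10.0.0.5 - - [31/Mar/2002:09:05:10 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    for (ip, rcpt), info in summarize(find_probes(SAMPLE_LOG)).items():
        print(f"{ip} -> {rcpt}: {info['count']} probes, "
              f"complete={info['complete']}, live hits={info['hits']}")
```

Run it against a real access_log with `find_probes(open("access_log"))`. A 404 on all four paths means the scanner found nothing; a 200 means the probe reached a live script, and whether a mail actually went out to the recipient depends on the script's own recipient checks, which is what the update and rename in the reply are about.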