Re: [cobalt-users] Formmail.pl Program
- Subject: Re: [cobalt-users] Formmail.pl Program
- From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
- Date: Mon Mar 12 23:04:39 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>There is a script going around that uses Matt Wright's formmail.pl program to
>send SPAM. The script forges the valid referer variable and then sends
>several SPAM emails per second. I just got hit by thousands of bounced
>messages. :(
>
>An easy fix is to hard code the recipient variable at the beginning of the
>program. Then change one or two subroutines to process your new variable
>instead of the info contained in the HTML form. Email me if you have any
>questions.
More information:
The script appears as a User-Agent of 'Microsoft URL Control' - which I'm ASSUMING is some kind of Active-X thing - I'm not up on anything MicroShaft.
I don't think you're right in the forging of the referer - it uses a call to formmail.pl which has an ENV_REPORT call in it - and this seems to totally IGNORE the entries in @referers.
ROUGH Details of the exploit can be found at:
http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_information.html
The people using it have altered the exploit to send a complete email, with a subject and contents all nicely packaged, coming from your raq server.
We got hit by this sending email spam advertising a homosexual porn site.
We traced the IPs to UUNet and PSI.NET and reported them to their abuse teams over the weekend, but it seems that apart from the auto-responder, we've got nothing back - if anyone has a phone number of someone of any importance in psi.net, I'd like it please!
You should look in the access file (/home/log/httpd/access) for calls to formmail.pl, split out the IP and sort them, then uniq -c them to a file - save the access file now for possible claims against the originating network and contact their abuse team immediately.
hth
Greg
>-Mike
--
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
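
The log triage described in the message above (save the access file, pull out the client IPs of formmail.pl requests, count them), as an added example that is not part of the original post. It assumes Apache combined log format; the function names, the sample log lines and the documentation-range IPs are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally formmail.pl requests per client IP from an access log.
# Assumption: combined log format, so splitting a line on '"' gives
#   $1 = 'IP - - [date] ', $2 = request line, $6 = User-Agent.

# formmail_hits LOGFILE [AGENT_SUBSTRING]
# Prints "count ip" lines, busiest client first. With AGENT_SUBSTRING, only
# requests whose User-Agent contains that string are counted.
formmail_hits() {
    awk -F'"' -v ua="${2:-}" '
        # Match on the request line only, so a Referer that merely
        # mentions formmail.pl is not counted as a call to the script.
        tolower($2) ~ /formmail\.pl/ && (ua == "" || index($6, ua) > 0) {
            split($1, pre, " ")      # pre[1] is the client IP
            print pre[1]
        }' "$1" | sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# preserve_log LOGFILE DEST
# Keeps an untouched copy (timestamps preserved) before the log rotates,
# and confirms the copy is byte-identical.
preserve_log() {
    cp -p "$1" "$2" && cmp -s "$1" "$2"
}

# Constructed sample log, not real traffic.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE.saved"' EXIT
cat > "$SAMPLE" <<'EOF'
192.0.2.10 - - [10/Mar/2001:02:11:01 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
192.0.2.10 - - [10/Mar/2001:02:11:01 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
192.0.2.10 - - [10/Mar/2001:02:11:02 -0700] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
198.51.100.7 - - [10/Mar/2001:02:15:40 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
198.51.100.7 - - [10/Mar/2001:02:15:41 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
203.0.113.5 - - [10/Mar/2001:09:30:12 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 498 "http://www.example.com/contact.html" "Mozilla/4.0"
203.0.113.5 - - [10/Mar/2001:09:30:13 -0700] "GET /thanks.html HTTP/1.0" 200 300 "http://www.example.com/cgi-bin/formmail.pl" "Mozilla/4.0"
EOF

preserve_log "$SAMPLE" "$SAMPLE.saved"
echo "All formmail.pl callers:"
formmail_hits "$SAMPLE"
echo "Callers with the 'Microsoft URL Control' User-Agent:"
formmail_hits "$SAMPLE" "Microsoft URL Control"
```

On a real server, pass the path of the access log in place of the sample file and redirect the output to a file to send with the abuse report.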