RE: Help with hijacked sendmail

From: Moeller, Arno (am@bogs.de)
Date: 09/25/01


Message-ID: <805176E0B926D5119CEC0080C894243708F60D@yes.bogs.mit>
From: "Moeller, Arno" <am@bogs.de>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
Subject: RE: Help with hijacked sendmail
Date: Tue, 25 Sep 2001 10:09:03 +0200

Hello,

> I noticed some odd behavior going on in my maillog file. I've checked my
> sendmail configuration and have no idea how to get this behavior to stop. I
> don't see anything out of the ordinary in any other log. For now, sendmail
> is stopped. I don't even know what to try or where to examine next. Any
> suggestions are appreciated. This is what I see in the log and there are a
> lot of them. (Email addresses have been altered to protect the innocent)

I've seen this before... My guess is that this machine is also
running a web server, since the mails are sent by the user
nobody@localhost, and this web server is also hosting the
formmail.pl script. If someone knows the exact location of the
formmail script, any mail can be sent to anyone by using a well-
crafted URL. I'm not sure whether to go into more detail here,
since there may be some spammers who do not know how to accomplish
this.

If I'm right, my advice is to go through your web server logs and
look for the corresponding formmail entries. If you find them, it is
not your sendmail that has been "hijacked", but your formmail script.

I've patched formmail in the following way to prevent this from
happening and to log the spamming attempts:

    # Determine the form's REQUEST_METHOD (GET or POST) and split the form   #
    # fields up into their name-value pairs. If the REQUEST_METHOD was       #
    # not GET or POST, send an error.                                        #
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        # Patched: GET requests are no longer processed at all. Record the
        # attempt and refuse it, so a crafted URL cannot make the script
        # send mail. (/tmp is world-writable, so a local user could plant
        # a file or symlink there first; a directory writable only by the
        # web server user is the safer place for this log.)
        if (open(my $log, '>>', '/tmp/spamlog')) {
            print $log "Date: " . scalar(localtime) . "\n";
            print $log "At Server: " . $ENV{'SERVER_NAME'} . "\n";
            print $log "From IP: " . $ENV{'REMOTE_ADDR'} . "\n";
            print $log "QUERY-STRING: " . $ENV{'QUERY_STRING'} . "\n\n";
            close($log);
        }
        print "Content-type: text/html\n\n";
        print "<html>\n <head>\n";
        print "</head><body>";
        print "Method GET is not allowed! <br>";
        print "Your IP is logged due to possible SPAM! <br>";
        print "</body></html>";

        exit;
    }
    # The original POST branch of formmail.pl follows here unchanged.

Please note that after patching formmail this way, any website using
formmail with the GET method will not work anymore.

Best regards,

Arno Moeller
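
The log review suggested above, as an added example that is not part of the original post: a Python scan over constructed Apache combined-format access log lines that picks out requests to formmail.pl, pulls the recipient parameter out of GET query strings, flags recipients outside the site's own domains, and counts offenders per source IP. The allow-list LOCAL_DOMAINS, the sample addresses and IPs, and the assumption that the script is reached as formmail.pl or formmail.cgi are all assumptions made for the example.

```python
"""Scan an Apache-style access log for abuse of formmail.pl.

Added example, not code from the original post. It assumes the Apache
"combined" log format, the classic formmail.pl parameter name
"recipient" (comma-separated addresses allowed), and that the site's
own forms only deliver to LOCAL_DOMAINS. The sample log is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2001:09:58:01 +0200] "GET /cgi-bin/formmail.pl?recipient=victim1@example.net&subject=hi&email=x@y.com HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Sep/2001:09:58:02 +0200] "GET /cgi-bin/formmail.pl?recipient=victim2%40example.org&subject=hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [25/Sep/2001:10:01:15 +0200] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 480 "http://www.example.com/contact.html" "Mozilla/4.0"
198.51.100.21 - - [25/Sep/2001:10:02:40 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Sep/2001:09:58:03 +0200] "GET /cgi-bin/FormMail.pl?recipient=victim3@example.net,victim4@example.net HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Domains your own forms are meant to deliver to (assumption for the example).
LOCAL_DOMAINS = {"example.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_formmail(target):
    """True when the request path is the FormMail script (case-insensitive)."""
    path = urlsplit(target).path.lower()
    return path.endswith("/formmail.pl") or path.endswith("/formmail.cgi")


def recipients_from(target):
    """Recipient addresses from a GET query string; parse_qs URL-decodes them."""
    rcpts = []
    for value in parse_qs(urlsplit(target).query).get("recipient", []):
        rcpts.extend(a.strip() for a in value.split(",") if a.strip())
    return rcpts


def foreign(addrs, local_domains):
    """Addresses whose domain part is not one of ours."""
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in local_domains]


def scan(text, local_domains=LOCAL_DOMAINS):
    """Return (ip, kind, recipients) findings for every FormMail request in the log."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_formmail(rec["target"]):
            continue
        if rec["method"] == "GET":
            bad = foreign(recipients_from(rec["target"]), local_domains)
            if bad:
                findings.append((rec["ip"], "GET to foreign recipient", bad))
        elif rec["method"] == "POST":
            # The recipient travels in the body, which the access log does not
            # record; the line is still worth a look, so report it separately.
            findings.append((rec["ip"], "POST (recipient not in access log)", []))
    return findings


def top_sources(findings):
    """Count GET abuse per source IP so the worst offenders can be blocked first."""
    return Counter(ip for ip, kind, _ in findings if kind.startswith("GET"))


if __name__ == "__main__":
    for ip, kind, rcpts in scan(SAMPLE_LOG):
        print(f"{ip:15} {kind:35} {', '.join(rcpts)}")
    print(top_sources(scan(SAMPLE_LOG)))
```

Only GET abuse is fully visible this way, because the access log records the query string but not a POST body; POST lines are reported separately so they can be matched by timestamp against the maillog entries from user nobody, which is where the recipients of those requests show up.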
