HNS MAIN FEED
Thursday, 03:23 EDT
- Security for Android applications
- Infiltrated SpyEye C&C server provides glimpse into botnet activity
- Gmail phishing campaign is under way
- Virtualization for Security
- Trend Micro launches Titanium 2011 security software
- NSA Director says citizens' privacy will never be compromised
- International variations in online threat perception
- The emotional impact of cybercrime
- Safari 5.0.2 addresses three vulnerabilities
- How black hat spam SEO works
- Firefox 3.6.9 fixes numerous security issues
- Facebook survey spam worm spreads like fire
Unix Security: The FormMail Hack
Is your Web server being used as a Spam Mail relay? It could be, and it doesn't even need a daemon listening on the SMTP port. How's it done, and how do you prevent your system from becoming a target?
Last year while monitoring our SMTP stats, I noticed an unusual amount of input traffic to our Webserver. Curiosity got the best of me, so I started looking at the Web logs only to find thousands of attacks targeted at a Perl script known as FormMail.pl. A short time later, I started getting thousands of bounced email and complaints from hundreds of people blaming me for acting as a Spam relay. I questioned how this could be, as my Web server wasn't even listening on the SMTP port… or so I thought.
The FormMail.pl Hack
A Spam hack many administrators are still not aware of, takes advantage of a well-known perl script called FormMail.pl, used for processing Web-based forms. Originally written by Matt Wright, the popular version 1.6 allows an attacker to send a malicious URL to the Web Server thus accessing the mail binary and turning your otherwise harmless machine into a spam Mail relay. Millions of Web servers around the world still use version 1.6, despite the release of newer more secure replacements.
Until recently, FormMail.pl was considered reasonably safe due to the implementation of "Referrers" that [only] allowed access based on a specific ruleset of allowable domains and IP's.
# Config code
# @referers allows forms to be located only on servers
# which are defined in this field. This security fix
# from the last version which allowed anyone on any
# server to use your FormMail script on their web site.
@referrers=('net-security.org', 'another_domain.com');
A single machine could handle several thousand referrers at a time including Virtual Hosts. The script however, wasn't entirely perfect; not that it didn't work, but it was very easy to hack.
Detecting the Hack
The worst part of this exploit is the administrator usually won't suspect anything's wrong until he starts receiving mail informing him about his so-called Open Relay - that is, if he bothers to read it.
1 | 2 | 3 | Next page >>
- Behind the scenes and inside workings of a CERT
- Malware detection with Neptune
- Corporate espionage for dummies: HP scanners
- A closer look at GFI Backup 2010 Business Edition
- Network security challenges faced by universities
