Latest news
Unix Security: The FormMail Hack
by Glenn Graham - inTEXT Communications - Monday, 9 June 2003.
The theory behind the hack is simple: The attacker sends a string to the web server, fools the server into processing the data, and relays via the internal mailer in a similar manner a regular form would be processed. Afterward, a mile long trail is usually left in the apache server log.
Here's a typical example of a logfile after an attack:
The string is obvious in its form. First the attacker sends the header with a "GET" to the path of FormMail, followed by his bogus return address, followed by the subject line, followed by the message that links you to a Web site, and finally a list of recipients at (in this case) aol.com. The server then writes code 200, indicating the transfer was successful along with an easily identifiable IP trail.
How do they find you and what do they do?
Attackers scan entire networks for hosts listening on port 80 with a "get" script that detects the presence of FormMail.pl. If you haven't already encountered this problem, it may be a good idea to rename the generic filename to something else, like ParseMail.pl or something not quite so obvious.
Once your host has "scanned positive", you are then added to a database for later reference. In most cases the Spam process [itself] runs in stealth mode, this is to say two databases are used simultaneously and in random order: First the database containing the hostnames is processed at random, along with the addresses in the email database. This helps spread traffic over thousands of hosts at a time while ignoring a small percentage that may block the spam.
My First Ideas for a Temporary Fix
During the attack, our server was handling approx 2000 Spam-Mail per minute; time was of the essence in stopping the attack.
1: After determining the primary source(s), I dropped the IP blocks using the route command. Next I was faced with the problem of determining how my users would access their Web forms while keeping the spammers away. With little time to spare, I immediately loaded another web server that listened on another port rather than 80. I then changed each users form to match the temporary server and port number. This quickly segregated the web server from relaying. In addition I renamed FormMail.pl just to confuse any automated scanners.
See the code here.
2: After reading the security groups and consulting with other admins, one bright fellow came up with a simple fix that altered the check_referrer integer, preventing long line input. Although brilliant, not an end all solution.
See the code here.
Updates and New Releases
Since news of the FormMail hack, Matt has published several new releases. According to recent information published on his site, FormMail.pl has undergone yet another upgrade that fixes several more holes. It is my opinion that FormMail.pl has a way to go before being considered secure.
Here's a typical example of a logfile after an attack:
198.139.155.7 - - [20/Mar/2002:18:43:57 -0700]
"HEAD / HTTP/1.1" 200 0calnet21-109.gtecablemodem.com - -
[20/Mar/2002:18:45:56 -0700]
"GET /cgi-bin/FormMail.pl?email=bigpenis@aol.com&subject=
Are%20You%20happy%20with%20yourself?&message=Are%20you%20
happy%20with%20your%20penis%20size?%20Click%20the%20
link%20below%20to%20learn%20how%0to%20increase%20
your%20size.
Click%20Here
&recipient=Cs0009@aol.com,Gotatude2@aol.com,
Luv%20Kiyomi@aol.com,WhtKnigt73@aol.com,
Bernie3456@aol.com,KasumiShadowKiy@aol.com,
Morrellsthug87@aol.com, HTTP/1.1"
200 538
The string is obvious in its form. First the attacker sends the header with a "GET" to the path of FormMail, followed by his bogus return address, followed by the subject line, followed by the message that links you to a Web site, and finally a list of recipients at (in this case) aol.com. The server then writes code 200, indicating the transfer was successful along with an easily identifiable IP trail.
How do they find you and what do they do?
Attackers scan entire networks for hosts listening on port 80 with a "get" script that detects the presence of FormMail.pl. If you haven't already encountered this problem, it may be a good idea to rename the generic filename to something else, like ParseMail.pl or something not quite so obvious.
Once your host has "scanned positive", you are then added to a database for later reference. In most cases the Spam process [itself] runs in stealth mode, this is to say two databases are used simultaneously and in random order: First the database containing the hostnames is processed at random, along with the addresses in the email database. This helps spread traffic over thousands of hosts at a time while ignoring a small percentage that may block the spam.
My First Ideas for a Temporary Fix
During the attack, our server was handling approx 2000 Spam-Mail per minute; time was of the essence in stopping the attack.
1: After determining the primary source(s), I dropped the IP blocks using the route command. Next I was faced with the problem of determining how my users would access their Web forms while keeping the spammers away. With little time to spare, I immediately loaded another web server that listened on another port rather than 80. I then changed each users form to match the temporary server and port number. This quickly segregated the web server from relaying. In addition I renamed FormMail.pl just to confuse any automated scanners.
See the code here.
2: After reading the security groups and consulting with other admins, one bright fellow came up with a simple fix that altered the check_referrer integer, preventing long line input. Although brilliant, not an end all solution.
See the code here.
Updates and New Releases
Since news of the FormMail hack, Matt has published several new releases. According to recent information published on his site, FormMail.pl has undergone yet another upgrade that fixes several more holes. It is my opinion that FormMail.pl has a way to go before being considered secure.
Spotlight
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
To hack back or not to hack back?
Posted on 12 June 2013. | If you think of cyberspace as a new resource for you and your organization, it makes sense to protect your part of it as best you can. But is it a good idea?
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
