Probed for formmail.pl

I checked my error_log of my perlmonk website the other day, and saw a most curious error.

script not found or unable to stat: /home/grinder/public_html/cgi-bin/formmail.pl

That, if I'm not mistaken, is the tell-tale signature of someone sniffing for one of Matt's broken scripts. I then went through the access_logs to find out just what went on.

GET /cgi-bin/formmail.pl?recipient=sexbuggyblue@aol.com, &subject=patty? &email=dice72934@aol.com &=http://grinder.perlmonk.org/cgi-bin/formmail.pl

Curiouser and curiouser. Now, I know nothing of formmail.pl, but I do know RFCs 1945 and 2616, and to me the above URL looks simply incorrect. The two question marks (the second should be URI-encoded), the "&=", the comma following the email name. Whatever.

The referer (sic) agent is listed as Microsoft URL Control - 6.00.8862, but that doesn't mean much.

The IP address was logged too, of course. Some peanut on a dialup in Daytona Beach in Florida. But that's also neither here nor there.

My first reaction was to write a dummy formmail.pl (ugh, that extension) that simply pointed the person to davorg's nms project. But then I realised that this was some skript kiddie, who doesn't care about well written software, they want to exploit poorly written software, so there wasn't any point.

Now I'm toying with the idea of writing a honey-pot; a formmail.pl that appears to accept arguments, appears to send the mail, but doesn't actually do anything. But that's probably not ethically correct, because if the person gets pissed, they may just decide to trash jcwren's web-hosing service. Maybe on my own hardware perhaps.

So now I'm in a quandary. It's not, of course, something I'll lose sleep over, but I'm wondering, what would you do?

`g r i n d e r`

Comment on Probed for formmail.pl

Replies are listed 'Best First'.
(ichimunki) Re: Probed for formmail.pl by ichimunki (Priest) on Nov 23, 2001 at 06:56 UTC
Since the more recent versions of formmail.pl are mostly useful to spammers looking to mask their identity, you might notify the ISP of origin. If they get enough complaints this will be one of a series of pulled accounts for the spammer. Other than that, the best thing to do is let this go to 404, why waste your time and bandwidth on trying to fight it? The only way to actually win such a fight would be to root their box and cause them misery-- but since that's illegal (even in self-defense) I strongly recommend against it. So here's what I'd do: submit a polite report to abuse@ISP.com and shrug it off-- I suppose I'd archive that portion of the logs, too. Just like I would for any other suspicious set of error messages.	[reply]
Fighting it by Kickstart (Pilgrim) on Nov 24, 2001 at 05:51 UTC
Actually, you do good by reporting it to their ISP. Sure, he's not going to get busted for checking for vulnerabilities on websites...life isn't that easy. But...if you and 30 other people mention that this guy did this, the ISP is definitely going to take note of it, and maybe give the script kiddie (or his parents) a call to find out what's happening. On the other hand, if you do nothing, he'll get bored of it and either decide playing Half-life is more fun, or start looking at scanners and rootkits. Personally, as a working sysadmin, I'd hope that people would give a little effort and scare him a little before he does something that's going to get him in serious trouble or even jail down the road. If you do nothing, nothing gets better. Complacency is the bane of security, both in securing your own systems and in making the net a better place to be. Kickstart	[reply]
Re: Probed for formmail.pl by arhuman (Vicar) on Nov 23, 2001 at 14:41 UTC
Honeypots are definitly a good idea ! It's a good first line defense (catching the probes/attacks on fake SAFE services) It's very informative, you can even learn from script kiddies sometimes <extremist mode> It's sometimes good to respond to trasher, see it as an "educative task" </extremist mode> ;-) Although I would suggest you to avoid setting those kind of things on someone else's box. Now, to answer to your last question : GO ! Honeypots are fun stuff to play with for anybody interested in security. I'm planning to setup one as soon as I manage to get a permanent Net access. Furthermore, if you do it, I'll be very interesting to read your posts/msg about what interesting stuff you found in your logs, what problem you faced, trick your learns... "Only Bad Coders Code Badly In Perl" (OBC2BIP)	[reply]
Re: Probed for formmail.pl by Chrisf (Friar) on Nov 23, 2001 at 10:57 UTC
Just looks like another less than nice request (probably just trying to spam through). I don't think setting up a honeypot or anything of that sort is at all worthwhile. Personally I wouldn't waste any time on it, just move on to reading the ever exciting 1000+ attempts from various worms ;-) On a related note, I know there has been much discussion about Matt's scripts and their poor security (amoung other flaws) but I haven't seen any specific examples of how these could be exploited. Can anyone elaborate on what exactly could be done, or are the security problems purely theoretical? Update: Upon re-reading this, I can see how this post could be misinterpreted. Just to clarify, I'm looking for a general description of where the security problems arise, not specific code to exploit it. Is it anything more than validating the referrer and turning on taint checking couldn't fix?	[reply]
(ichimunki) Re x 2: Probed for formmail.pl by ichimunki (Priest) on Nov 23, 2001 at 19:20 UTC
I can speak only to more recent versions of formmail.pl which, as written, can trivially be caused to fail. Any point of failure is a likely vulnerability-- but none that I could specifically find when I looked at formmail.pl (and none that anyone here in several discussions has been willing to state out loud-- even just saying something like "it has a null string problem" or "there is a buffer overflow issue"). My conclusion (which is not that of a known security expert, or even adept cracker) is that the current version is undesirable for many reasons, the main one being its likelihood to fail. The last version, however, your CGI script was essentially an open mail relay, since the form submitted by the user was trusted to contain the correct email address to which to send the email. Most recent discussion on securityfocus.com of a formmail exploit -- again, this exploit does not work against the newest version of formmail.pl. But back to the original question there does appear to be a tool which checks for potential vulnerabilities like having formmail installed. sample log from a survey by that tool posted at securityfocus.com. Note that the tool is checking for all sorts of misconfigurations and scripts known to have (or have had) vulnerabilities.I link to that discussion not because I think it is ethical to use such tools on remote systems under any circumstances (i.e. no matter the legality, I feel this sort of thing is akin to walking through neighborhoods checking for unlocked doors-- just don't do it), but because the logs posted are educational with respect to many potential vulnerabilities any of us doing web work might encounter.	[reply]
Re: Re: Probed for formmail.pl by jepri (Parson) on Nov 23, 2001 at 12:06 UTC
Yes, the vulnerbility is real. No, we aren't going to write it down here. If you are really interested, set the script up on your own machine and see how hard it is to break. ____________________ Jeremy I didn't believe in evil until I dated it.	[reply]
(ichimunki) Re x 2: Probed for formmail.pl by ichimunki (Priest) on Nov 24, 2001 at 21:00 UTC
I forgot to address part of your question, and wanted to make sure I did. First, you can't validate the referer field. It is set by the client and could easily be forged to the correct value. Taint checking is not a cure-all. It won't keep your program from doing insecure things if your program is designed to do insecure things (like acting as an open relay). It will keep you from accidentally sending user data to the shell or a system process where it can cause a lot of damage-- but it is limited by the logic you use to detaint input. If formmail.pl were truly an open gate to rooting a box, then why hasn't it been done on a large scale? The script is everywhere on low-cost hosting services, and has been around a while. We'd forget all about IIS and Outlook for a while, I'd think...	[reply]
Re: Probed for formmail.pl by mortis (Pilgrim) on Nov 26, 2001 at 19:52 UTC
A team I worked with had to deal with the issue of our form mailer being used for spam. We took the approach of md5 summing the addresses in the HTML page with some data only known on the web server and verifying the md5 sum of the to address when the form was posted. This allowed the HTML authors to use whatever to addresses they wanted to, and us to only maintain a single form mailer CGI. The mailer warns you about potential exploit attempts, and provided us with some interesting results. If anyone is interested, code based on the techniques from the earlier work is available here: http://www.bgw.org/projects/perl/mailer.cgi.txt Kyle	[reply]
Re: Probed for formmail.pl by BrentDax (Hermit) on Nov 28, 2001 at 10:44 UTC
One fun possibility is to have the script tie the person's request up--say, printing spaces out once a second for an hour. =cut --Brent Dax There is no sig.	[reply]


Syntactic Confectionery Delight
	PerlMonks