Nicholas Posted October 28, 2003 Posted October 28, 2003 Unix Security: The FormMail Hack Is your Web server being used as a Spam Mail relay? It could be, and it doesn't even need a daemon listening on the SMTP port. How's it done, and how do you prevent your system from becoming a target? Last year while monitoring our SMTP stats, I noticed an unusual amount of input traffic to our Webserver. Curiosity got the best of me, so I started looking at the Web logs only to find thousands of attacks targeted at a Perl script known as FormMail.pl. A short time later, I started getting thousands of bounced email and complaints from hundreds of people blaming me for acting as a Spam relay. I questioned how this could be, as my Web server wasn't even listening on the SMTP port… or so I thought. The FormMail.pl Hack A Spam hack many administrators are still not aware of, takes advantage of a well-known perl script called FormMail.pl, used for processing Web-based forms. Originally written by Matt Wright, the popular version 1.6 allows an attacker to send a malicious URL to the Web Server thus accessing the mail binary and turning your otherwise harmless machine into a spam Mail relay. Millions of Web servers around the world still use version 1.6, despite the release of newer more secure replacements. Until recently, FormMail.pl was considered reasonably safe due to the implementation of "Referrers" that [only] allowed access based on a specific ruleset of allowable domains and IP's. # Config code # @referers allows forms to be located only on servers # which are defined in this field. This security fix # from the last version which allowed anyone on any # server to use your FormMail script on their web site. @referrers=('net-security.org', 'another_domain.com'); A single machine could handle several thousand referrers at a time including Virtual Hosts. The script however, wasn't entirely perfect; not that it didn't work, but it was very easy to hack. Detecting the Hack The worst part of this exploit is the administrator usually won't suspect anything's wrong until he starts receiving mail informing him about his so-called Open Relay - that is, if he bothers to read it. The theory behind the hack is simple: The attacker sends a string to the web server, fools the server into processing the data, and relays via the internal mailer in a similar manner a regular form would be processed. Afterward, a mile long trail is usually left in the apache server log. Here's a typical example of a logfile after an attack: 198.139.155.7 - - [20/Mar/2002:18:43:57 -0700] "HEAD / HTTP/1.1" 200 0calnet21-109.gtecablemodem.com - - [20/Mar/2002:18:45:56 -0700] "GET /cgi-bin/FormMail.pl?email=bigpenis@aol.com&subject= Are%20You%20happy%20with%20yourself?&message=Are%20you%20 happy%20with%20your%20penis%20size?%20Click%20the%20 link%20below%20to%20learn%20how%0to%20increase%20 your%20size. Click%20Here &recipient=Cs0009@aol.com,Gotatude2@aol.com, Luv%20Kiyomi@aol.com,WhtKnigt73@aol.com, Bernie3456@aol.com,KasumiShadowKiy@aol.com, Morrellsthug87@aol.com, HTTP/1.1" 200 538 The string is obvious in its form. First the attacker sends the header with a "GET" to the path of FormMail, followed by his bogus return address, followed by the subject line, followed by the message that links you to a Web site, and finally a list of recipients at (in this case) aol.com. The server then writes code 200, indicating the transfer was successful along with an easily identifiable IP trail. How do they find you and what do they do? Attackers scan entire networks for hosts listening on port 80 with a "get" script that detects the presence of FormMail.pl. If you haven't already encountered this problem, it may be a good idea to rename the generic filename to something else, like ParseMail.pl or something not quite so obvious. Once your host has "scanned positive", you are then added to a database for later reference. In most cases the Spam process [itself] runs in stealth mode, this is to say two databases are used simultaneously and in random order: First the database containing the hostnames is processed at random, along with the addresses in the email database. This helps spread traffic over thousands of hosts at a time while ignoring a small percentage that may block the spam. Quote
terbear0007 Posted October 28, 2003 Posted October 28, 2003 Hello Nicholas, Rock Sign Thanks loads, for putting this up so we can learn from it. As you know, this happened to me and my site was shut down immediately. Thanks to Bill Kish, and others, the time was taken to go through my files and scripts and the "offending" script was removed. Again...I can't thank you enough! My site is back up and running beautifully again! I can't tell you how frustrating it is to have your site down due to someone spamming via a script in one of your folders! It's kind of like having somone break into your home. It really makes you appreciate decent people while heightening your distaste for those who would, without regard, jeopardize anyone. Not only do they not care if they have your website removed, they don't care if the hosting service is taken down too. For this reason, I sincerely urge you take the advice given and check to see if you could be next. And, Bill...don't think I don't realize that a web hosting service could be banned from operating due to not taking care of a website's spamming. Thank you for taking the time to evaluate the situation before completely banning my site. Can't say enough about Total Choice Hosting!! KUDOS!!! Terry Whitehead Decorativeartsbyjep.com Quote
stevevan Posted October 30, 2003 Posted October 30, 2003 I had my suspicions how this worked, but now we all know for sure. Great thread! Quote
terbear0007 Posted October 31, 2003 Posted October 31, 2003 Hello Nicholas, Since we have removed the bad script from my folder, I now have to find one which would replace the one I had so that people can sign up for our newsletter. I have gotten rather paranoid. Is there a php script that you know would not be able to be "compromised" that I could use? Thanks for any help. Terry Decorativeartsbyjep.com Quote
TCH-Andy Posted October 31, 2003 Posted October 31, 2003 Terry, Have a look at The Ultimate PHP Form Mail Script Andy Quote
terbear0007 Posted November 1, 2003 Posted November 1, 2003 Thanks Andy, I am working on it now. I'm not a "pro" at php, but I think I'll get it. It looks like a great script. Appreciate the help. Terry Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.