2002511

	CGI formmail
advICE :Intrusions : 2002511

FAQ

Oh my gosh, I'm being HACKED!!!

How do I report the hacker to my ISP?

I'm seeing lots of attacks, is this normal?

Summary
An attempt to execute formmail, which is a program with known vulnerabilities.

Details
The intruder is scanning the web server on the system looking for potential vulnerabilities in the "dynamic content generation" portion of the web server. This feature of the web server runs a separate program to create web pages when users access the site.
There are hundreds of such programs that have security bugs in them. In this instance, a hacker is browsing the web server looking for one of these programs. Most of the hacking you read about in the news is due to hackers exploiting these programs and "defacing" the web site.
More information can be found under cgi-bin exploits.
Defense
If this script is visible to the outside world, you should remove it from the directory.
Remove all dynamic content that isn't absolutely necessary to run the web site. Double-check the scripts that you do use in order to verify that they won't permit a security breach.

more information

BugtraqID: 1187 Matt Wright FormMail Environmental Variables Disclosure Vulnerability
BugtraqID: 1091 NBase-Xyplex EdgeBlaster DoS Vulnerability: This product crashes when scanned for FormMail by CyberCop Scanner.
FormMail homepage
CVE-2000-0411 FormMail CGI script allows remote attackers to obtain environment via the env_report parameter.
CVE-1999-0172 FormMail CGI program allows remote execution of commands.
CVE-1999-0173 FormMail can be used by web servers other than the host server that the program resides on.

parametric information

URL The suspicious URL.

accessed Indicates whether the URL was successfully accessed.

code The HTTP return code.

arg The argument to the GET command (if any).

 
Version appeared:

CGI formmail