Update (April 20, 2006):
Over a hundred new IPs have been added to the list. One of the new tactics is for a banned IP to repeatedly use a single script or to randomly try to open pages (which produces a 404 error in the error logs). Since this almost mimics a search engine or a legitimate user, unblocking seems in order. Once unblocked, these IPs make a quick run for the old funform.cgi or the former guestbook.cgi scripts.
Update (December 2, 2005):
Being highly curious, the developer team unblocked five of the Dangerous IPs listed below last week. In less than three minutes all had made multiple hits against the server, looking for the old funform.cgi script. Since IP blocking (and the newer locked-down scripts) work so well, the Dangerous IPs section may be updated from time to time. The updating will end when this story hits the Archive.
Update (November 26, 2005):
Obviously, going through every script on the site that uses formmail or SMTP and making sure they allow no user input into the header section of any potential mail helps, but everyone felt more aggressive control might be warranted.
Because the mail hackers kept playing with the new secure scripts, a list of their IPs was gathered. The new script logs the IP of the script user. In addition, error log reviews showed certain other odd patterns in which it appeared that people were attempting to inject odd data into other inputs of just about every script on the site. These oddities left an IP in the error logs to add to the list. The experts all said that IP blocking would have no effect, but the Pacoima Ranch web developers totally disagree. It really works quite well. The mail hackers simply go away once they realize your scripts are all locked down and that you are tracking and blocking their activities by IP.
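As an added example (not the Pacoima Ranch site's own script), a small log review in Python that does the screening described in the updates above: it scans Apache-style access log lines, flags any IP that requests the retired funform.cgi or guestbook.cgi paths, and separately flags any IP that piles up 404s, reporting both for block review. The log lines, IPs and paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Apache combined log format. The sample lines below are constructed for this
# example, not taken from the Pacoima Ranch server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Scripts retired from the site. Nothing links to them any more, so a
# request for one is a probe, not a stale bookmark.
RETIRED_SCRIPTS = ("/cgi-bin/funform.cgi", "/cgi-bin/guestbook.cgi")
NOT_FOUND_THRESHOLD = 5   # 404s from one IP before it is flagged for review


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_ips(lines, threshold=NOT_FOUND_THRESHOLD):
    """Return {ip: set(reasons)} for IPs worth reviewing for a block.

    'retired-script' is a strong signal by itself. '404-burst' is weak,
    since a crawler or a visitor with old bookmarks also piles up 404s,
    so it marks the IP for a human look rather than an automatic block.
    """
    not_found = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # unparseable line: skip, don't guess
            continue
        if rec["path"].split("?", 1)[0] in RETIRED_SCRIPTS:
            reasons[rec["ip"]].add("retired-script")
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
            if not_found[rec["ip"]] >= threshold:
                reasons[rec["ip"]].add("404-burst")
    return dict(reasons)


SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2005:15:22:06 -0400] "POST /cgi-bin/funform.cgi HTTP/1.1" 404 221 "-" "-"',
    '203.0.113.7 - - [15/Sep/2005:15:22:09 -0400] "POST /cgi-bin/funform.cgi HTTP/1.1" 404 221 "-" "-"',
    '198.51.100.9 - - [15/Sep/2005:15:30:01 -0400] "GET /news.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.44 - - [15/Sep/2005:16:00:{s:02d} -0400] "GET /p{s}.html HTTP/1.1" 404 221 "-" "Mozilla/4.0"'
    for s in range(6)
]
```

Run `score_ips` over a real access log one line at a time; the retired-script hits are the ones the story says come within minutes of unblocking.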
Dangerous IPs
-------------------------
Original story (September 16, 2005):
For years, Pacoima Ranch had managed to escape the attention of the server exploit crowd. That all changed this month. The News Letter had all its stories laid in and partially ready to go when a slew of server daemon messages started coming in about bounced mail for undeliverable addresses. As any good developer team would, they sought out the assistance of Google.
X-Persona: <Webmaster>
Return-path: <pacranch@um-232.shine-dns.net>
Envelope-to: webmaster@pacranch.com
Delivery-date: Thu, 15 Sep 2005 15:22:12 -0400
Received: from pacranch by um-232.shine-dns.net with local-bsmtp (Exim 4.44)
    id 1EFzJ8-0005JS-Qk
    for webmaster@pacranch.com; Thu, 15 Sep 2005 15:22:12 -0400
Received: from pacranch by um-232.shine-dns.net with local (Exim 4.44)
    id 1EFzJ8-0005JO-K3
    for webmaster@pacranch.com; Thu, 15 Sep 2005 15:22:06 -0400
To: webmaster@pacranch.com
From: webmaster@pacranch.com
Subject: Website Correspondence
Message-Id: <E1EFzJ8-0005JO-K3@um-232.shine-dns.net>
Date: Thu, 15 Sep 2005 15:22:06 -0400
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on um-232.shine-dns.net
X-Spam-Status: No, score=-5.9 required=5.0 tests=ALL_TRUSTED,BAYES_00,NO_REAL_NAME autolearn=ham version=3.0.4
X-Spam-Level:

message: pnlhzivl@pacranch.com
name: pnlhzivl@pacranch.com
Content-Type: multipart/mixed; boundary="===============0934077919=="
MIME-Version: 1.0
Subject: c0fafef2
To: pnlhzivl@pacranch.com
bcc: PeiCanteenMc@aol.com
From: pnlhzivl@pacranch.com

This is a multi-part message in MIME format.
--===============0934077919==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

yhsgbp
--===============0934077919==--
email: pnlhzivl@pacranch.com
REMOTE_ADDR: 210.0.200.2
HTTP_USER_AGENT:
DATE: +``````````
------15:22:6
2005-9-15
Above is a fairly typical internal bounce. It has a truly nonexistent and random address (pnlhzivl@pacranch.com) as the receiver. The domain name is for the server. More important is the bcc: line. In the dozens of bounces (internal and external) there is invariably a very real AOL mail address. Repeated attempts to get AOL to respond to this have fallen on deaf ears. The developer team has tested these AOL addresses and they do seem to be real. Their apparent purpose is to let the exploiter know whether a message can be sent. If they get a message, they then move in on the server and begin sending out thousands of spam messages.
Obviously, blocking them is very important. Failing to close such a hole in one's server security can get you on various mail blacklists. In a truly ironic twist, Pacoima Ranch Offices (pacranch.com) got blocked for incoming messages by AOL for a few days. They can block you, but don't hold your breath for a response of any kind over their users' illegal mail hacks; no one we researched has ever heard back from AOL.
The first thing to do is to carefully examine any CGI (.cgi), Perl (.pl), ASP or PHP script that can send mail. The most common problem scripts are Matt's FormMail (formmail.pl; formmail.cgi), BigNoseBird's FunForm (funform.pl; funform.cgi), and BigNoseBird's All_In_One (never used it, exact name of script uncertain). All of these have been around since the late '90s, and all are very popular. Most come in more than one name and are the base for virtually all but a few mailer scripts, whether in CGI (Perl), PHP, ASP, or ColdFusion.
Now here's the part that gets them all (and you) into trouble. They let the sender and the page code decide too much. Depending on which one of the above scripts is used (or yours is based on), the page code determines the subject, the to:, the cc:, the bcc:, and the from:. All a mail hacker has to do is inject an extra line here and there with malicious intent. Think spam with 500 addresses in comma-delimited format. And it's very easy to do: a sender can go at it straightforwardly with an embedded \n (the Unix line break) or any of several other methods. If your form mailer lets the sender determine the above referenced parts of the mail, you can (and will) get mail hacked.
Just shop around for a script that hardcodes the potentially risky parts into the server script rather than letting the sender supply them. The one selected to replace funform.cgi in Pacoima Ranch pages was the form2email.cgi script. It leaves nothing exposed for potential spammers to mail hack.
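The hardening the two paragraphs above describe, as an added Python example (not form2email.cgi or any of the scripts named on this page): every header is either fixed in the script or a single validated address, a name or email field that carries a carriage return or line feed is rejected outright, and free text only ever reaches the body. The two addresses are constructed placeholders.

```python
import re
from email.message import EmailMessage

# Recipient and sender are fixed here, never taken from the form or the page
# code. Both addresses are constructed placeholders for this example.
MAIL_TO = "webmaster@example.com"
MAIL_FROM = "webform@example.com"

_CRLF = re.compile(r"[\r\n]")   # a CR or LF inside a header value starts a new header
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def header_safe(value, max_len=200):
    """Return the stripped value if it may go in a header, else None."""
    if value is None or _CRLF.search(value) or len(value) > max_len:
        return None
    return value.strip()


def build_message(form):
    """Build the outbound mail from a submitted form (dict of field -> str).

    Returns an EmailMessage, or None when name or email carries header
    syntax. Every header is either hardcoded or a single validated address,
    so an injected 'bcc:' line can only ever land in the body text.
    """
    name = header_safe(form.get("name", ""))
    email = header_safe(form.get("email", ""))
    if name is None or email is None or not _ADDR.match(email):
        return None
    msg = EmailMessage()
    msg["To"] = MAIL_TO
    msg["From"] = MAIL_FROM
    msg["Subject"] = "Website Correspondence"   # fixed, not read from the form
    msg["Reply-To"] = email                     # the one user-derived header
    # Free text goes into the body only; newlines are harmless there.
    msg.set_content(f"name: {name}\nemail: {email}\n\n{form.get('message', '')}")
    return msg
```

The CGI wrapper that reads the form and hands `msg` to the local mailer is left out; the point is that nothing the sender submits can become a header.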
As regards the rumors that the current mail hack is actually a nuisance virus, it definitely has that look to it. It tries three times to mail hack a server before giving up, then returns about once every twelve hours thereafter. It is strongly suspected by most people looking at this problem, though, that the virus is letting certain spammers with bcc:'s at AOL know which servers have secure scripts and which do not.