Attempt at cgi mail exploit
Jason Stephenson
jason at sigio.com
Wed Aug 31 22:56:02 EDT 2005
The funny thing, to me, is that I see stuff like this in my mail logs
all the time, both at my day job and at home:
2005-08-30 00:20:36 SMTP protocol violation: synchronization error
(input sent without waiting for greeting): rejected connection from
H=[81.12.246.11] input="POST / HTTP/1.0\r\nContent-Type:
text/plain\r\nContent-Length: 833\r\n\r\nRSET\r\nHELO sightz.com\r\nMAIL
FROM:<account at server>\r\nRCPT TO:<account at server>"
(I changed the email addresses to protect the [not so] innocent.)
Apparently, someone learned to program HTTP and figures everything is a
web server....Not so clever hackers. (And, yes, that is coming in on port
25.)
BTW, trying to exploit cgi mail programs is an old trick. I've seen
failed attempts at posting to common cgi mail programs on my server for
ages. What's funny is that I use my own, custom contact form and cgi
(written in C, no less). It only sends email to me, and it requires that
all fields be filled out. The reason it's funny is that I've taken the
name of a common cgi mail program, swapped the first and second
syllables of the name, and removed the file extension (which is
meaningless on *NIX anyway). Of course, no one has ever used it to send
me mail, except for myself during testing. :(
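
Added example, not part of the original post: a small Python log filter that picks out rejections of the kind quoted above and separates HTTP requests carrying SMTP commands from plain HTTP requests and from ordinary early-talking SMTP clients. It assumes each rejection is a single log line (the mail client wrapped the one in the post); the sample lines, the category names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the rejection quoted above; hosts
# and addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = r'''
2005-08-30 00:20:36 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="POST / HTTP/1.0\r\nContent-Type: text/plain\r\nContent-Length: 833\r\n\r\nRSET\r\nHELO example.com\r\nMAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.com>"
2005-08-30 00:21:02 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="GET / HTTP/1.1\r\nHost: mail.example.org\r\n\r\n"
2005-08-30 00:25:40 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="HELO example.net\r\nMAIL FROM:<c@example.net>\r\n"
2005-08-30 00:26:11 1EAbCd-0001Xy-2Z <= d@example.org H=mx.example.org [203.0.113.5] P=esmtp S=1204
'''.strip().splitlines()

SYNC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP protocol violation: '
    r'synchronization error \([^)]*\): rejected connection from '
    r'H=(?:\S+ )?\[(?P<ip>[^\]]+)\] input="(?P<input>.*)"$')
HTTP_RE = re.compile(r'^(?:GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/\d\.\d')
SMTP_VERBS = ("HELO", "EHLO", "MAIL FROM:", "RCPT TO:", "DATA", "RSET")

def classify(line):
    """Return a dict for a sync-error rejection line, or None for anything else."""
    m = SYNC_RE.match(line)
    if not m:
        return None
    # The log shows CR/LF as the literal text \r\n, so split on those 4 chars.
    parts = [p for p in m["input"].split(r"\r\n") if p]
    is_http = bool(parts) and HTTP_RE.match(parts[0]) is not None
    smtp = [p for p in parts if p.upper().startswith(SMTP_VERBS)]
    if is_http and smtp:
        kind = "smtp-in-http"      # SMTP commands carried in an HTTP body
    elif is_http:
        kind = "http-only"         # plain HTTP request sent to port 25
    else:
        kind = "early-talker"      # SMTP sent before the greeting
    return {"ts": m["ts"], "ip": m["ip"], "kind": kind, "smtp": smtp}

def summarize(lines):
    """Classify every line and count (source IP, kind) pairs."""
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter((h["ip"], h["kind"]) for h in hits)

if __name__ == "__main__":
    hits, counts = summarize(SAMPLE_LOG)
    for (ip, kind), n in sorted(counts.items()):
        print(f"{ip:15} {kind:13} {n}")
```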