  1. #1
    Registered User
    Join Date
    Aug 2001
    Posts
    3

    Default Formmail.pl exploit again...

    Can I please ask that the cgi-sys/formmail.pl script be removed once and for all from the CPanel installation because we've had lord knows how many "fixes" for it and every ***** time someone always pops back around and finds yet another way to use it to send out spam.

    It's getting a mite tiresome...

    So, once again please kill, stamp, burn, drown... the thing...

    thank-you

    cPanel.net Support Ticket Number:

  2. #2
    Member
    Join Date
    Aug 2001
    Posts
    421
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Do you have any proof of this? I see continued attempts but none are successful.


  3. #3
    Member carock's Avatar
    Join Date
    Sep 2002
    Location
    St. Charles, MO
    Posts
    215

    Default Message we just received...

    >Envelope-to: TYQVgR3@gameon.net
    >To: TYQVgR3@gameon.net
    >From: TYQVgR3@gameon.net
    >Subject: http://www.gameon.net/cgi-sys/formmail.pl (210.242.69.242:80)
    >bcc: cac719@aol.comcRi DRl88BG8 pOSQVBq ka 762 TqWSKXcY7U345OyAZYDMRa
    >cz UzIu 6a P caX yQqa4VlEeHKbL3k4mnZrr
    FFFFCCabcdefghijklmnopqrstuvqxy.
    >Date: Thu, 07 Aug 2003 12:30:19 -0500
    >
    >body:
    >cRi DRl8
    >8BG8 pOSQVBq ka 762 TqWSKXcY
    >
    >7U345OyAZYDMRa
    > cz
    > UzIu 6a P caX yQq
    >a4Vl
    >EeHKbL3k4mnZrr
    FFFFCCabcdefghijklmnopqrstuvqxy


  4. #4
    Member
    Join Date
    Jun 2003
    Posts
    177

    Default

    I have about a dozen of the above today.


  5. #5
    Member
    Join Date
    Aug 2001
    Posts
    421
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: Message we just received...

    Originally posted by carock
    >Envelope-to: TYQVgR3@gameon.net
    >To: TYQVgR3@gameon.net
    >From: TYQVgR3@gameon.net
    >Subject: http://www.gameon.net/cgi-sys/formmail.pl (210.242.69.242:80)
    >bcc: cac719@aol.comcRi DRl88BG8 pOSQVBq ka 762 TqWSKXcY7U345OyAZYDMRa
    >cz UzIu 6a P caX yQqa4VlEeHKbL3k4mnZrr
    FFFFCCabcdefghijklmnopqrstuvqxy.
    >Date: Thu, 07 Aug 2003 12:30:19 -0500
    >
    >body:
    >cRi DRl8
    >8BG8 pOSQVBq ka 762 TqWSKXcY
    >
    >7U345OyAZYDMRa
    > cz
    > UzIu 6a P caX yQq
    >a4Vl
    >EeHKbL3k4mnZrr
    FFFFCCabcdefghijklmnopqrstuvqxy

    cPanel.net Support Ticket Number:
    This is an attempt -- did it actually go out to a mailing list? Did you grep your exim_mainlog to see if mail to cac719@aol.com was actually sent?

    cPanel.net Support Ticket Number:
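
Added example (not part of the thread): a plain grep for the address also matches lines where it only appears inside a logged subject, so this sketch separates real deliveries (`=>` / `->`) from mere mentions. The log lines are constructed, Exim-style, and assume subject logging is turned on; all IDs, hosts and addresses are placeholders.

```python
import re

# Constructed Exim-style mainlog lines. Message ...01 had its newline
# stripped, so the address only appears inside the logged subject;
# message ...02 shows what an actual delivery would look like.
SAMPLE_LOG = '''\
2003-08-07 12:30:19 1AAAAA-000001-00 <= nobody U=nobody P=local S=812 T="http://www.example.invalid/cgi-sys/formmail.pl (192.0.2.10:80) bcc: third-party@example.invalid"
2003-08-07 12:30:19 1AAAAA-000001-00 => owner <owner@example.invalid> D=localuser T=local_delivery
2003-08-07 12:30:19 1AAAAA-000001-00 Completed
2003-08-07 12:41:02 1AAAAA-000002-00 <= nobody U=nobody P=local S=790
2003-08-07 12:41:03 1AAAAA-000002-00 => third-party@example.invalid R=lookuphost T=remote_smtp H=mx.example.invalid [192.0.2.25]
2003-08-07 12:41:03 1AAAAA-000002-00 Completed
'''.splitlines()

# timestamp, message id, flag, remainder of the line
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (<=|=>|->|\*\*|==) (.*)$"
)


def classify(lines, address):
    """Return (delivered, mentioned): delivered is a list of
    (timestamp, message_id) for delivery lines whose recipient field
    contains the address; mentioned holds every other matching line."""
    address = address.lower()
    delivered, mentioned = [], []
    for line in lines:
        if address not in line.lower():
            continue
        m = LINE.match(line)
        if m and m.group(3) in ("=>", "->"):
            # Recipient field ends where the first KEY=value field starts.
            recipient = re.split(r" [A-Z]+=", m.group(4), maxsplit=1)[0]
            if address in recipient.lower():
                delivered.append((m.group(1), m.group(2)))
                continue
        mentioned.append(line)
    return delivered, mentioned


if __name__ == "__main__":
    sent, seen = classify(SAMPLE_LOG, "third-party@example.invalid")
    print("delivered:", sent)
    print("mentioned only:", len(seen), "line(s)")
```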

  6. #6
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Default

    For the love of god people quit your whining! CHMOD the bloody file and CHATTR it so it can't be used or updated! Really.. it's that simple!

    Beau Henderson

  7. #7
    Member
    Join Date
    Mar 2003
    Posts
    863

    Default

    Originally posted by iminteractive
    For the love of god people quit your whining! CHMOD the bloody file and CHATTR it so it can't be used or updated! Really.. it's that simple!

    cPanel.net Support Ticket Number:
    LOL! I laughed so hard I almost fell off my chair. I agree with you!


  8. #8
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Default

    Originally posted by iminteractive
    For the love of god people quit your whining! CHMOD the bloody file and CHATTR it so it can't be used or updated! Really.. it's that simple!

    cPanel.net Support Ticket Number:
    Well we shouldn't have to - why is Cpanel providing an exploitable script with their software?

    I have removed this script from all my servers - but Cpanel should take it out of their software plain and simple - but why haven't they?

    I have received about 5 complaints about this since last night:


    Return-path: <mrpoz@tower1.sjservers.com>
    Envelope-to: 8@johnpoz.net
    Delivery-date: Thu, 07 Aug 2003 15:57:05 -0400
    Received: from mrpoz by tower1.sjservers.com with local (Exim 3.36 #1)
    id 19kqsj-0002vE-00
    for 8@johnpoz.net; Thu, 07 Aug 2003 15:57:05 -0400
    To: 8@johnpoz.net
    From: 8@johnpoz.net
    Subject: http://www.johnpoz.net/cgi-sys/formmail.pl (200.74.139.19:80) bcc: cac719@aol.com 7 dLSdU Yeq1z6nt zpV JG 7c 7gqqD DmOWkG EaFI tqK e q 7H6 CbcKD QqP Jv73qnDbD g j9B EMZgO ÿFFFFCCabcdefghijklmnopqrstuvqxyzABCDEFGHIJKLMNOPQRS.
    Message-Id: <E19kqsj-0002vE-00@tower1.sjservers.com>
    Date: Thu, 07 Aug 2003 15:57:05 -0400


  9. #9
    Member
    Join Date
    Jan 2002
    Location
    UK
    Posts
    248

    Default

    That's an attempt to exploit the old hole, it'll be unsuccessful as the newline which should appear before bcc: in the subject: header in order to be successful has been stripped and therefore the header just contains the bcc:

    Subject: http://www.johnpoz.net/cgi-sys/formmail.pl (200.74.139.19:80) bcc: cac719@aol.com 7 dLS

    cPanel.net Support Ticket Number:
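
Added example (not part of the thread, and not the formmail.pl code): the effect described in post #9, shown by parsing the same form field with and without its newline. `build_message` and `strip_newlines` are hypothetical helpers, and the addresses and host are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample values; the addresses and host are placeholders.
OWNER = "owner@example.invalid"
THIRD_PARTY = "third-party@example.invalid"
FIELD = ("http://www.example.invalid/cgi-sys/formmail.pl (192.0.2.10:80)"
         "\nbcc: " + THIRD_PARTY)


def strip_newlines(value):
    """Replace every run of CR/LF with one space so a form field cannot
    end the header line it is copied into."""
    return re.sub(r"[\r\n]+", " ", value)


def build_message(subject):
    """Paste the field into the header block unchanged, as a form mailer
    that trusts its input would (hypothetical helper)."""
    return (f"To: {OWNER}\nFrom: {OWNER}\nSubject: {subject}\n"
            "\nbody text\n")


def parse(raw):
    """Parse the text as a receiving mail system would and report which
    headers it recognises."""
    msg = message_from_string(raw)
    return {"headers": [k.lower() for k in msg.keys()],
            "bcc": msg["Bcc"],
            "subject": msg["Subject"]}


# Without filtering, the newline ends the Subject line and the rest of
# the field is read as a separate Bcc header.
unsafe = parse(build_message(FIELD))
# With the newline stripped, "bcc: ..." is just text inside the Subject,
# which is what the messages quoted in this thread show.
safe = parse(build_message(strip_newlines(FIELD)))

if __name__ == "__main__":
    print("unfiltered:", unsafe["headers"], "bcc =", unsafe["bcc"])
    print("stripped:  ", safe["headers"], "bcc =", safe["bcc"])
    print("subject:   ", safe["subject"])
```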

  10. #10
    Member
    Join Date
    Aug 2001
    Posts
    421
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Originally posted by ramprage
    Well we shouldn't have to - why is Cpanel providing an exploitable script with their software?
    The script is no longer exploitable. That doesn't mean people won't continue trying.

