The Community Forums


Formmail.pl exploit again...

Discussion in 'E-mail Discussions' started by websnail, Aug 7, 2003.

  1. websnail

    websnail Registered

    Joined:
    Aug 17, 2001
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Can I please ask that the cgi-sys/formmail.pl script be removed once and for all from the CPanel installation because we've had lord knows how many "fixes" for it and every ***** time someone always pops back around and finds yet another way to use it to send out spam.

    It's getting a mite tiresome...

    So, once again please kill, stamp, burn, drown... the thing...

    thank-you

  2. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Do you have any proof of this? I see continued attempts but none are successful.

  3. carock

    carock Well-Known Member

    Joined:
    Sep 25, 2002
    Messages:
    232
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    St. Charles, MO
    Message we just received...

    >Envelope-to: TYQVgR3@gameon.net
    >To: TYQVgR3@gameon.net
    >From: TYQVgR3@gameon.net
    >Subject: http://www.gameon.net/cgi-sys/formmail.pl (210.242.69.242:80)
    >bcc: cac719@aol.comcRi DRl88BG8 pOSQVBq ka 762 TqWSKXcY7U345OyAZYDMRa
    >cz UzIu 6a P caX yQqa4VlEeHKbL3k4mnZrr
    FFFFCCabcdefghijklmnopqrstuvqxy.
    >Date: Thu, 07 Aug 2003 12:30:19 -0500
    >
    >body:
    >cRi DRl8
    >8BG8 pOSQVBq ka 762 TqWSKXcY
    >
    >7U345OyAZYDMRa
    > cz
    > UzIu 6a P caX yQq
    >a4Vl
    >EeHKbL3k4mnZrr
    FFFFCCabcdefghijklmnopqrstuvqxy

  4. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    I have about a dozen of the above today.

  5. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Re: Message we just received...

    This is an attempt -- did it actually go out to a mailing list? Did you grep your exim_mainlog to see if mail to cac719@aol.com was actually sent?

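One way to do the check Curious Too describes, as an added example that is not code from the thread or from cPanel: parse exim_mainlog delivery lines and report whether a given address was ever actually delivered to, which separates an attempt from a successful relay. The log excerpt, the second message ID and all hosts/IPs are constructed; the Exim 3 line layout is assumed.

```python
import re
from collections import defaultdict

# Constructed exim_mainlog excerpt (not taken from the thread). The message ID
# 19kqsj-0002vE-00 is the one in ramprage's headers; the second message and all
# hosts/IPs are made up to show what a successful relay to the bcc target
# would look like in the log.
SAMPLE_LOG = """\
2003-08-07 15:57:05 19kqsj-0002vE-00 <= mrpoz@tower1.sjservers.com U=mrpoz P=local S=812
2003-08-07 15:57:06 19kqsj-0002vE-00 => 8@johnpoz.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-08-07 15:57:06 19kqsj-0002vE-00 Completed
2003-08-07 16:02:11 19kqxZ-0003aa-00 <= mrpoz@tower1.sjservers.com U=mrpoz P=local S=840
2003-08-07 16:02:12 19kqxZ-0003aa-00 => 8@johnpoz.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-08-07 16:02:12 19kqxZ-0003aa-00 => cac719@aol.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.20]
2003-08-07 16:02:12 19kqxZ-0003aa-00 Completed
"""

# timestamp, message ID, flag (<= arrival, => delivery, -> extra recipient,
# ** failed, == deferred), then the address the flag applies to.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+-\S+-\S+) (<=|=>|->|\*\*|==) (\S+)")

def recipients_by_message(log_text):
    """Map each message ID to the addresses Exim actually delivered it to."""
    delivered = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) in ("=>", "->"):
            delivered[m.group(2)].append(m.group(4).lower())
    return dict(delivered)

def deliveries_to(log_text, address):
    """Message IDs delivered to `address`; an empty list means attempts only."""
    address = address.lower()
    return [mid for mid, rcpts in recipients_by_message(log_text).items()
            if address in rcpts]

if __name__ == "__main__":
    hits = deliveries_to(SAMPLE_LOG, "cac719@aol.com")
    print("relayed" if hits else "attempts only", hits)
```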
  6. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    For the love of god, people, quit your whining! CHMOD the bloody file and CHATTR it so it can't be used or updated! Really.. it's that simple!

  7. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    LOL! I laughed so hard I almost fell off my chair. I agree with you!

  8. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Well we shouldn't have to - why is Cpanel providing an exploitable script with their software?

    I have removed this script from all my servers - but Cpanel should take it out of their software plain and simple - but why haven't they?

    I have received about 5 complaints about this since last night:


    Return-path: <mrpoz@tower1.sjservers.com>
    Envelope-to: 8@johnpoz.net
    Delivery-date: Thu, 07 Aug 2003 15:57:05 -0400
    Received: from mrpoz by tower1.sjservers.com with local (Exim 3.36 #1)
    id 19kqsj-0002vE-00
    for 8@johnpoz.net; Thu, 07 Aug 2003 15:57:05 -0400
    To: 8@johnpoz.net
    From: 8@johnpoz.net
    Subject: http://www.johnpoz.net/cgi-sys/formmail.pl (200.74.139.19:80) bcc: cac719@aol.com 7 dLSdU Yeq1z6nt zpV JG 7c 7gqqD DmOWkG EaFI tqK e q 7H6 CbcKD QqP Jv73qnDbD g j9B EMZgO ÿFFFFCCabcdefghijklmnopqrstuvqxyzABCDEFGHIJKLMNOPQRS.
    Message-Id: <E19kqsj-0002vE-00@tower1.sjservers.com>
    Date: Thu, 07 Aug 2003 15:57:05 -0400

  9. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    That's an attempt to exploit the old hole. It'll be unsuccessful, as the newline which should appear before bcc: in the Subject: header in order to be successful has been stripped, and therefore the header just contains the bcc:

    Subject: http://www.johnpoz.net/cgi-sys/formmail.pl (200.74.139.19:80) bcc: cac719@aol.com 7 dLS

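The point andyf makes, as an added example that is not from the thread or from the FormMail script: a Subject value that cannot contain a line break cannot carry an extra header, so the fix on the script side is to collapse CR/LF in every user-supplied header value, and the detection side flags submissions where a line break is followed by something shaped like a header name. The sample subject values are constructed; the function names are hypothetical.

```python
import re

# A header field name at column 0 (letters/digits/hyphen then a colon). A
# legitimately folded header continues with leading whitespace, so it does not
# match; an injected "bcc:" after a raw newline does.
HEADER_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")

def sanitize_header_value(value):
    """Force a user-supplied value onto one header line (CR, LF, NUL -> space)."""
    return re.sub(r"[\r\n\x00]+", " ", value).strip()

def looks_like_header_injection(value):
    """True if a line break in `value` is followed by something shaped like a header."""
    lines = re.split(r"\r\n|\r|\n", value)   # a bare CR ends a line for many MTAs too
    return any(HEADER_NAME.match(line) for line in lines[1:])

def build_subject_header(value):
    """What a fixed formmail-style script should write: one sanitized Subject line."""
    return "Subject: " + sanitize_header_value(value)

# Constructed sample subject values (hypothetical form submissions, not real traffic).
SAMPLES = {
    # Shape of the attempt quoted in the thread: the newline was already
    # stripped, so "bcc:" is only text inside the Subject line.
    "stripped": "http://www.johnpoz.net/cgi-sys/formmail.pl (200.74.139.19:80) bcc: cac719@aol.com 7 dLS",
    # The same submission with the line break intact: this is the old hole.
    "injected": "http://www.example.net/cgi-sys/formmail.pl (192.0.2.1:80)\nbcc: someone@example.org",
    # Ordinary multi-line text that must not be flagged.
    "benign": "Question about my order\n\nthanks",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        flagged = looks_like_header_injection(value)
        print(f"{name:9} injection={flagged} -> {build_subject_header(value)!r}")
```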
  10. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    The script is no longer exploitable. That doesn't mean people won't continue trying.
