The Community Forums


FormMail.pl spam hole is back

Discussion in 'E-mail Discussions' started by rhood, Aug 7, 2003.

  1. rhood

    rhood Well-Known Member

    Joined:
    Feb 15, 2003
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    We're having users report that the FormMail.pl spam hole is back. I have now had to remove it on one server. Is anyone else having this problem, and are DarkORB aware of it?

  2. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    If you removed FormMail.pl it will come back in the next update.

    You should chmod the files to 000 and lock them (chattr +i) .. this will prevent them from being accessed or replaced.

  3. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    We are getting messages that are similar to the one seen a few months back, when a spammer would test the formmail to see if it is exploitable. Is the formmail script actually exploitable, or is someone just checking to see if it has been patched?

  4. wills

    wills Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    202
    Likes Received:
    1
    Trophy Points:
    18
    yep, just got a shit load of messages delivered to my box. It's back! now I gotta go and update.

  5. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    The odd thing is, http://www.any-domain.com/cgi-sys/formmail.pl is being used... while there is no file with that name in the domain space! That means spammers could actually use that address to send out mail from any domain (although I haven't tried it out yet).

    Another odd thing: When you go to http://www.any-domain.com/cgi-sys/formmail.pl (any domain on the server) you can actually see the message that comes up when the script is installed.

    ls -a /usr/local/cpanel/cgi-sys/ displays 5 different file names:

    -rwxr-xr-x 4 root wheel 556360 Jul 9 01:27 formmail.cgi*
    -rwxr-xr-x 4 root wheel 556360 Jul 9 01:27 FormMail.cgi*
    -rwxr-xr-x 1 root wheel 556360 Jul 9 01:27 FormMail-clone.cgi*
    -rwxr-xr-x 4 root wheel 556360 Jul 9 01:27 formmail.pl*
    -rwxr-xr-x 4 root wheel 556360 Jul 9 01:27 FormMail.pl*

    It looks like it may be time to close down some more holes... ;)
     
  6. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    Why don't you chmod 000 file1 file2 file3 file4 etc.? Replace with the list above. Then you won't have to worry about it. Also, you should chattr +i file1 file2 file3 file4 after that so cPanel cannot re-enable them.

  7. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    We just disable the formmail completely and let our users know their options for formmails, found it to be the best way :)

  8. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Done already!
     
  9. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The formmail script has to have arguments passed to it. If no arguments are passed to it, it will show the default page.

    How is everyone determining if spammers are using their formmails to send spam?

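    One way to answer the question above from the web server side, as an added example that is not from any poster in this thread: a small script that counts requests to the five cgi-sys FormMail script names listed earlier in the thread, per client IP and method, over Apache combined-format access log lines. The log lines here are constructed, and the script assumes the request path is the seventh whitespace-separated field, as it is in that format.

```shell
#!/bin/sh
# Added example (not from the thread): find hosts hitting the cPanel
# cgi-sys FormMail scripts in Apache combined-format access logs.
# The five script names are those listed in the thread; the log lines
# below are constructed sample data, not real traffic.

SAMPLE_LOG='192.0.2.10 - - [07/Aug/2003:10:00:01 -0500] "POST /cgi-sys/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [07/Aug/2003:10:00:02 -0500] "POST /cgi-sys/FormMail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Aug/2003:10:01:00 -0500] "GET /cgi-sys/formmail.pl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Aug/2003:10:02:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Aug/2003:10:03:00 -0500] "POST /cgi-sys/FormMail-clone.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"'

# formmail_hits: read log lines on stdin and print "count ip method" for
# every request to one of the cgi-sys FormMail variants, highest count first.
formmail_hits() {
    awk '
        # $7 is the request path in combined format; match the script
        # names case-insensitively since both formmail.pl and FormMail.pl exist.
        tolower($7) ~ /^\/cgi-sys\/formmail(-clone)?\.(pl|cgi)$/ {
            method = substr($6, 2)      # $6 is "POST with a leading quote
            count[$1 " " method]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# formmail_post_ips: only the POSTs, one IP per line. A bare GET just
# returns the default page (as sparek-3 notes); a POST is a send attempt.
formmail_post_ips() {
    formmail_hits | awk '$3 == "POST" { print $2 }' | sort -u
}

# Run over the constructed sample; on a real host, replace the printf with
# something like: cat /usr/local/apache/logs/access_log | formmail_hits
printf '%s\n' "$SAMPLE_LOG" | formmail_hits
```

    Whether a matching request actually produced outbound mail is a separate check against the mail logs, which the thread goes on to discuss.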
  10. wills

    wills Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    202
    Likes Received:
    1
    Trophy Points:
    18
    Can you let me know how you disable it? Do you just remove it? Is there an option in WHM to disable it?

  11. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Read mmkassem's post further up (aka Mahmoud). ;)
     
  12. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I have seen attempts to use FormMail but no email was successfully sent to the aol address that's listed in the email. The mail only went to the users account, it was not relayed anywhere else.

  13. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
  14. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
  15. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Over there you advised to:

    chmod 0 cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

    chattr +i cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

    Are you saying that these 4 cgis are also vulnerable?
    helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi
    Are these never used by Cpanel?
     
  16. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    You haven't noticed they are no longer an option in the Control Panels? :)

    Being as they are old and no longer updated and much better scripts are available, I felt it was better to shut them down. To each their own though.

  17. rhood

    rhood Well-Known Member

    Joined:
    Feb 15, 2003
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    I can confirm for sure that the hole is back -- in the past few days, we have had many reports of people receiving bounced messages sent from these scripts, across different servers.

  18. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
    I see attempts to send spam with formmail but they don't get off the server.
     
  19. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Do your maillogs confirm that the email was actually sent to the AOL address the spammer used?

  20. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    We have received some of the messages back, and some of our clients have. They have written us inquiring if it is an exploit. We told them that we did not think it was, just someone seeing if it was exploitable. I don't think there is any new exploit.
