Re: Attempt at cgi mail exploit

2005-08-31 Thread Jason Stephenson
The funny thing, to me, is that I see stuff like this in my mail logs 
all the time, both at my day job and at home:


2005-08-30 00:20:36 SMTP protocol violation: synchronization error 
(input sent without waiting for greeting): rejected connection from 
H=[81.12.246.11] input="POST / HTTP/1.0\r\nContent-Type: 
text/plain\r\nContent-Length: 833\r\n\r\nRSET\r\nHELO sightz.com\r\nMAIL 
FROM:<[EMAIL PROTECTED]>\r\nRCPT TO:<[EMAIL PROTECTED]>"


(I changed the email addresses to protect the [not so] innocent.)

Apparently, someone learned to program HTTP and figures everything is a 
web server. Not so clever hackers. (And, yes, that is coming in on port 
25.)


BTW, trying to exploit cgi mail programs is an old trick. I've seen 
failed attempts at posting to common cgi mail programs on my server for 
ages. What's funny is that I use my own, custom contact form and cgi 
(written in C, no less). It only sends email to me, and it requires that 
all fields be filled out. The reason it's funny is that I've taken the 
name of a common cgi mail program, swapped the first and second 
syllables of the name, and removed the file extension (which is 
meaningless on *NIX anyway). Of course, no one has ever used it to send 
me mail, except for myself during testing. :(


___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
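An added triage script, not code from Jason's post or from his C cgi: it parses Exim-style "synchronization error" reject lines like the one quoted above, separates the ones where the client's first bytes were an HTTP request line (the "everything is a web server" case) from plain early-talker SMTP, pulls any RCPT TO addresses out of the escaped input, and counts rejects per source host. The log lines it runs on are constructed with documentation addresses, not real ones; the one assumption is that the MTA escapes CR/LF in the logged input as the two-character sequences \r\n, as in the quoted line.

```python
import re
from collections import Counter

# Constructed sample reject lines in the format quoted in the post (hosts,
# IPs and addresses are made-up placeholders). The r''' string keeps the
# backslashes, so "\r\n" below is the literal 4-character escape Exim logs.
SAMPLE_LOG = r'''
2005-08-30 00:20:36 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="POST / HTTP/1.0\r\nContent-Type: text/plain\r\nContent-Length: 833\r\n\r\nRSET\r\nHELO example.invalid\r\nMAIL FROM:<spammer@example.invalid>\r\nRCPT TO:<victim@example.invalid>"
2005-08-30 00:21:02 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="POST /cgi-bin/mailer HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
2005-08-30 00:25:40 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="EHLO fastmailer\r\nMAIL FROM:<a@example.invalid>"
2005-08-30 00:30:00 1E9xyz-000123-AB <= sender@example.invalid H=mx.example.invalid [203.0.113.5] P=esmtp S=1234
'''

SYNC_ERROR_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'SMTP protocol violation: synchronization error '
    r'\(input sent without waiting for greeting\): '
    r'rejected connection from H=\[(?P<ip>[^\]]+)\] input="(?P<input>.*)"$'
)
HTTP_REQUEST_RE = re.compile(r'^(GET|POST|HEAD|PUT) \S+ HTTP/\d\.\d$')
RCPT_RE = re.compile(r'^RCPT TO:<([^>]*)>$', re.IGNORECASE)


def parse_sync_error(line):
    """Return a record for a synchronization-error reject line, else None."""
    m = SYNC_ERROR_RE.match(line)
    if not m:
        return None
    # The client's input is split on the literal escaped line endings.
    cmds = m.group('input').split(r'\r\n')
    first = cmds[0]
    kind = 'http-over-smtp' if HTTP_REQUEST_RE.match(first) else 'early-smtp'
    rcpts = []
    for c in cmds:
        r = RCPT_RE.match(c)
        if r:
            rcpts.append(r.group(1))
    return {
        'ts': m.group('ts'),
        'ip': m.group('ip'),
        'kind': kind,
        'http_request': first if kind == 'http-over-smtp' else None,
        'rcpt': rcpts,
    }


def triage(log_text):
    """Parse every sync-error line in a log; unrelated lines are skipped."""
    records = []
    for line in log_text.splitlines():
        rec = parse_sync_error(line.strip())
        if rec:
            records.append(rec)
    return records


def summarize(records):
    """Rejects per source host, and how many opened with an HTTP request."""
    by_ip = Counter(r['ip'] for r in records)
    return {
        'by_ip': dict(by_ip),
        'http_over_smtp': sum(r['kind'] == 'http-over-smtp' for r in records),
    }


if __name__ == '__main__':
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(r['ts'], r['ip'], r['kind'], r['http_request'], r['rcpt'])
    print(summarize(recs))
```

Feed it the real mainlog with `triage(open('/var/log/exim4/mainlog').read())`; the per-host counts are what you would want before deciding whether a source is worth an abuse report, and the RCPT TO list shows who the early talker was trying to reach.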


Re: Attempt at cgi mail exploit

2005-08-31 Thread Bill McGonigle

On Aug 31, 2005, at 21:54, Ted Roche wrote:

My question: how likely is it that the IP address in my Apache logs is 
correct? I'd like to report the abuse to the ISP, but there is no 
point if it is spoofed.


TCP is hard to spoof because you have to complete the 3-way handshake 
so the victim computer needs to know where to send the SYN-ACK packet.  
If the source on the SYN packet is spoofed the connection never comes 
up.  With randomized sequence numbers, it's very hard to interpose 
oneself into the conversation, especially if you're not on a shared 
media subnet (unswitched 10-BaseT, e.g.).


In this case, it's unlikely that you're seeing a spoofed IP address.  
For ICMP and UDP DoS attacks, you can almost guarantee they're spoofed. 
(we thought everybody would be doing egress filtering by now)


whois [EMAIL PROTECTED] gives a valid abuse address.

-Bill

-
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
[EMAIL PROTECTED]               Mobile: 603.252.2606
http://www.bfccomputing.com/    Pager: 603.442.1833
Jabber: [EMAIL PROTECTED]       Text: [EMAIL PROTECTED]
RSS: http://blog.bfccomputing.com/rss

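An added toy model of Bill's argument, my own illustration rather than anything from his post: a simulated network delivers segments only to the host that really owns the destination address, the server picks a random initial sequence number, and it writes a client into its access log only once the handshake completes. A client using its own address gets logged; a client sending a SYN with a forged source never receives the SYN-ACK, so its ACK cannot carry the right number and the connection sits in SYN-RECEIVED, never reaching the log. A datagram, by contrast, is logged with whatever source it claims. The egress filter at the end is the BCP 38 rule he alludes to. All addresses are constructed from the documentation ranges; nothing here touches a real socket.

```python
import ipaddress
import secrets
from collections import namedtuple

# Toy model of the TCP 3-way handshake (added illustration, not real networking).
# Addresses are constructed from the RFC 5737 documentation ranges.
Segment = namedtuple('Segment', 'src dst flags seq ack')
MOD = 2 ** 32


class Network:
    """Delivers a segment only to the host that really owns its destination."""
    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.addr] = host

    def send(self, seg):
        dst = self.hosts.get(seg.dst)
        if dst is not None:          # nobody owns a forged address: dropped
            dst.inbox.append(seg)


class Host:
    def __init__(self, net, addr):
        self.net, self.addr, self.inbox = net, addr, []
        net.attach(self)


class Server(Host):
    def __init__(self, net, addr):
        super().__init__(net, addr)
        self.pending = {}       # peer -> our ISN, i.e. SYN-RECEIVED state
        self.access_log = []    # peers whose handshake completed (ESTABLISHED)
        self.udp_log = []       # claimed sources of datagrams, no handshake

    def process(self):
        while self.inbox:
            seg = self.inbox.pop(0)
            if seg.flags == 'SYN':
                isn = secrets.randbelow(MOD)              # randomized ISN
                self.pending[seg.src] = isn
                self.net.send(Segment(self.addr, seg.src, 'SYN-ACK',
                                      isn, (seg.seq + 1) % MOD))
            elif seg.flags == 'ACK' and seg.src in self.pending:
                if seg.ack == (self.pending[seg.src] + 1) % MOD:
                    del self.pending[seg.src]
                    self.access_log.append(seg.src)       # only now is it logged

    def receive_datagram(self, claimed_src):
        self.udp_log.append(claimed_src)   # UDP/ICMP: source is taken on faith


class Client(Host):
    def connect(self, server_addr, spoof_src=None):
        src = spoof_src or self.addr
        isn = secrets.randbelow(MOD)
        self.net.send(Segment(src, server_addr, 'SYN', isn, 0))
        self.net.hosts[server_addr].process()
        # The SYN-ACK was sent to `src`; we hold it only if that address is ours.
        synacks = [s for s in self.inbox if s.flags == 'SYN-ACK']
        if synacks:
            ack = (synacks[-1].seq + 1) % MOD
        else:
            ack = secrets.randbelow(MOD)   # never saw the server's ISN: 1 in 2^32
        self.net.send(Segment(src, server_addr, 'ACK', (isn + 1) % MOD, ack))
        self.net.hosts[server_addr].process()


def egress_permits(site_prefix, seg):
    """BCP 38 egress filter: forward only packets sourced from the site's own prefix."""
    return ipaddress.ip_address(seg.src) in ipaddress.ip_network(site_prefix)


def demo():
    net = Network()
    server = Server(net, '203.0.113.5')
    honest = Client(net, '192.0.2.10')
    attacker = Client(net, '198.51.100.7')
    honest.connect(server.addr)
    attacker.connect(server.addr, spoof_src='192.0.2.99')   # forged source
    server.receive_datagram('192.0.2.99')                   # forged UDP source
    return server.access_log, list(server.pending), server.udp_log


if __name__ == '__main__':
    print(demo())
```

The point for the log reader: an Apache access log entry exists only because the handshake completed, so the address in it is the one that answered the SYN-ACK, whereas a UDP or ICMP flood entry records nothing more than the bytes the sender chose to write in the source field.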