Night after night, at about midnight, I have my contact form probed by a hacker. It never works, but he keeps trying. So today my friend Leo Notenboom and I tweaked the code slightly so we could see exactly what he was trying to do, and lo and behold, as of a few minutes ago, here’s what we saw…
Name : voldak1@aol.com\012To: voldak1@aol.com\012From: voldak1@aol.com\012Subject: eyD(B837E426,name)LnMH\012\012jPaTdaIhWzo 8U8nRk nWmknKJwS77GVlB905OqGlQV8WKF2WPpPuQOUGkAZIso2qH jdM vPa3Uu9chcxV4xMqiGMZkAEyE\012\012.\012\012 Email: voldak1@aol.com\012To: voldak1@aol.com\012From: voldak1@aol.com\012Subject: ESF(B837E426,email)\012\012clcgzcMbn23vfgKEfTgt7PJVD0mq3E\012\012.\012\012 Phone: voldak1@aol.com\012To: voldak1@aol.com\012From: voldak1@aol.com\012Subject: aXWkFI(B837E426,phone) Yy\012\012ZFMWlTe0GZfVlymddZpuICrao4Jsbgx1rFT8ro09lWL\012\012.\012\012
An explanation is pretty important: every time you see a \012 sequence, that’s a line feed. Normal form data doesn’t embed line feeds, particularly for values like ‘name’ and ‘email address’, while this person – apparently voldak1@aol.com – is including them in an attempt to break out of the form field and inject his own mail headers into the message the backend CGI script sends. To make this clearer: in the blob above, each field label (‘Name :’, ‘Email:’, ‘Phone:’) is the form’s own, and everything that follows it up to the next label is his input.
Can you see the pattern here? If we unwrap this by replacing all the \012 sequences with line feeds, watch what appears for one of the otherwise cryptic values entered:
voldak1@aol.com
To: voldak1@aol.com
From: voldak1@aol.com
Subject: ESF(B837E426,email)

clcgzcMbn23vfgKEfTgt7PJVD0mq3E

.
What the subject and body values are is a mystery to me. Is it something encrypted? Or just junk as part of a test? This, by the way, is the same vulnerability that was exploited in the Formmail Vulnerability activity of the last few weeks.
What’s also interesting is that there’s a fourth field in the form that indicates the subject of the query, and it always has a value, even if it’s just the default “(choose a subject)”. But the data this guy submits has a blank value for it. What does that tell me? That he’s using a program that scraped the form for field names (or guesses common names like ‘name’, ‘email’, ‘address’, etc.) and is feeding data to my form from his own Web front-end. So even if I embed secret information or confirmation information in my HTML form, he won’t see it.
Whichever it is, if you’ve got your own CGI scripts, this should be a wakeup call to you that it is genuinely important to be conscious of security and make sure you’ve got things locked down as tight as possible.
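As an added example (not code from this post or from the contact form’s own CGI), here is a Python check of the kind a form handler should run: it decodes the logged \012 escapes, lists the mail headers each field tried to smuggle in, and refuses to build the outgoing message if any single-line field contains a line break. The field names, addresses and sample values are constructed, modelled on the capture above.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the captured data in the post: single-line form
# fields whose values carry embedded line feeds, logged as octal "\012" escapes.
# Addresses and the junk subject/body text are placeholders, not the real capture.
LOGGED_FORM = {
    "name": r"attacker@example.com\012To: attacker@example.com\012From: attacker@example.com"
            r"\012Subject: eyD(B837E426,name)LnMH\012\012jPaTdaIhWzo 8U8nRk\012\012.\012\012",
    "email": r"attacker@example.com\012To: attacker@example.com\012From: attacker@example.com"
             r"\012Subject: ESF(B837E426,email)\012\012clcgzcMbn23vfg\012\012.\012\012",
    "phone": "555-0100",   # a benign value for contrast
    "topic": "",           # the scraped-form giveaway: the default is never sent
}

def unescape_octal(text: str) -> str:
    """Turn the log's \\NNN octal escapes back into the characters the CGI received."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), text)

def has_header_injection(value: str) -> bool:
    """A single-line field may never contain CR or LF; check after decoding, since
    a CGI library hands the script already-decoded values."""
    return any(c in unescape_octal(value) for c in "\r\n")

def injected_headers(value: str) -> List[str]:
    """Names of the headers the value would add to the outgoing mail: any line after
    the first that looks like 'Name: ...' is a header the form never intended."""
    lines = unescape_octal(value).replace("\r", "\n").split("\n")
    return [m.group(1) for line in lines[1:]
            if (m := re.match(r"^([A-Za-z][A-Za-z0-9-]*):", line))]

def check_form(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the fields that must be rejected, with the headers each tried to add."""
    return {name: injected_headers(v) for name, v in fields.items()
            if has_header_injection(v)}

def build_mail(fields: Dict[str, str], to_addr: str) -> str:
    """Build the message the CGI would hand to the mailer: headers come only from the
    script's own configuration, form values go only into the body, and any field
    carrying a line break is refused outright."""
    bad = check_form(fields)
    if bad:
        raise ValueError(f"header injection attempt in fields: {sorted(bad)}")
    body = "\n".join(f"{k}: {fields[k]}" for k in sorted(fields))
    return f"To: {to_addr}\nSubject: Contact form\n\n{body}\n"
```

Logging the result of check_form for every rejected submission is what turns a silent failure into the kind of record that shows exactly which headers were attempted.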
How hackers exploit insecure CGIs
Dave Taylor catches a hacker (OK, cracker) in the act
And in a remarkable demonstration of blind persistence, even after I’ve sent mail to the AOL chap, and even after he’s had night after night of zero results, he continues to try to hit my form with exactly the same attack (read that as “form data”) every night at around midnight, always from the same three IP addresses.