Analysis
The 1st entry into the form was just a harmless probe to see if there was any form validation being performed or if it would just accept anything.
This keeps it under the radar of any application level filters that may be running, since a jpg is a commonly accepted extension.
Since the attacker found that the form did not do any form validation, it was time to exploit the application.
The exploit that they used, which is really unknown at this point, makes a call back to the malicious website and runs the CGI script, which in turn performs the actual exploit against the application. If I had to guess, it was probably a SQL exploit.
There are a multitude of ways to prevent such attacks.
1. The programmers should have made better use of form input validation. This simple measure would thwart most input validation attacks.
2. Use an application level filter such as URLScan if this is running on IIS.
3. Using SSL will help prevent sniffed sessions on that site. You can also make it so that the private-side site (naughty/nice db) only accepts requests from certain networks.
E-mail on the client side
1. Virus protection software should be running not only on the desktop but also at the mail gateway.
2. If using Outlook, all e-mail should be read in the restricted zone.
3. To further mitigate it, you can have that network in a DMZ where there is no web access allowed. That way, if a URL is embedded in a message body, the end user would never be able to retrieve it.
LordInfidel