Apache Logs/FormMail2.pl

From: N407ER (n407er_at_myrealbox.com)
Date: 09/27/03

    Date: Sat, 27 Sep 2003 10:25:20 -0400
    To: security-basics@securityfocus.com


    Hi,

    I've been seeing a lot of stuff like the following in my Apache logs,
    what appears to be a bot trying generic script names to look for
    vulnerabilities. Some are things like test.php, but most are
    FormMail.pl, formmail.php, etc. They appear to be spammers, as they are
    targeting specifically formmailers and not, say, PHP Nuke pages. Plus, I
    assume that if someone were to try to break into my box, he wouldn't do
    it so obviously.

    What strikes me as odd is that now I am seeing chunks of scans all
    within a few seconds from multiple independent IPs. They are too closely
    spaced to be a coincidence, which leaves me thinking that the spammers
    are actively breaking into people's machines and searching for hosts
    they can use as remailers from those machines. Anyone have any
    experience with this?

    Thanks,

    64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"

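Added example, not part of the original post or the list archive: a small Python script that turns the pattern the poster describes into a check a defender can run over an access log. It parses Apache common/combined log lines (the excerpt mixes both shapes), treats a 404 for a form-mailer-looking script name as a probe, and reports time windows in which several distinct source addresses probed within a few seconds of each other, which is the "chunks of scans from multiple independent IPs" observation. The sample lines are constructed from the post's excerpt plus one made-up benign request (10.0.0.5); the script-name pattern, the 10-second window and the two-address threshold are assumptions, not anything the post or Apache defines.

```python
"""Flag clustered 404 probes for form-mailer script names in Apache access logs."""
import re
from datetime import datetime, timedelta

# Constructed sample: timestamps, addresses and paths taken from the post's excerpt,
# with one benign request added for contrast.
SAMPLE_LOG = """\
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
10.0.0.5 - - [27/Sep/2003:09:32:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Apache common log format, with the referer/user-agent pair of the combined
# format made optional so both line shapes in the excerpt parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Script names the post mentions as typical targets (FormMail.pl, formmail.php,
# FormMail2.pl, test.php). Assumed list; extend it to match what your logs show.
PROBE_RE = re.compile(r'(?i)(?:formmail\w*\.(?:pl|php|cgi)|test\.php)$')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_probe(entry):
    """A 404 for a form-mailer-looking script: nothing legitimate links to a
    script that does not exist, so such hits are name-guessing."""
    path = entry["path"].split("?", 1)[0]
    return entry["status"] == 404 and PROBE_RE.search(path) is not None


def find_clusters(entries, window=timedelta(seconds=10), min_ips=2):
    """Group probes whose timestamps lie within `window` of the group's first
    probe, and keep groups seen from at least `min_ips` distinct addresses.
    A single address retrying (the 198.182.96.17 pair) does not qualify."""
    probes = sorted((e for e in entries if is_probe(e)), key=lambda e: e["ts"])
    clusters = []

    def flush(group):
        ips = sorted({e["ip"] for e in group})
        if len(ips) >= min_ips:
            clusters.append({"start": group[0]["ts"], "end": group[-1]["ts"],
                             "ips": ips, "hits": len(group)})

    current = []
    for e in probes:
        if current and e["ts"] - current[0]["ts"] > window:
            flush(current)
            current = []
        current.append(e)
    if current:
        flush(current)
    return clusters


def probe_report(log_text):
    """Parse a whole log; return (number of probe hits, list of clusters)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return sum(1 for e in entries if is_probe(e)), find_clusters(entries)


if __name__ == "__main__":
    n, clusters = probe_report(SAMPLE_LOG)
    print(f"{n} probe hits")
    for c in clusters:
        print(f"{c['start']:%H:%M:%S}-{c['end']:%H:%M:%S}: {c['hits']} hits "
              f"from {len(c['ips'])} addresses: {', '.join(c['ips'])}")
```

On the excerpt this reports one cluster (09:30:21 to 09:30:23, four hits from three addresses) and ignores the lone 198.182.96.17 retries, which matches the poster's reading that the tightly spaced hits come from independent hosts. Because every flagged request is a 404, the check costs nothing in false positives on a site that does not host those scripts; on one that does, match on the script name alone and watch for POSTs with unexpected recipient fields instead.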
