Re: Apache Logs/FormMail2.pl

From: ScoutMirim (scoutmirim_at_sapo.pt)
Date: 09/29/03

    To: "N407ER" <n407er@myrealbox.com>
    Date: Mon, 29 Sep 2003 17:58:55 +0100
    
    

    Yes, my server has already been hit by them (spammers).

    FormMail is a vulnerable script that can be downloaded from
    http://www.scriptarchive.com/formmail.html

    According to http://ist-socrates.berkeley.edu:7309/web_sec/page26.html, this
    script was downloaded 2 million times.

    As it is vulnerable, including the latest version, some spammers made a tool to
    automatically search for vulnerable web servers. Maybe we should start making
    a list of IPs and send spam abuse reports.

    The problem with this script is that it agrees to send mail to every e-mail
    address on the net.

    Further information:
    http://www.securiteam.com/securitynews/Formmail_pl_Can_Be_Used_As_An_Open_Mail_Relay.html

    ScoutMirim

    ----- Original Message -----
    From: "N407ER" <n407er@myrealbox.com>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, September 27, 2003 3:25 PM
    Subject: Apache Logs/FormMail2.pl

    > Hi,
    >
    > I've been seeing a lot of stuff like the following in my Apache logs,
    > what appears to be a bot trying generic scriptnames to look for
    > vulnerabilities. Some are things like test.php, but most are
    > FormMail.pl, formmail.php, etc. They appear to be spammers, as they are
    > targeting specifically formmailers and not, say, PHP Nuke pages. Plus, I
    > assume that if someone were to try to break into my box, he wouldn't do
    > it so obviously.
    >
    > What strikes me as odd is that now I am seeing chunks of scans all
    > within a few seconds from multiple independent IPs. They are too closely
    > spaced to be a coincidence, which leaves me thinking that the spammers
    > are actively breaking into people's machines and searching for hosts
    > they can use as remailers from those machines. Anyone have any
    > experience with this?
    >
    > Thanks,
    >
    >
    > 64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    > 64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    > 24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    > 24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    > 65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    > 65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    > 198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    > 198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
    > 198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
    > 198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"

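    [Editor's added example, not code from either poster.] The pattern N407ER spotted by eye (several unrelated IPs POSTing to the same formmail script within a couple of seconds) and the IP list ScoutMirim proposes for abuse reports can both be pulled out of the access log mechanically. The script below parses Apache common/combined log lines, keeps POSTs whose basename looks like a formmail script (the name regex is my assumption, covering FormMail.pl, formmail.php, FormMail2.pl and similar), clusters them per path into short time windows, and reports windows with several distinct client IPs. It also separates 404 probes (script absent) from probes that got a 2xx/3xx answer, which would mean a live formmail was found and needs looking at. The sample log is constructed to mirror the format of the lines quoted above, using 192.0.2.x documentation addresses rather than the real scanner IPs.

```python
"""Spot coordinated FormMail probing in Apache access logs.

Added example for this thread (not code from the original posts). Log
lines below are constructed; 192.0.2.x are documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined format; the trailing referer/user-agent pair is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Assumed set of script names spammers probe for, matched on the basename
# case-insensitively: FormMail.pl, formmail.php, FormMail2.pl, formmail.cgi ...
FORMMAIL_RE = re.compile(r'^formmail\d*\.(pl|cgi|php)$', re.IGNORECASE)

# Constructed sample log, same layout as the lines quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
192.0.2.10 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.example.com/" "-"
192.0.2.20 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
192.0.2.30 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.example.com/" "-"
192.0.2.40 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
192.0.2.40 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/formmail.php HTTP/1.0" 404 214
192.0.2.50 - - [27/Sep/2003:09:32:10 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.60 - - [27/Sep/2003:10:02:00 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def is_formmail_probe(rec):
    """True for a POST whose script basename looks like a formmail variant."""
    basename = rec['path'].split('?', 1)[0].rsplit('/', 1)[-1]
    return rec['method'] == 'POST' and bool(FORMMAIL_RE.match(basename))


def formmail_probes(lines):
    """All parsed records that are formmail probes, in time order."""
    probes = [r for r in map(parse_line, lines) if r and is_formmail_probe(r)]
    probes.sort(key=lambda r: r['ts'])
    return probes


def find_bursts(lines, window=timedelta(seconds=10), min_ips=3):
    """Per probed path, find windows of `window` length in which at least
    `min_ips` distinct client IPs POSTed to it. Returns a list of
    (first_ts, last_ts, path, sorted_ips)."""
    by_path = defaultdict(list)
    for r in formmail_probes(lines):
        by_path[r['path']].append(r)
    bursts = []
    for path, recs in by_path.items():
        i = 0
        while i < len(recs):
            j, ips = i, set()
            while j < len(recs) and recs[j]['ts'] - recs[i]['ts'] <= window:
                ips.add(recs[j]['ip'])
                j += 1
            if len(ips) >= min_ips:
                bursts.append((recs[i]['ts'], recs[j - 1]['ts'], path, sorted(ips)))
                i = j          # skip past the burst we just reported
            else:
                i += 1
    return bursts


def probe_ips(lines):
    """Distinct source IPs of all formmail probes (input for abuse reports)."""
    return sorted({r['ip'] for r in formmail_probes(lines)})


def live_hits(lines):
    """Probes answered with a non-error status: a formmail script was actually
    reachable at that path, which is the case that needs immediate attention."""
    return [r for r in formmail_probes(lines) if r['status'] < 400]


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for first, last, path, ips in find_bursts(lines):
        print(f'burst {first:%H:%M:%S}-{last:%H:%M:%S} on {path}: {len(ips)} IPs {ips}')
    print('probing IPs:', probe_ips(lines))
    print('live formmail hits:', [(r['ip'], r['path'], r['status']) for r in live_hits(lines)])
```

    Run it against a real log with `find_bursts(open('access_log').read().splitlines())`; tune `window` and `min_ips` to the noise level of the site. The 404s in the thread's log are harmless on their own; a 200 to one of these POSTs is the line to act on.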