Security Basics mailing list archives
Re: Apache Logs/FormMail2.pl
From: "ScoutMirim" <scoutmirim () sapo pt>
Date: Mon, 29 Sep 2003 17:58:55 +0100
Yes, my server has already been hit by them (spammers).

Formmail is a vulnerable script that can be downloaded from http://www.scriptarchive.com/formmail.html

According to http://ist-socrates.berkeley.edu:7309/web_sec/page26.html, this script was downloaded 2 million times. As it is vulnerable, including the latest version, some spammers made a tool to automatically search for vulnerable web servers.

Maybe we should start making a list of IPs and send spam abuse reports.

The problem with this script is that it accepts to send mails to every e-mail on the net.

Further information: http://www.securiteam.com/securitynews/Formmail_pl_Can_Be_Used_As_An_Open_Mail_Relay.html

ScoutMirim

----- Original Message -----
From: "N407ER" <n407er () myrealbox com>
To: <security-basics () securityfocus com>
Sent: Saturday, September 27, 2003 3:25 PM
Subject: Apache Logs/FormMail2.pl
Hi,

I've been seeing a lot of stuff like the following in my Apache logs, what appears to be a bot trying generic scriptnames to look for vulnerabilities. Some are things like test.php, but most are FormMail.pl, formmail.php, etc. They appear to be spammers, as they are targeting specifically formmailers and not, say, PHP Nuke pages. Plus, I assume that if someone were to try to break into my box, he wouldn't do it so obviously.

What strikes me as odd is that now I am seeing chunks of scans all within a few seconds from multiple independent IPs. They are too closely spaced to be a coincidence, which leaves me thinking that the spammers are actively breaking into people's machines and searching for hosts they can use as remailers from those machines.

Anyone have any experience with this?

Thanks,

64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
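
The pattern described in the original message, formmail script-name probes arriving from several sources within a few seconds, can be picked out of an access log mechanically. The following is an added example and is not part of either post: the log lines are constructed with documentation-range addresses, and the function names, the 5-second gap and the 3-source threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Leading fields shared by Apache common and combined log formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3} ')
# Script names of the kind probed in the thread (FormMail.pl, FormMail2.pl, formmail.php).
PROBE_RE = re.compile(r'/formmail\d*\.(?:pl|php|cgi)$', re.IGNORECASE)

# Constructed sample log (documentation-range IPs), shaped like the posted excerpt.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
192.0.2.10 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.example.com/" "-"
198.51.100.7 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/formmail.php HTTP/1.0" 404 214
203.0.113.5 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 214
192.0.2.99 - - [27/Sep/2003:09:30:40 -0400] "GET /index.html HTTP/1.0" 200 1024
203.0.113.77 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
203.0.113.77 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
""".splitlines()

def parse_probes(lines):
    """Yield (timestamp, ip) for each request whose path looks like a formmail probe."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and PROBE_RE.search(m.group('path').split('?', 1)[0]):
            yield datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'), m.group('ip')

def find_bursts(lines, max_gap=5, min_ips=3):
    """Group probes separated by at most max_gap seconds; keep groups with >= min_ips sources."""
    bursts, group = [], []
    def flush():
        # Count distinct sources so the same hit logged in two files is not over-weighted.
        ips = sorted({ip for _, ip in group})
        if len(ips) >= min_ips:
            bursts.append({'start': group[0][0], 'end': group[-1][0],
                           'ips': ips, 'hits': len(group)})
    for probe in sorted(parse_probes(lines)):
        if group and probe[0] - group[-1][0] > timedelta(seconds=max_gap):
            flush()
            group = []
        group.append(probe)
    if group:
        flush()
    return bursts

if __name__ == '__main__':
    for b in find_bursts(SAMPLE_LOG):
        print(b['start'], b['end'], b['hits'], 'hits from', ', '.join(b['ips']))
```

Repeated probes from a single address, like the last two sample lines, do not form a burst on their own; only the multi-source cluster is reported.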