Security Basics mailing list archives

Re: Apache Logs/FormMail2.pl


From: "ScoutMirim" <scoutmirim () sapo pt>
Date: Mon, 29 Sep 2003 17:58:55 +0100

Yes, my server has already been hit by them (spammers).

Formmail is a vulnerable script that can be downloaded from
http://www.scriptarchive.com/formmail.html

According to http://ist-socrates.berkeley.edu:7309/web_sec/page26.html, this
script was downloaded 2 million times.

As it is vulnerable, including the latest version, some spammers made a tool to
automatically search for vulnerable web servers. Maybe we should start making
a list of IPs and send spam abuse reports.

The problem with this script is that it will send mail to any e-mail address
on the net.

Further information:
http://www.securiteam.com/securitynews/Formmail_pl_Can_Be_Used_As_An_Open_Mail_Relay.html


ScoutMirim



----- Original Message ----- 
From: "N407ER" <n407er () myrealbox com>
To: <security-basics () securityfocus com>
Sent: Saturday, September 27, 2003 3:25 PM
Subject: Apache Logs/FormMail2.pl


Hi,

I've been seeing a lot of stuff like the following in my Apache logs:
what appears to be a bot trying generic script names to look for
vulnerabilities. Some are things like test.php, but most are
FormMail.pl, formmail.php, etc. They appear to be spammers, as they are
specifically targeting formmailers and not, say, PHP Nuke pages. Plus, I
assume that if someone were to try to break into my box, he wouldn't do
it so obviously.

What strikes me as odd is that now I am seeing chunks of scans all
within a few seconds from multiple independent IPs. They are too closely
spaced to be a coincidence, which leaves me thinking that the spammers
are actively breaking into people's machines and searching for hosts
they can use as remailers from those machines. Anyone have any
experience with this?

Thanks,


64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
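An added example, written for this archive page and not by either poster: it parses Apache access-log lines like the ones quoted above, keeps requests for formmail-style script names, and flags time windows in which several distinct source IPs probe within a few seconds, the closely spaced multi-IP pattern the original poster describes. The sample lines are constructed from the quoted excerpt; the script-name pattern, the 10-second window and the two-IP threshold are assumptions to tune for a real log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines quoted above (one entry per line).
SAMPLE_LOG = """\
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/" "-"
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
192.0.2.10 - - [27/Sep/2003:09:40:00 -0400] "GET /index.html HTTP/1.1" 200 1234
"""
# Apache common/combined log format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Script names the original poster reports being probed (assumed pattern).
PROBE_RE = re.compile(r'/(formmail\d*\.(pl|php|cgi)|test\.php)$', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line in this format
    return {"ip": m.group("ip"), "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def formmail_probes(log_text):
    """Entries requesting formmail-style scripts. 404s show the scan itself;
    a 200 here would mean such a script is actually installed and reachable."""
    probes = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and PROBE_RE.search(entry["path"]):
            probes.append(entry)
    return probes

def scan_bursts(entries, window=timedelta(seconds=10), min_ips=2):
    """Group probes into time windows and report windows hit by at least
    min_ips distinct sources: the closely spaced multi-IP pattern described."""
    entries = sorted(entries, key=lambda e: e["ts"])
    bursts, i = [], 0
    while i < len(entries):
        start = entries[i]["ts"]
        group = [e for e in entries[i:] if e["ts"] - start <= window]
        ips = sorted({e["ip"] for e in group})
        if len(ips) >= min_ips:
            bursts.append((start, ips))
        i += len(group)
    return bursts
```

On the sample the first three probes (three different IPs within two seconds) come out as one burst, while the two later hits from 198.182.96.17 do not, since they are a single source 20 seconds apart.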


