Security Basics mailing list archives

Apache Logs/FormMail2.pl


From: N407ER <n407er () myrealbox com>
Date: Sat, 27 Sep 2003 10:25:20 -0400

Hi,

I've been seeing a lot of stuff like the following in my Apache logs, what appears to be a bot trying generic scriptnames to look for vulnerabilities. Some are things like test.php, but most are FormMail.pl, formmail.php, etc. They appear to be spammers, as they are targeting specifically formmailers and not, say, PHP Nuke pages. Plus, I assume that if someone were to try to break into my box, he wouldn't do it so obviously.

What strikes me as odd is that now I am seeing chunks of scans all within a few seconds from multiple independent IPs. They are too closely spaced to be a coincidence, which leaves me thinking that the spammers are actively breaking into people's machines and searching for hosts they can use as remailers from those machines. Anyone have any experience with this?

Thanks,


64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/"; "-"
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/"; "-"
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/"; "-"
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/"; "-"
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/"; "-"
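
The pattern described in the post, several independent clients requesting the same missing formmailer script within seconds of each other, can be pulled out of an access log mechanically. The following is an added example, not part of the original post; the 5-second window, the 3-client threshold and the script-name pattern are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the post's log excerpt (first request appears twice).
SAMPLE = """\
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
64.75.38.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214 "http://www.mydomain.com/"; "-"
24.158.62.19 - - [27/Sep/2003:09:30:21 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
65.213.141.66 - - [27/Sep/2003:09:30:23 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:35 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
198.182.96.17 - - [27/Sep/2003:09:31:55 -0400] "POST /cgi-bin/FormMail2.pl HTTP/1.0" 404 214
"""

# Common/combined log format prefix: client, timestamp, request path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')
# Assumption: probe names modelled on those named in the post (FormMail.pl, formmail.php).
PROBE_RE = re.compile(r'form-?mail\d*\.(pl|php)$', re.IGNORECASE)

def parse(line):
    """Return (ip, timestamp, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?")[0], int(status)

def coordinated_bursts(lines, window=timedelta(seconds=5), min_ips=3):
    """List (path, first, last, ips) where >= min_ips distinct clients
    got a 404 for the same formmailer-style script within `window`."""
    hits = set()  # a set collapses the same request logged in two formats
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404 and PROBE_RE.search(rec[2]):
            hits.add(rec[:3])
    by_path = {}
    for ip, when, path in hits:
        by_path.setdefault(path, []).append((when, ip))
    bursts = []
    for path, events in sorted(by_path.items()):
        events.sort()
        i = 0
        while i < len(events):
            j = i  # extend j while events stay inside the window opened at i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            ips = sorted({ip for _, ip in events[i:j + 1]})
            if len(ips) >= min_ips:
                bursts.append((path, events[i][0], events[j][0], ips))
            i = j + 1 if len(ips) >= min_ips else i + 1
    return bursts
```

On the sample it reports one burst of three clients spanning two seconds; the later repeated requests from a single address do not qualify.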

