FunWebProducts Spyware Bitches

Discussion in 'General Discussion' started by prettydumb, Sep 1, 2007.

  1. prettydumb

    prettydumb Active Member

    Joined:
    Aug 25, 2007
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    I have an MS-DOS executing on one of my domains every 5 minutes which produces about 1000 kb of a file as shown below from one report:

    [31/Aug/2007:22:28:00 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "http//www.xxx.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"

    Note: I altered the URL so it wouldn't be a hyperlink here.

    I have found that "FunWebProducts" is a spyware program.

    "/cgi-bin/arp3/arp3-formcapture.pl" is an old autoresponder program from autoresponse plus I purchased years back. The autoresponder program is pulling from a different domain which I own, but referring to another domain, http//xxx.com/ (as shown above).

    I do not have a problem terminating either the domain name or the autoresponse software.

    My question is, by analyzing the info above, which should I do? Delete the auto program, or delete the xxx domain name altogether?

    What's my name?
     
    #1 prettydumb, Sep 1, 2007
    Last edited: Sep 1, 2007
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Are you saying you have an exploitable Perl program on your system that anyone can use to create spam, and you want to know if you should delete it so it stops spamming thousands of other people around the world???

    :rolleyes: Hmmm.... what to do ?????
     
  3. prettydumb

    It appears to only be sending locally.

    I found this site defining the error to the "t", but removal described for a browser.


    liamdelahunty.com/tips/fun_web_products.php

    scanspyware.net/info/FunWebProducts.htm

    You have been an awesome help to me with every question I've had.

    Thanks
     
  4. prettydumb

    I see you were making fun of me.

    Didn't you read my name?

    How to do?
     
  5. nyjimbo

    You are making fun of yourself. I would really recommend less self-deprecation and instead try to see if you can fix these little things yourself. I mean, you know that the script is bad, you know you should not have it open for others to use, and yet you don't know what to do? This isn't hard: get rid of the script or figure out what you can do to hide it or get an update.
     
  6. prettydumb

    I thought you knew my name.

    I don't want to argue. I want to learn.

    Everyone started somewhere.

    Anyone have instructions or where to find?
     
  7. nyjimbo

    If all you want to do is kill that one Perl program, just go to the account that it is installed in. If you don't remember where and can't dig deeper into the logs, then do a

    find /home -name "arp-formcapture.pl" -print

    which will show the exact location(s) of the file. What you do with it at that point is up to you.

    (PS - get a book on Unix/Linux, especially learn about grep, awk, sed, find, locate, which, cat, head, tail and some little editor like vi; the rest will come naturally over time.)
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,447
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    #8 Infopro, Sep 1, 2007
    Last edited: Sep 1, 2007
  9. nyjimbo

  10. prettydumb

    Just so you understand where I am coming from, I did not jump on here with this question without some investigation.

    From this path /cgi-bin/arp/arp-formcapture.pl,


    I had renamed the folders to /cgi-bin/arp-deadman/arp-formcapture-deadman.pl

    I wait 5 minutes and the DOS command is back.

    I do not understand what you are attempting to show me with the urls http://www.castlecops.com/a6170-This...nwebpages.html
    http://www.google.com/search?hl=en&q=formcapture.pl+

    I have arp manuals and the problem lies on my server, not on my personal computer.

    What am I missing?

    How would this url apply? http://www.castlecops.com/a6170-This_is_about_funwebpages.html

    Can you clarify?

    It appears you did not read my post reply below when I said "It appears to only be sending locally. I found this site defining the error to the "t", but removal described for a browser." liamdelahunty.com/tips/fun_web_products.php

    You especially missed my bragging about how helpful you are. However, I think you're back! :)

    The curious part to me about this is why is the arp file referencing the domain xxx in the error?

    Here it is again:

    [31/Aug/2007:22:28:00 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "http//www.xxx.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"

    Seems to play a role, but am unsure how the DOS command keeps coming back even after renaming unless the files are scattered about the server. If this is the conclusion, I need to know instructions on removing from server, much like described for browser removal.
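
The log line quoted in the post above, broken into its fields: in Apache's combined log format the last two quoted strings are the Referer and User-Agent headers sent by the client, so grouping on them shows who is POSTing to the script and how often. This is an added example, not part of the original thread; it assumes the full access log starts each line with the client address, and the sample lines (addresses, Referer, second User-Agent) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises POSTs to one script in an
# Apache combined-format access log: hits, first/last time, client, Referer, User-Agent.

# Constructed sample log. Client addresses (192.0.2.0/24) and the Referer are
# placeholders; the script path and the first User-Agent are from the post.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [31/Aug/2007:22:18:00 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"
192.0.2.10 - - [31/Aug/2007:22:19:12 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"
192.0.2.10 - - [31/Aug/2007:22:23:00 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"
192.0.2.44 - - [31/Aug/2007:22:25:41 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/2.0"
192.0.2.10 - - [31/Aug/2007:22:28:00 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"
EOF
}

# summarize_posts PATH   (log lines on stdin, oldest first)
# Output, tab-separated, busiest first:
#   hits  first-seen  last-seen  client  referer  user-agent
summarize_posts() {
    awk -F'"' -v path="$1" '
        {
            split($2, req, " ")            # req[1]=method req[2]=URI req[3]=protocol
            if (req[1] != "POST") next
            uri = req[2]
            sub(/\?.*/, "", uri)           # ignore any query string
            if (uri != path) next
            split($1, pre, " ")            # pre[1]=client, pre[4]="[dd/Mon/yyyy:hh:mm:ss"
            ts = substr(pre[4], 2)         # drop the leading "["
            key = pre[1] "\t" $4 "\t" $6   # $4=Referer, $6=User-Agent
            if (!(key in hits)) first[key] = ts
            last[key] = ts
            hits[key]++
        }
        END {
            for (k in hits) printf "%d\t%s\t%s\t%s\n", hits[k], first[k], last[k], k
        }
    ' | sort -rn
}

sample_log | summarize_posts /cgi-bin/arp/arp-formcapture.pl
```

Splitting on double quotes assumes neither the Referer nor the User-Agent contains an escaped quote; on a real server, feed the domain's own access log to `summarize_posts` instead of `sample_log`.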
     
  11. prettydumb

    Who are you talking to?

    Good lord! Is this a show for you?
     
  12. nyjimbo

    I am trying to help you but it's not working. I think your first post on this thread is what is confusing and it's probably best if someone else tries to decipher it.
     
  13. prettydumb

    "he's" trying to belittle a young person who "he" feels is not as smart as "us".

    What do y'all think?

    I guess "he" only feels as smart as the number of posts "he" has.

    What does everyone else think?

    If he could learn to read with jumping to conclusions and belittling people, we would sooner see who is less dumber.


    --------------

    Do me a favor and stay away from my questions unless you are really here to help.

    I'm not here to be a part of your show!
     
  14. nyjimbo

    Go back and read my replies; I was giving you actual help you could use. You got upset when I replied to another person about confusion over what you had, the Windows binary or the Perl program. If you want people to help you, stop acting dumb.

    In this same thread you say "you have been an awesome help to me with every question I've had.", so I don't know why you changed your mind.

    I will make a mental note to not reply to your posts from now on, so you can stop worrying.
     
  15. prettydumb

    Here's how you help?

    Thanks
     
  16. prettydumb

    And another....


    How about reading the question first before replying?

    I'm done.

    Please delete this stupid thread
     
  17. prettydumb

  18. nyjimbo

    Hey InfoPro, he's insulting you too. Since I didn't make that post. :rolleyes:
     
  19. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Well... I have a tendency to compete with the rest of us dumb asses when I haven't had enough to drink, and my dad taught me that the only dumb question is one you are too dumb to ask... or maybe he said no brain, no pain... anyway, here is a question.

    WTF is a MS-DOS program/command running on your cPanel server?????????!!!!!!!!!!!! :eek::confused:
     
  20. prettydumb


    EXACTLY!

    You guys are obviously the pros
     
