How I took care of formmail searchers! Laugh!

Discussion in 'E-mail Discussions' started by sexy_guy, Apr 24, 2003.

  1. sexy_guy

    First of all, I disabled all formmail in /cgi-sys/ and told all my resellers to inform their clients that formmail is no longer an option. I found tons of IPs still bombing my site looking for the elusive formmail script, so this is what I did.

    pico /etc/httpd/conf/httpd.conf

    Add the following entries in your httpd.conf

    #Log Formmail abusers.
    alias /cgi-sys/formmail.pl /usr/local/apache/htdocs/getlost.html
    alias /cgi-sys/Formmail.pl /usr/local/apache/htdocs/getlost.html
    alias /cgi-sys/FormMail.pl /usr/local/apache/htdocs/getlost.html
    alias /cgi-sys/formmail.cgi /usr/local/apache/htdocs/getlost.html
    alias /cgi-sys/Formmail.cgi /usr/local/apache/htdocs/getlost.html
    alias /cgi-sys/FormMail.cgi /usr/local/apache/htdocs/getlost.html

    Add the same entries for /cgi-bin/ as above.

    In my cgi-bin, I have a real formmail.php script running that will record the IP and send an automatic report to the ISP. So if they continue searching my system in cgi-bin they will be banned for sure and reported. Here is what those reports look like.

    Date / Time = 04/24/03 10:35:26 PST/PDT (GMT -0700)

    Abuse address listed at SpamCop.net: abuse@embratel.net.br

    Host = 200.230.113.4

    IP Number = 200.230.113.4

    Referrer =
    http://GAMERCHICKZ.com

    Request URL = www.gamerchickz.com/cgi-sys/formmail.pl

    ********************

    But anyway continuing....

    restart apache

    Then in /usr/local/apache/htdocs create a file called getlost.html

    Include the following in getlost.html.

    <html>
    <head>
    <title>Formmail idiots warning!</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
    <div align="center">Thank You for reporting yourself!</div>
    <div align="center"> <br>
    </div>
    <center>
    <h2>Go away Stupid, this is not a formmail script!!</h2>
    </center>
    <div align="center">
    <p><strong>But thanks anyway for reporting your self!<br>
    <br>
    <font color="#FF0000">Ip recorded!</font></strong></p>
    <p><strong>The next time you try that, we will report you to your isp and block
    your ip completely!!</strong></p>
    </div>
    </body>
    </html>

    Save, you're done.

    Anyone who tried to load /cgi-sys/formmail from any of your user sites will get my lovely msg.

    OPTIONS: You could also modify the above to redirect them to any site you want. :D I have a few sites in mind. A nice f-u site would be nice. Use your imagination. You could use a RedirectMatch directive to redirect them to any site you want.

    :cool:
     
    #1 sexy_guy, Apr 24, 2003
    Last edited: Apr 24, 2003
  2. TioChaharbaghi

    Hey, I clicked on your formmail link and it says I was reported, uh-oh.. I'm an idiot lol

     
  3. sexy_guy

  4. bmcpanel

    I love it. Good Job.
     
  5. techark

    While I understand what you are trying to do it is not a good idea IMO.

    What you are getting hit with now is a script or robot doing probes, and by adding a page for it to go to, it is going to return a success HTTP 200 to the owner of that script. That is going to put your server on the list for when he decides to unleash the real thing and start a major spam campaign.

    If left as a 404 error he is likely to take your server off the list and go away and leave you alone since it is a non-success. If it was a human doing the probe each time then what you did may have some effect, but I think you are opening yourself up to a lot more of this later on.

    Something to consider.
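
Added example, not part of any post in this thread: a way to check in the access log which status code FormMail probes are actually receiving, per client. It assumes Apache common/combined log format; the log lines are constructed and the function names are made up for this example.

```shell
#!/bin/sh
# Tally FormMail probes in an Apache access log by client and status.
# Assumes common/combined log format: field 1 is the client IP,
# field 7 the request path and field 9 the status code.

# formmail_probes [LOGFILE...]  -> lines of "IP STATUS COUNT", sorted
formmail_probes() {
    awk '
    {
        path = tolower($7)
        sub(/\?.*/, "", path)            # ignore any query string
        if (path ~ /^\/cgi-(sys|bin)\/formmail(-clone)?\.(pl|cgi|php)$/)
            seen[$1 " " $9]++
    }
    END { for (k in seen) print k, seen[k] }' "$@" | LC_ALL=C sort
}

# probes_answered_200: clients whose probe was answered with a success
# status, the case the post above warns about.
probes_answered_200() {
    formmail_probes "$@" | awk '$2 == 200 { print $1 }' | LC_ALL=C sort -u
}

# Constructed sample lines (documentation-range addresses, made-up sizes).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [24/Apr/2003:10:35:26 -0700] "GET /cgi-sys/formmail.pl HTTP/1.0" 200 612
192.0.2.10 - - [24/Apr/2003:10:35:27 -0700] "GET /cgi-sys/FormMail.cgi HTTP/1.0" 200 612
198.51.100.7 - - [24/Apr/2003:10:40:02 -0700] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 287
198.51.100.7 - - [24/Apr/2003:10:40:03 -0700] "POST /cgi-bin/formmail.cgi?x=1 HTTP/1.0" 404 287
203.0.113.5 - - [24/Apr/2003:10:41:00 -0700] "GET /index.html HTTP/1.0" 200 1043
EOF
}

sample_log | formmail_probes
```

Pass one or more log files as arguments instead of piping the sample to run it against a real access log.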
     
  6. Uneeeq

    We have solved our formmail issue on our win servers by simply renaming formmail.cgi to someothername.cgi and doing a mass find and replace in users' web pages.

    This takes care of any automated searches from the kiddies and still gives our customers the opportunity to use the formmail script.

    99.99% of formmail searches are automated and changing the name of the script gets rid of these buggers.

    I am a complete newbie to Nix and cPanel - can someone give me a nudge in the right direction?

    I can (barely) SSH as root
    I am blonde but willing to learn

    Can anyone help?

    1)
    Is there a way to search with SSH to scan all files in /home
    for the string "cgi-sys/FormMail.cgi" -- or better yet REPLACE "cgi-sys/FormMail.cgi" with "cgi-sys/SmartMail.cgi"? This would take care of the mass find and replace in users' web pages so our users would not have to do any work.

    2) Where in the cPanel template - which file? - is the message served telling the user to link to http://theirdomain.com/cgi-sys/FormMail.Cgi ? We would edit that page to tell them to link to http://theirdomain.com/cgi-sys/SmartMail.cgi

    then we simply rename the script and are safer!

    thanks

    Genie
     
  7. dgbaker

    For question number 1 we use a Perl script called swap that does a global search and replace. Works very well.

    It can be found at http://www.cgiware.com
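
Added example, not part of the thread and not the swap script mentioned above: question 1 done with find, grep and sed. The function name, the `.pre-rename` backup suffix and the demo tree are assumptions made for this example; on a real server ROOT would be /home.

```shell
#!/bin/sh
# Rewrite references to the old script path in users' pages.

# retarget_forms ROOT OLD NEW
# Prints each file it changed; keeps the original beside it as FILE.pre-rename.
retarget_forms() {
    root=$1; old=$2; new=$3
    # OLD is a literal string: escape BRE metacharacters and the | delimiter.
    old_re=$(printf '%s' "$old" | sed 's/[][\.*^$|]/\\&/g')
    # In the replacement only \, & and the delimiter are special.
    new_re=$(printf '%s' "$new" | sed 's/[\&|]/\\&/g')
    # -type f skips symlinks; grep -F pre-filters so files without the
    # string are never rewritten or backed up.
    find "$root" -type f \( -name '*.htm' -o -name '*.html' \
            -o -name '*.shtml' -o -name '*.php' \) \
        -exec grep -lF -e "$old" {} + |
    while IFS= read -r f; do
        # Back up with cp -p, then write over the original in place so the
        # user's ownership and mode on the live file are kept.
        cp -p "$f" "$f.pre-rename" &&
            sed "s|$old_re|$new_re|g" "$f.pre-rename" > "$f" &&
            printf '%s\n' "$f"
    done
}

# Constructed demo tree standing in for /home (user names are made up).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html"
    printf '<form action="/cgi-sys/FormMail.cgi" method="post">\n' \
        > "$d/alice/public_html/contact.html"
    printf '<p>no form here</p>\n' > "$d/bob/public_html/index.html"
    retarget_forms "$d" 'cgi-sys/FormMail.cgi' 'cgi-sys/SmartMail.cgi' >/dev/null
    cat "$d/alice/public_html/contact.html"
    rm -rf "$d"
}
demo
```

The match is case-sensitive, so each spelling users may have linked to needs its own run, and file names containing newlines are not handled.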
     
  8. Uneeeq

    Thank you David, I will give it a try, looks like the perfect solution

    I already found an answer to my question 2
    /usr/local/cpanel/base/frontend

    cheers
    Genie
     
  9. techark

    Genie

    To do the change of formmail.cgi to smartmail.cgi:

    cd /usr/local/cpanel/cgi-sys
    touch smartmail.cgi
    cp formmail.cgi smartmail.cgi
    chmod 755 smartmail.cgi
    chgrp wheel smartmail.cgi

    Disable all versions of formmail.cgi:

    chmod 0 FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl
    chattr +i FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl

    As far as changing the cPanel themes, that is going to be hard because any changes you do will be overwritten, and if you chattr them to protect from changes then your themes will not get updated when cPanel fixes bugs, adds features, etc.
    BUT the good news is that the script is never really installed on the site, so all you have to do is add to the cPanel news that formmail.cgi is now called smartmail.cgi and to use it simply call smartmail.cgi in their forms instead of formmail.cgi, so there is no real need to change the themes.
     
  10. bmcpanel

    alias /cgi-sys/formmail.pl /usr/local/apache/htdocs/getlost.html


    Your example of Alias did not work for me on any of my servers. Yes, I reloaded Apache each time I edited httpd.conf. I did get the Redirect directive to work, but not the Alias directive. I seem to have the mod_alias module, but it will not work.

    Strange?
     
