Spam attack alert <important!>

kosmo (Well-Known Member, Verified Vendor; Aug 12, 2001; All over Europe)
Hi all,

This belongs to "Backend/Scripts" but it is too serious to hide it there.

While studying the logs of the main account of my dedicated server, I noticed some kind of automaton scanning for /cgi-bin/formmail.pl (I am referring to the old Analog reporting):


66: : Jan/13/02 10:19 AM: /cgi-bin/formmail.pl?email=&[email protected]&subject=P80+<my_ip_here>+35

54: : Nov/ 2/01 9:03 AM: /cgi-bin/[email protected]&[email protected]&subject=<domain_name_here>/cgi-bin/formmail.pl&msg=Hiya

35: : Jan/ 7/02 2:42 AM: /cgi-bin/[email protected]&subject=<another_domain_name_here>/cgi-bin/formmail.pl&[email protected]&msg=testing

30: : Oct/11/01 11:33 AM: /cgi-bin/[email protected]&[email protected]&subject=<some_other_domain_name_here>/cgi-bin/formmail.pl&msg=scanning

28: : Oct/31/01 6:59 PM: /cgi-bin/[email protected]&[email protected]&subject=<yet_another_domain_name_here>/cgi-bin/formmail.pl&msg=scanning

and so on, and so on (hundreds of them).

Some of them directly try to send:
13: : Jan/ 1/02 1:47 AM: /cgi-bin/[email protected]&[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]&subject=Download The Napster Of Porn!&message=You+Have+Won+a+Free+Membership+To+Any+Of+The+Following+Sites:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Girl+Ranch++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Beaver+Palace++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Jungle+Girls+++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Teen+Factory
13: : Jan/ 1/02 12:26 AM: /cgi-bin/[email protected]&[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]&subject=FREE XXX PORN!&message=You+Have+Won+a+Free+Membership+To+Any+Of+The+Following+Sites:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Girl+Ranch++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Beaver+Palace++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Jungle+Girls+++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Teen+Factory
13: : Jan/ 1/02 12:29 AM: /cgi-bin/[email protected]&[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]&subject=View My Webcam!&message=Want+instant+access+to+thousands+of+high+quality+adult+movies?++We've+got+celebrities,+lesbians,+hardcore,+fetish,+gay,+or+whatever+you+want.++You+don't+even+need+a+credit+card,+just+a+connection+to+the+internet.+http://209.202.218.10/dc/dialer+-+Click+here+to+download+the+napster+of+hardcore+entertainment!


I have then tried one of the last lines with /cgi-sys/FormMail-clone.cgi AND IT WORKS! The spam is being sent through my own server! So, it is a matter of weeks, maybe months, and the spammers WILL know that they just have to replace /cgi-bin/formmail.pl with /cgi-sys/FormMail-clone.cgi and they will be able to spam through any cPanel machine.

As far as I know, there is a more secure version of formmail, checking if the requesting document is stored on the server before proceeding with sending the email. Does anybody know for sure? Has anybody else noticed this kind of spam attack?

kosmo
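As an added example (not code from the thread or from cPanel), the script below applies the two patterns kosmo describes to an Analog-style request report: scanner probes that mail the target's own hostname (or a "P80 <ip> <n>" tag) back to the spammer in the subject line, and relay attempts that stuff a comma-separated list into `recipient`. The log lines are constructed in the same layout as the ones posted above, with placeholder addresses and `mysite.example` standing in for the server's own domain; `FormMail-clone.cgi` is treated as equivalent to `formmail.pl` because it accepts the same parameters.

```python
"""Triage FormMail abuse in an Analog-style "requests" report.

Added example, not code from the thread: it applies the pattern kosmo describes
(scanner probes that mail the target's own hostname back in 'subject', and bulk
relay attempts with comma-separated 'recipient' lists) to log lines.  The lines
below are constructed in the thread's layout with placeholder addresses.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample report (same "<hits>: : <date> <time>: <request>" layout).
SAMPLE_LOG = """\
66: : Jan/13/02 10:19 AM: /cgi-bin/formmail.pl?email=&recipient=harvest@spammer.example&subject=P80+203.0.113.7+35
54: : Nov/ 2/01 9:03 AM: /cgi-bin/formmail.pl?recipient=harvest@spammer.example&email=x@y.example&subject=mysite.example/cgi-bin/formmail.pl&msg=Hiya
13: : Jan/ 1/02 1:47 AM: /cgi-bin/formmail.pl?email=from@spammer.example&recipient=a@isp1.example,b@isp2.example,c@isp3.example&subject=FREE XXX PORN!&message=You+Have+Won
9: : Jan/ 2/02 3:10 PM: /cgi-sys/FormMail-clone.cgi?recipient=a@isp1.example,b@isp2.example&subject=View My Webcam!&message=Want+instant+access
120: : Jan/ 5/02 8:00 AM: /cgi-bin/formmail.pl?recipient=webmaster@mysite.example&subject=Contact&message=Hello+from+the+site
3: : Jan/ 5/02 8:05 AM: /index.html
"""

# "<hits>: : <Mon/dd/yy h:mm AM|PM>: <request>"; the day may be space-padded.
LINE_RE = re.compile(r"^\s*(\d+):\s*:\s*(.+?[AP]M):\s*(.*\S)\s*$")
# formmail.pl, FormMail.cgi and cPanel's FormMail-clone.cgi take the same parameters.
FORMMAIL_RE = re.compile(r"/formmail(-clone)?\.(pl|cgi)$", re.IGNORECASE)


def parse_line(line):
    """Return (hits, timestamp, path, params) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hits, stamp, request = int(m.group(1)), m.group(2), m.group(3)
    parts = urlsplit(request)
    params = parse_qs(parts.query, keep_blank_values=True)
    return hits, stamp, parts.path, params


def recipients(params):
    """FormMail accepts one or more comma-separated addresses in 'recipient'."""
    out = []
    for value in params.get("recipient", []):
        out.extend(a.strip() for a in value.split(",") if a.strip())
    return out


def classify(path, params, local_domains):
    """Label a request: 'probe', 'relay', 'local', or None when it is not FormMail."""
    if not FORMMAIL_RE.search(path):
        return None
    rcpts = recipients(params)
    external = [r for r in rcpts if r.rsplit("@", 1)[-1].lower() not in local_domains]
    subject = " ".join(params.get("subject", [])).lower()
    if not external:
        return "local"          # mail stays on our own domains: normal form use
    if len(external) > 1:
        return "relay"          # bulk list of outside addresses: spam run
    # Scanner signature from the thread: the probe mails our hostname (or a
    # "P80 <ip> <n>" tag) to a single collection address in the subject.
    if "formmail" in subject or subject.startswith("p80 "):
        return "probe"
    return "relay"              # one outside recipient is still relaying


def triage(log_text, local_domains):
    """Return [(hits, timestamp, label, recipients)] for FormMail requests only."""
    local = {d.lower() for d in local_domains}
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        hits, stamp, path, params = parsed
        label = classify(path, params, local)
        if label is not None:
            findings.append((hits, stamp, label, recipients(params)))
    return findings


def summarize(findings):
    """Count report lines and total hits per label."""
    summary = {}
    for hits, _stamp, label, _rcpts in findings:
        lines, total = summary.get(label, (0, 0))
        summary[label] = (lines + 1, total + hits)
    return summary


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, ["mysite.example"])
    for hits, stamp, label, rcpts in found:
        print(f"{label:5} {hits:4} {stamp}  -> {len(rcpts)} recipient(s)")
    print(summarize(found))
```

Run against a real report, replace `SAMPLE_LOG` with the file contents and `local_domains` with every domain hosted on the box; anything labelled `probe` tells you the host is already on a spammer's list of candidates, and `relay` lines are confirmed abuse worth matching against the mail log.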
 

rpmws (Well-Known Member; Aug 14, 2001; back woods of NC, USA)
This one is old news...some punk kid has released a win32 client that scans IPs and domains for certain versions of FormMail.pl and others and looks for the hole. I caught 3 of these bastards. I tailed my mainlog and kept seeing 20-30 emails spit out every 2 seconds. I tracked down the IP and pinged it and found it was a 56K dialup account on Earthlink. I then blocked his class and threw an 80mbit ping at his IP which caused him to log off and back on. I flooded his dial up box so bad for 15 minutes that no one there could get through. But that was the stupid part. I just wanted to frustrate him. He kept trying so I called Earthlink ..got a tech, and he watched the little bastard for 10 minutes with me. Then he shut him down. Turns out the emails linked him to some demented porn domain that had been shut off as well.

All this stopped as soon as I upgraded my Matt's box-wide script as well as telling all my clients to update theirs or I would fine them for spam :) But you are right, the problem is in the clone as well.
 

Brad (Well-Known Member; Aug 16, 2001)
So then what's the best way to address this right now?
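An added example, not code from the thread or from Matt Wright's FormMail, showing the hole kosmo demonstrated beside the two server-side checks that close it: a Referer host check of the kind kosmo refers to, and an exact allowlist of recipient addresses (the `@referers` / `@recipients` arrays in FormMail 1.9-style configurations are the equivalent). The hosts, addresses and the `LOCAL_DOMAIN` constant are placeholder configuration. It also shows why a weaker "ends with our domain" check is not a fix.

```python
"""Open-relay FormMail behaviour beside an allowlisted version.

Added example, not code from the thread or from Matt Wright's FormMail: it
contrasts the hole kosmo demonstrated (whatever the client puts in 'recipient'
gets mailed) with two server-side checks, a Referer host check and an exact
recipient allowlist.  Hosts and addresses are placeholder configuration.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed server-side policy; in a FormMail 1.9-style setup these are the
# @referers and @recipients arrays edited at the top of the script.
ALLOWED_REFERER_HOSTS = {"mysite.example", "www.mysite.example"}
ALLOWED_RECIPIENTS = {"webmaster@mysite.example", "sales@mysite.example"}
LOCAL_DOMAIN = "mysite.example"


def requested_recipients(query):
    """Addresses exactly as an old FormMail reads them: the client's own
    comma-separated 'recipient' field with no policy applied.  This is the
    open relay: '?recipient=a@x,b@y,...' goes straight out through our MTA."""
    params = parse_qs(query, keep_blank_values=True)
    return [a.strip() for v in params.get("recipient", []) for a in v.split(",") if a.strip()]


def suffix_allowed(addr, domain=LOCAL_DOMAIN):
    """A tempting but weak fix: accept anything 'ending in our domain'.
    'joe@evil-mysite.example' passes, so an attacker only needs a lookalike host."""
    return addr.lower().endswith(domain)


def hardened_recipients(query, referer, hosts=ALLOWED_REFERER_HOSTS, allowed=ALLOWED_RECIPIENTS):
    """Return (True, recipients) or (False, reason).

    The Referer check alone is not enough (the header is client-controlled), so
    every recipient must also match the allowlist exactly, case-insensitively.
    Rejecting the whole request on one bad address avoids partial relaying."""
    host = urlsplit(referer or "").hostname
    if host is None or host not in {h.lower() for h in hosts}:
        return False, "bad referer"
    requested = requested_recipients(query)
    if not requested:
        return False, "no recipient"
    allowed_lower = {a.lower() for a in allowed}
    accepted = []
    for addr in requested:
        if addr.lower() not in allowed_lower:
            return False, f"recipient not allowed: {addr}"
        accepted.append(addr.lower())
    return True, accepted


if __name__ == "__main__":
    contact = "recipient=Webmaster@mysite.example&subject=Contact&message=Hello"
    spam = "recipient=a@isp1.example,b@isp2.example,c@isp3.example&subject=FREE+XXX&message=You+Have+Won"
    lookalike = "recipient=joe@evil-mysite.example&subject=x&message=y"
    good_ref = "http://www.mysite.example/contact.html"
    print("vulnerable, spam        ->", requested_recipients(spam))
    print("hardened, contact       ->", hardened_recipients(contact, good_ref))
    print("hardened, spam          ->", hardened_recipients(spam, good_ref))
    print("hardened, no referer    ->", hardened_recipients(contact, ""))
    print("suffix check, lookalike ->", suffix_allowed("joe@evil-mysite.example"))
    print("hardened, lookalike     ->", hardened_recipients(lookalike, good_ref))
```

The allowlist is the check that actually stops the relaying: a spammer can set any Referer they like, but they cannot make `a@isp1.example` equal to one of the addresses configured on the server. The same exact-match rule is what the `recipient` field in the `FormMail-clone.cgi` requests above would have failed.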