
Urgent Formmail Attack

Discussion in 'E-mail Discussions' started by claudio, Feb 16, 2005.

  1. claudio

    Hi Guys

    I have a customer whose domain is constantly attacked by some IPs trying to access a formmail.cgi script, and we have none on our server...

    But it's inconvenient, because it's increasing incoming traffic, and it can overload Apache and even stop it....

    I already have APF and APF antidos on this server.

    Is there any trick to make Apache auto-ban every formmail attempt?

    Thanks

    Claudio
     
  2. claudio

    Replies, please

    Nobody has a clue?

    thanks

    Claudio
     
  3. AndyReed

    Is there any formmail.cgi script on your server?
    If yes, delete it. You also need to secure your server by installing APF, BFD, and mod_security.
     
  4. Secmas

    Hello Claudio,
    Why don't you try redirecting the formmail.cgi call to another directory? This way you can redirect every attempt to an HTML page.

    - Sergio.
     
  5. claudio

    Hi Andy and Sergio

    Sorry, but I just saw your posts today.

    First of all, YES Andy, I already use apf, ad, bfd, lsm, and more...

    I have no formmail.cgi scripts on my server.

    What I need is to auto-ban or stop all CGI attempts, because some "evil" guys are trying to get this formmail.cgi on a customer's domain, and even with no formmail it wastes some traffic and also httpd processing...

    Sergio

    How can I redirect all CGI attempts to a directory and use this custom HTML error page?

    Thanks a lot

    Claudio
     
  6. myrem

    How about just using mod_security with Apache and creating a rule to toss requests for the formmail scripts?
     
  7. carock

    You could also try tweaking the BFD rules file for Apache to recognize those attempts and block the IPs from your entire box for you.

    If you can't tell how, you might try posting that request to the rfxnetworks guys.

    The rules files for BFD are simple scripts you can run from a command line if you substitute the values for the variables.

    A line might look like this in the rules...

    ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w error | grep -w user | grep -iwf $PATTERN_FILE | awk '{print$8":"$10}' | tr -d ']'`

    ARG_VAL is what's returned to BFD from the command.

    $TLOGP is a program in the BFD dir.
    $LP is the Apache error log, /usr/local/apache/logs/error_log.
    $TLOG_TF is the domain logs. The BFD rules file is set up for Ensim, but may work for cPanel, or someone who can understand the shell code in the rules file can easily modify it to work with cPanel domain logs.

    You can cat what's in the pattern file in the main BFD directory. The grep command just checks for each line in the pattern file. You can just put the path to the pattern file in place of $PATTERN_FILE.

    So to test the match, I just ran this from the rules file to see what came out.

    grep -w error /usr/local/apache/logs/error_log | grep -w user | grep -iwf ../pattern.auth | awk '{print$8":"$10}' | tr -d ']'

    If you don't get any output, you can pick apart the |'s: start with grep -w error /usr/local/apache/logs/error_log and see what comes out. Then keep adding parts of the command until you figure out what needs to be tweaked.

    I haven't worked on this much; I just have the pop, imap, exim and ssh rules working. I don't know enough shell scripting to figure it out on my own.

    Chuck
     
  8. claudio

    You got the point

    Hi

    First, just to complete the picture: I have mod_security installed in my httpd.conf.

    Chuck, you got the point.

    This is what I am looking for...

    Your idea of using BFD together with it to auto-ban these folks is great.

    Every day my /var/log/httpd/audit_log is full of formmail attempts, even without
    any formmail on my server.

    All attempts are directed at a single domain, and its owner said it's a German network that is trying to spam through his domain.

    Well, I will take a look, because I am not a Perl scripting expert, and if I have many doubts I will call the rfxnetworks guys to help me....

    Best regards and thank you

    Claudio
     
  9. claudio

    Still Remains

    Hi, my server is well configured (very well) according to my data center engineers,

    but I have been receiving a constant 200 kbit/s non-stop for two days,

    and my mod_security audit_logs are full of IPs trying to access a customer domain's formmail script, and all of them are denied.

    I just want to tweak BFD or mod_security (most probably BFD) to apf -d their IPs...

    I know it can't be enough or make much difference, but it really sucks...

    Any "good soul" who knows how to do it, please reply back.

    Thanks a lot

    Claudio
     
  10. claudio

    You know, it's really amazing, but 3 years and 1 month have passed since I posted this. At that time I was not used to *nix boxes, and today, using the same tips from this thread, I figured out a solution for these issues.

    Thanks Chuck!

    Claudio
     
  11. n3tph4t

    Why not post the results of your efforts to save others three years? I'd be interested to see how you worked around it.
     
  12. claudio

    OK, sorry for the delay; I have now subscribed to this thread...

    The workaround was:

    First you set up a cron job (crontab -e) to call a shell command:

    Code:
    grep -w Request /etc/httpd/logs/audit_log | awk '{print$2}' > list
    This way you "grep" the word Request in the mod_security log (Apache 1).

    Then you use awk (it is a magic program) to print the second word, which is the IP (you need to adapt this to the keyword; also use $3 or $1 to find the IP, depending on the issue you are working on).

    After you get this list, IP by IP, each one on a single line, it was not a big deal to use a Perl script (remember to chmod 755 or 777 the script before calling it, for instance /etc/script/./script.pl).

    Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    
    # Read the IP list written by the grep/awk cron command above, one IP per line
    open (my $in, "<", "/etc/httpd/logs/list") or die "apf_deny: $!";
    my @data = <$in>;
    close ($in);
    chomp @data;    # the original chomped @IN (an empty array) and left newlines on every IP
    
    my $tit = "alert";
    my %seen;
    my @banned;
    
    foreach my $line (@data) {
        # Only hand a well-formed dotted-quad IP to apf, never raw log text
        next unless $line =~ /^(\d{1,3}(?:\.\d{1,3}){3})$/;
        my $ip = $1;
        next if $seen{$ip}++;    # apf rejects a duplicate rule anyway
        print "$ip\n";
        system ("/etc/apf/apf", "-d", $ip) == 0 or warn "apf -d $ip failed: $?";
        push @banned, $ip;
    }
    
    # Mail the list of IPs just banned (the original mailed an unset $_ after the loop)
    if (@banned) {
        open (my $mail, "|-", "mail", "-s", $tit, 'root@root.com') or die "mail: $!";
        print $mail join("\n", @banned), "\n";
        close ($mail);
    }
    To prevent POP3 floods on old cppop boxes:

    Schedule a cron job to execute this command (place it in a txt file):

    Code:
    # Write the list first, then run the script; the original "> /var/log/list | antiflo.pl"
    # redirected stdout to the file and so piped nothing into the script
    tail -100 /var/log/maillog | grep -w host | awk '{print$8}' | tr -d 'iphost=' > /var/log/list && /var/log/antiflo.pl
    Then again, using Perl you can create a script to count flood lines and use a threshold, let's say 50; then it adds the IP with apf -d and restarts cppop, as is usually needed when it is flooding. Sometimes it tries to add the same IP twice; I had made other scripts for Windows firewalls, and there I made 2 arrays that I compare so each IP is added just once,

    but apf doesn't accept the same rule twice, unlike the Windows IPsec policy, so this way it works.

    Code:
    #!/usr/bin/perl
    # You may need to change this path to /usr/local/bin/perl
    use strict;
    use warnings;
    
    my $tit   = "CPPOPAlert";
    my $limit = 50;      # consecutive lines from one IP that count as a flood
    my $mark  = 0;
    my %banned;          # IPs already passed to apf, so each is added only once
    
    open (my $in, "<", "/var/log/list") or die "cannot open input file: $!";
    
    my $count = 0;
    my $ip    = "";
    
    while (my $line = <$in>) {
        chomp $line;
        # Skip anything that is not a dotted-quad IP, so no log text reaches the shell
        next unless $line =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    
        # Count the run of consecutive lines from the same IP.
        # "eq" is required here: "==" numifies "1.2.3.4" to 1.2, so the
        # original compared only the first two octets of each address.
        if ($line eq $ip) {
            $count++;
        } else {
            $count = 0;
        }
    
        if ($count > $limit && !$banned{$ip}++) {
            system ("/etc/apf/apf", "-d", $ip);
            $mark = 1;
        }
    
        $ip = $line;
    }
    close ($in);
    
    # Restart cppop once if anything was banned, and mail root the banned IPs
    if ($mark) {
        system ("/scripts/restartsrv_cppop");
        open (my $mail, "|-", "mail", "-s", $tit, "root") or die "mail: $!";
        print $mail join("\n", sort keys %banned), "\n";
        close ($mail);
    }
     
    #12 claudio, May 18, 2008
    Last edited: May 18, 2008
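Added example, not code from any post in this thread: the grep | awk | apf -d workaround above, and Chuck's advice earlier in the thread to test a log-matching pipeline one stage at a time, combined into one POSIX shell script that counts formmail probes per IP, bans only addresses that pass a threshold, and remembers what it has already banned. It assumes the mod_security 1.x audit_log layout in which each entry begins with Request: <ip> - - [date] "<request line>", an apf binary at /etc/apf/apf accepting -d HOST COMMENT, and a deny-list file of its own; the sample log lines, their addresses and the thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardened version of
#   grep -w Request audit_log | awk '{print $2}' | ... apf -d
# Paths, the deny-list file and the sample log lines are assumptions.

# apf binary (assumed location); set APF_CMD to a stub to exercise this offline.
APF_CMD="${APF_CMD:-/etc/apf/apf}"

# Write a constructed mod_security 1.x style audit_log (format assumed:
# "Request: <ip> - - [date] \"<request line>\" <status> <bytes>") to $1.
# The last line shows why the IP must be validated before it reaches a shell.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
Request: 203.0.113.5 - - [16/Feb/2005:10:00:01 +0000] "POST /cgi-bin/formmail.cgi HTTP/1.1" 403 0
Request: 203.0.113.5 - - [16/Feb/2005:10:00:02 +0000] "POST /cgi-bin/formmail.cgi HTTP/1.1" 403 0
Request: 203.0.113.5 - - [16/Feb/2005:10:00:03 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.1" 403 0
Request: 198.51.100.7 - - [16/Feb/2005:10:00:04 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.1" 403 0
Request: 198.51.100.9 - - [16/Feb/2005:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512
Request: bad;rm -rf / - - [16/Feb/2005:10:00:06 +0000] "POST /cgi-bin/formmail.cgi HTTP/1.1" 403 0
EOF
}

# offenders LOGFILE THRESHOLD
# Print, sorted, each IP that requested a formmail script at least THRESHOLD
# times. Each stage can be run on its own to check the match, as Chuck did.
# Only dotted quads pass the awk filter, so no other log text is ever printed.
offenders() {
    grep -w Request "$1" | grep -i formmail |
    awk -v limit="$2" '
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$2]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print ip }
    ' | sort
}

# ban_offenders LOGFILE THRESHOLD DENYLIST
# Run apf -d once per new offender. IPs already in DENYLIST are skipped, so a
# cron job can rerun this every few minutes without re-adding rules.
ban_offenders() {
    touch "$3"
    offenders "$1" "$2" | while read -r ip; do
        grep -qxF "$ip" "$3" && continue
        "$APF_CMD" -d "$ip" "formmail probe" && printf '%s\n' "$ip" >> "$3"
    done
}
```

From cron, a call such as ban_offenders /var/log/httpd/audit_log 5 /etc/apf/formmail.banned (both paths assumed) replaces the grep/awk one-liner and the Perl loop with one pass; the threshold keeps a single stray hit from banning a legitimate visitor, and the deny-list file stops the job from feeding apf the same address on every run.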
  13. Bailey

    You could also just install the ConfigServer Firewall.

    It is automatically configured to deny the IPs of any user who hits mod_sec more than 5x in a certain number of seconds.

    And it is much easier to install/configure.

    Bailey
     
