  1. #1
    ABW Veteran Mr. Sal's Avatar
    Join Date
    January 18th, 2005
    Posts
    6,795
    Beware, your sites could be next on their list.

    I have a script on my site that will send me an email when someone is screwing around some directories, and I just received these 50 emails from different IPs, and they all were looking for any combination of email script names. Can anybody here guess why they're doing that? Maybe they want to send me some email and they can't use my contact page.


    occurred on sat jul 10 01:00:14 2004

    when the url /cgi-bin/contactus.pl was requested - by a user at ip address 209.188.66.29
    when the url /email.cgi was requested - by a user at ip address 213.193.131.122
    when the url /cgi-bin/tellafriend.pl was requested - by a user at ip address 62.72.116.93
    when the url /cgi-bin/referral.cgi was requested - by a user at ip address 165.139.173.129
    when the url /cgi-bin/mailto.pl was requested - by a user at ip address 200.23.167.2
    when the url /cgi-bin/tell/tell.cgi was requested - by a user at ip address 164.109.154.28
    when the url /dp_tellafriend/scripts/tellafriend.cgi was requested - by a user at ip address 213.161.229.84
    when the url /cgi-bin/cgiemail/mailtemp.txt was requested - by a user at ip address 150.176.202.4
    when the url /cgi-bin/af.cgi was requested - by a user at ip address 207.14.106.1
    when the url /cgi-bin/mailto.cgi was requested - by a user at ip address 64.14.144.85

    when the url /cgi/formmail.pl was requested - by a user at ip address 66.68.229.28
    when the url /cgi/contact.cgi was requested - by a user at ip address 216.11.71.2
    when the url /cgi-bin/tellafriend.cgi was requested - by a user at ip address 194.212.229.228
    when the url /cgi-bin/mailer.pl was requested - by a user at ip address 81.208.58.202
    when the url /formmail.cgi was requested - by a user at ip address 62.72.116.93
    when the url /cgi-bin/friends.cgi was requested - by a user at ip address 207.68.98.5
    when the url /cgi-bin/mailer.cgi was requested - by a user at ip address 216.128.69.140
    when the url /cgi-bin/contactus.cgi was requested - by a user at ip address 12.36.50.131
    when the url /cgi-bin/bformmail.pl was requested - by a user at ip address 216.173.1.218
    when the url /cgi-bin/email.pl was requested - by a user at ip address 216.173.1.218

    when the url /cgi-bin/email.pl was requested - by a user at ip address 216.128.69.140
    when the url /cgi-bin/formmail.cgi was requested - by a user at ip address 67.122.183.22
    when the url /cgi-bin/npl_mailer.cgi was requested - by a user at ip address 63.227.76.25
    when the url /cgi-bin/formmail was requested - by a user at ip address 62.221.250.123
    when the url /cgi-bin/email.cgi was requested - by a user at ip address 146.101.66.159
    when the url /cgi-bin/ezformml.cgi was requested - by a user at ip address 209.36.127.4
    when the url /cgi-bin/mailer/mailer.cgi was requested - by a user at ip address 201.128.69.176
    when the url /cgi-bin/sender.pl was requested - by a user at ip address 66.43.173.226
    when the url /cgi-bin/mail.pl was requested - by a user at ip address 207.14.106.1
    when the url /cgi-bin/feedback.pl was requested - by a user at ip address 195.176.252.131

    when the url /cgi-bin/mailform.cgi was requested - by a user at ip address 213.92.107.35
    when the url /cgi-bin/form.pl was requested - by a user at ip address 66.193.160.126
    when the url /cgi-bin/cgiemail/contact.txt was requested - by a user at ip address 216.11.71.2
    when the url /form-bin/deliver was requested - by a user at ip address 82.35.11.183
    when the url /contact.cgi was requested - by a user at ip address 12.14.65.2
    when the url /cgi-bin/feedback.cgi was requested - by a user at ip address 61.220.255.81
    when the url /formmail.pl was requested - by a user at ip address 216.157.225.36
    when the url /cgi-bin/mail.cgi was requested - by a user at ip address 148.245.113.98
    when the url /cgi/formmail was requested - by a user at ip address 66.83.23.217
    when the url /cgi-bin/contact.pl was requested - by a user at ip address 216.231.56.77

    when the url /cgi-bin/form.cgi was requested - by a user at ip address 63.227.76.25
    when the url /cgi-bin/fmail.pl was requested - by a user at ip address 213.30.4.138
    when the url /mail.cgi was requested - by a user at ip address 213.253.27.20
    when the url /cgi-bin/formmail.pl was requested - by a user at ip address 81.223.123.84
    when the url /cgi-bin/formmail.cgi was requested - by a user at ip address 81.210.123.250
    when the url /cgi-bin/mailform.pl was requested - by a user at ip address 63.160.254.40
    when the url /cgi-bin/contact.cgi was requested - by a user at ip address 208.18.144.13
    when the url /cgi-bin/formmail.pl was requested - by a user at ip address 62.72.116.93
    when the url /cgi-bin/sendform.cgi was requested - by a user at ip address 66.166.111.48
    when the url /cgi-bin/email.cgi was requested - by a user at ip address 146.101.66.159
    ===================

    Sal.

  2. #2
    Resident Genius and Staunch Capitalist Leader's Avatar
    Join Date
    January 18th, 2005
    Location
    Florida
    Posts
    12,817
    quote: "can anybody here guess why they're doing that,"

    They want to use your server to send spam out of.

    Some email scripts have security holes, and spammers send out bots looking for sites that use those scripts.

    If they find one that uses an unsecure script, then BLAMMO, they hack in through the security hole and start sending their spam right from your own email script.
    There is no knowledge that is not power. ~Hemingway

  3. #3
    ABW Veteran Mr. Sal's Avatar
    Join Date
    January 18th, 2005
    Posts
    6,795
    Thanks Leader, I hope I'm safe there since the only email script that I use for my contact form, I think is safe so far.

    Sal.

  4. #4
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    It's been reported by the SANS institute here and here. It seems that it is a sophisticated, highly distributed probe on a large number of servers from a very large number of (presumably trojanised) source PCs.

    Normally I'd suggest blocking the IP addresses of anyone probing your site like that, but I suspect that it would be pretty fruitless in this case as there are probably thousands of zombie PCs in use.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.
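
Added example, not part of any post in this thread: a small analysis of alert lines in the format shown in the first post. It measures how widely the probe is spread over source addresses and separates probed script names the site actually serves (audit those first) from names that can be denied by path. The stem list, the sample lines and the `deployed` set are assumptions made for illustration.

```python
import re
from collections import Counter

# Alert line format as it appears in the first post of this thread.
ALERT_RE = re.compile(
    r"when the url (\S+) was requested - by a user at ip address "
    r"(\d{1,3}(?:\.\d{1,3}){3})")
# Assumption: name fragments typical of the form-to-mail scripts probed above.
MAIL_STEMS = ("mail", "contact", "tellafriend", "feedback", "sendform", "sender")

def parse_alerts(text):
    """Return (path, ip) pairs for every alert line found in text."""
    return [(m.group(1), m.group(2)) for m in ALERT_RE.finditer(text)]

def analyse(events, deployed):
    """Summarise mail-script probes; deployed = script paths the site really serves."""
    probes = [(p, ip) for p, ip in events
              if any(s in p.lower() for s in MAIL_STEMS)]
    per_ip = Counter(ip for _, ip in probes)
    paths = {p for p, _ in probes}
    return {
        "probes": len(probes),
        "sources": len(per_ip),
        "busiest_source": max(per_ip.values(), default=0),
        # Few requests per address means blocking one address removes little.
        "distributed": bool(probes) and len(per_ip) / len(probes) >= 0.75,
        # Probed names that exist on the site: audit these scripts first.
        "audit_first": sorted(paths & set(deployed)),
        # Everything else can be denied by path, whatever the source address.
        "deny_paths": sorted(paths - set(deployed)),
    }

# Constructed sample in the thread's alert format (documentation-range addresses).
SAMPLE = """\
when the url /cgi-bin/formmail.pl was requested - by a user at ip address 192.0.2.10
when the url /cgi-bin/contact.cgi was requested - by a user at ip address 198.51.100.7
when the url /cgi-bin/tellafriend.cgi was requested - by a user at ip address 203.0.113.5
when the url /formmail.cgi was requested - by a user at ip address 192.0.2.10
when the url /cgi-bin/mailer.pl was requested - by a user at ip address 198.51.100.99
when the url /images/logo.gif was requested - by a user at ip address 203.0.113.77
"""

if __name__ == "__main__":
    # Hypothetical site whose only mail script is /cgi-bin/contact.cgi.
    print(analyse(parse_alerts(SAMPLE), deployed={"/cgi-bin/contact.cgi"}))
```

With a probe spread this thinly over addresses, the path-based lists are the useful output: the per-address counts confirm that an IP block list would barely reduce the traffic.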
