  1. #1
    Full Member
    Join Date
    January 18th, 2005
    Location
    UK
    Posts
    273
    I have got a new site and just noticed in the logs that someone is trying to "POST" data to formmail.php.

    The browser info is

    "Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"

    Looking the IP address location up I get
    Location : CALIFORNIA, SAN LEANDRO
    ISP: VERIO INC

    (I had expected this to be someone in Eastern Europe or Asia)

    Now is this innocent or are our spamming friends now looking for PHP and CGI scripts they can hijack?

    So do I ignore this or are there any lessons to be learnt?

    I am already currently paranoid enough to stick my PHP scripts away in a folder of my own and usually have my own mail script with a name that is not obvious.

    Les

  2. #2
    MasterMike HardwareGeek's Avatar
    Join Date
    January 18th, 2005
    Posts
    3,810
    It's an attempt to spam not hijack.

  3. #3
    Newbie
    Join Date
    January 18th, 2005
    Posts
    38
    Quote, originally posted by Mikey The Geek: "It's an attempt to spam not hijack."

    Being not extremely computer literate...how does someone use your scripts to spam and how do you stop it?

  4. #4
    Affiliate Miester my2cents's Avatar
    Join Date
    January 18th, 2005
    Location
    far far away....
    Posts
    2,161
    I get hundreds of attempts to send spam thru forms...

    the best advice I can give on this subject is if you have a form script on your website, is to name it something obscure....

    also be sure you have a secure form script... many that are freely available are NOT secure... meaning... they are easy to use for spamming...

    Joe
    ++++++++++++++++++++++++++++++++++++++++++
    that's my2cents, 'cuz I'm a legend in my own mind....

  5. #5
    Member
    Join Date
    January 18th, 2005
    Posts
    69
    There are tools available that basically have a database of known "vulnerable" scripts or leftovers from product/script installations,...etc
    cgi-bin, formmail is notorious for that.

    I thought about mentioning one of those products available,
    but since I don't want to put the milk next to the cat PM me for more info.
    Use it wisely and check your own site(s).


    Breezing

  6. #6
    Sgt. Joe Friday frank3iii's Avatar
    Join Date
    January 18th, 2005
    Posts
    441
    I just checked my logs last night. So far this month there have been 174 attempts to get to any form script in any folder .cgi

    My preference is to never have a .cgi directory. I have used various names that most spammers would not think of trying, yet still give me the capabilities I need.

    I have collected a large list of IP's involved in these attempts. Wrote to my host about it. They said not to worry overly much.

    The thing about these attempts is that they are synchronized, and very fast (like 20 different attempts from different IP's in 6 seconds). Must be an automated spam feeder on steroids.

    Frank
    "Just the facts, Ma'am." Sgt. Joe Friday, Dragnet

  7. #7
    Full Member
    Join Date
    January 18th, 2005
    Location
    UK
    Posts
    273
    Well, I guess from all the above that I am right to be paranoid.

    Les

  8. #8
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    I've seen this too and did some reading up on it.

    These formmail probes are interesting, as Frank says they appear to come from different IP addresses in a very short time and look for a number of common scripts.

    What I understand is *actually* happening is that the originating IP addresses for these probes are faked. This means that they'll never get any return data directly, but that's OK because what they're trying to do is use formmail to send out a message to somewhere they CAN pick it up (probably a zombie PC or trojanised host). This all very much reduces the evidence trail.

    If you have an insecure version of formmail.php it can use it to send spam. Otherwise it's just an untraceable probe which you may as well ignore.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.
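
Added example, not part of any post in this thread: a Python version of the access-log check that posts #1 and #6 describe doing by hand, flagging POSTs to formmail-style scripts, bursts from several IPs within seconds, and any probe the server actually answered. The log rows are constructed, and the matched script names, the Apache combined log format and the 3-IP threshold are assumptions; only the user agent string and formmail.php come from the thread.

```python
import re
from datetime import datetime, timedelta

UA = "Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"  # user agent quoted in post #1
# Constructed sample rows (documentation IP ranges), not real log data.
ROWS = [("192.0.2.10", "03:14:01", "POST /formmail.php", 404),
        ("198.51.100.7", "03:14:02", "POST /cgi-bin/formmail.pl", 404),
        ("203.0.113.5", "03:14:04", "POST /cgi-bin/FormMail.cgi", 404),
        ("203.0.113.99", "04:00:00", "POST /scripts/formmail.php", 200),
        ("192.0.2.44", "09:00:00", "POST /contact/send.php", 200),
        ("192.0.2.44", "09:00:05", "GET /index.html", 200)]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [18/Jan/2005:{t} +0000] "{req} HTTP/1.0" {st} 210 "-" "{UA}"'
    for ip, t, req, st in ROWS)

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumed pattern: any script whose file name starts with "formmail".
PROBE = re.compile(r'/formmail[^/?]*\.(?:php|pl|cgi)(?:\?|$)', re.I)

def parse(log):
    """Yield (ip, time, method, path, status) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:  # malformed lines are skipped
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path, int(status)

def find_probes(log):
    """POST requests aimed at formmail-style script names."""
    return [h for h in parse(log) if h[2] == "POST" and PROBE.search(h[3])]

def find_bursts(probes, window=timedelta(seconds=6), min_ips=3):
    """Return (start, end, ips) where >= min_ips distinct IPs probed in one window."""
    probes, bursts, i = sorted(probes, key=lambda h: h[1]), [], 0
    while i < len(probes):
        j = i
        while j + 1 < len(probes) and probes[j + 1][1] - probes[i][1] <= window:
            j += 1
        ips = sorted({h[0] for h in probes[i:j + 1]})
        if len(ips) >= min_ips:
            bursts.append((probes[i][1], probes[j][1], ips))
            i = j + 1
        else:
            i += 1
    return bursts

def answered(probes):
    """Probes that got a non-error status: the script exists and needs auditing."""
    return [h for h in probes if h[4] < 400]
```

A probe that returns 404 is the case post #8 says can be ignored; anything `answered()` returns points at a form script that is actually present and worth checking.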
