Formmail errors in logs


#1

Hello, I was just looking at my access.log and came across the below…
note where the aliases say ‘loser’ I changed it to that.

“GET /cgi-bin/formmail.cgi?recipient=loser@epimp.com&subject=http://www.twotuxcats.com/cgi-bin/formmail.cgi&body=JupZ&email=loser@aol.com HTTP/1.1” 404 2502 “-” “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)”

My question is…what the heck is this about?? I had 8 of these today. It happened 2 different times today. Both of the times it called for the files 4 times at the exact same time. I hope that made sense :wink: Anyways, where the @aol.com address is, they are all different @aol.com addresses. I also had in my error log, 8 errors for either formmail.cgi or formmail.pl. All of this was done by the same IP which is 24.199.92.57. Oh and if it matters, I don’t have a cgi-bin or a cgi-local directory which someone is looking for these files in.

Can anyone explain what this is about? It just doesn’t seem right to me. Should I block the IP? Any ideas? :slight_smile: Thanks!!

I just checked the IP number and it’s Earthlink. So banning it isn’t an option since that’s who my ISP is. I would be blocked also, right?

Christy


#2

It’s someone trying to exploit a (non-existent) formmail script to send spam. If the scan had succeeded, this person would then send out thousands of spams using the insecure script.

Send the logs to abuse at everyone.net and to abuse at earthlink.net (earthlink for the IP address 24.199.92.57, everyone.net is a freemail provider that is the mail exchanger for epimp.com).


#3

Hi Will, I use DH’s formmail. Could that have anything to do with it? These attempts obviously didn’t work so I guess it’s not an issue :wink:

Will Earthlink know which of their users did this by the IP number? I mean, do they have logs of what user had that IP at that time? This is one thing I just don’t get about IPs. I know they change each time you log on (unless it’s static, right?) so I never understood the point of blocking them. Am I way off with my understanding of IP numbers?

Anyways, thanks so much for your help. I appreciate you checking out the providers for me :slight_smile: I’ll get the logs sent off.

Christy


#4

[quote]I use DH’s formmail. Could that have anything to do with it?[/quote]

Naah - people just scan all the sites they can find to try and locate vulnerable scripts. A lot of servers have an alias for site.xxx/cgi-bin/ for a central group of scripts, and a lot of other sites use this convention. So people just try a bunch of different locations hoping to get lucky (unfortunately, many times, they do).

[quote]Will Earthlink know which of their users did this by the IP number? I mean, do they have logs of what user had that IP at that time?[/quote]

They should. Most / all ISPs log this information (for obvious reasons). Also, almost all IPs in 24.x.x.x are cable modems, so if the IP isn’t static, it still probably doesn’t change very often.
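An added example, not posted by anyone in this thread: a small Python script that does what posts #2 and #4 describe by hand, scanning an Apache access log for formmail probes and building the evidence an abuse desk asks for. It assumes the log is in Apache's "combined" format (the format of the line in the first post), treats any request for formmail.cgi/.pl/.php that carries a `recipient` parameter in the query string as a probe regardless of which directory was tried, and groups the results by source IP. The sample log lines are constructed for this example, modelled on the line Christy posted; the second IP and the timestamps are made up.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Script names the scanners in this thread asked for, in whatever directory.
PROBE_SCRIPTS = ("formmail.cgi", "formmail.pl", "formmail.php")

# Constructed sample log (based on the line in post #1; dates and the
# 192.0.2.10 client are invented for the example).
SAMPLE_LOG = [
    '24.199.92.57 - - [01/Jan/2000:10:00:00 -0800] "GET /cgi-bin/formmail.cgi?recipient=loser@epimp.com&subject=http://www.twotuxcats.com/cgi-bin/formmail.cgi&body=JupZ&email=loser@aol.com HTTP/1.1" 404 2502 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '24.199.92.57 - - [01/Jan/2000:10:00:00 -0800] "GET /cgi-bin/formmail.pl?recipient=loser@epimp.com&subject=http://www.twotuxcats.com/cgi-bin/formmail.pl&body=JupZ&email=loser2@aol.com HTTP/1.1" 404 2502 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '24.199.92.57 - - [01/Jan/2000:10:00:00 -0800] "GET /cgi-local/formmail.cgi?recipient=loser@epimp.com&subject=http://www.twotuxcats.com/cgi-local/formmail.cgi&body=JupZ&email=loser3@aol.com HTTP/1.1" 404 2502 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '24.199.92.57 - - [01/Jan/2000:10:00:00 -0800] "GET /cgi-local/formmail.pl?recipient=loser@epimp.com&subject=http://www.twotuxcats.com/cgi-local/formmail.pl&body=JupZ&email=loser4@aol.com HTTP/1.1" 404 2502 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '192.0.2.10 - - [01/Jan/2000:10:05:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # A real visitor submitting the site's own form: fields travel in the POST
    # body, so no recipient shows up in the logged URL.
    '192.0.2.10 - - [01/Jan/2000:10:05:30 -0800] "POST /formmail.php HTTP/1.1" 200 812 "http://www.twotuxcats.com/contact.html" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_formmail_probe(entry):
    """A probe asks for a formmail script by name and names the relay target in the URL."""
    parts = urlsplit(entry["path"])
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in PROBE_SCRIPTS:
        return False
    return "recipient" in parse_qs(parts.query)


def summarize(lines):
    """Group probe hits by source IP with the paths tried, relay targets and HTTP statuses."""
    by_ip = defaultdict(lambda: {"hits": 0, "paths": set(),
                                 "recipients": set(), "statuses": Counter()})
    for line in lines:
        entry = parse_line(line)
        if not entry or not is_formmail_probe(entry):
            continue
        parts = urlsplit(entry["path"])
        rec = by_ip[entry["ip"]]
        rec["hits"] += 1
        rec["paths"].add(parts.path)
        rec["recipients"].update(parse_qs(parts.query).get("recipient", []))
        rec["statuses"][entry["status"]] += 1
    return dict(by_ip)


def flag_ips(by_ip, threshold=4):
    """IPs with at least `threshold` probes; a single hit may be a typo, a burst is a scan."""
    return {ip for ip, rec in by_ip.items() if rec["hits"] >= threshold}


def abuse_report(by_ip):
    """Plain-text evidence summary suitable for sending to an ISP abuse desk."""
    out = []
    for ip, rec in sorted(by_ip.items()):
        out.append(f"Source {ip}: {rec['hits']} formmail probe(s), "
                   f"HTTP statuses {dict(rec['statuses'])}")
        out.append("  paths probed: " + ", ".join(sorted(rec["paths"])))
        out.append("  relay target(s) requested: " + ", ".join(sorted(rec["recipients"])))
    return "\n".join(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(abuse_report(summary))
    print("flagged:", sorted(flag_ips(summary)))
```

Run it against a real access.log with `summarize(open("access.log"))`; all four probes in the sample come back 404, which is the point of post #2: the scan found nothing, and the report's value is in the paths, the relay target and the count, which is what the abuse desks at the ISP and the recipient domain's mail provider need.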


#5

Hi Bob, You don’t have to worry about me doing the workarounds. I’m sure I’d screw it all up and get into a lot of trouble :wink: It really bothers me that someone was doing this to my site. Maybe it’s because it’s about cats and they don’t like them. LOL

I went and voted as you asked :slight_smile:

Christy


#6

What do you need us to do to get that formmail.php script working?

It looks like you should just be able to put an Alias in an .htaccess file in the document root for your domain and it would be fine.


#7

Well, Alias doesn’t make something run as a CGI. ScriptAlias does, but you shouldn’t use it for this.

Basically all the instructions tell you to do is set it up so that when someone requests domain.com/whatever/formmail.pl the webserver actually maps that request to domain.com/somewhere/else/formmail.php

It’ll still execute formmail.php as a “normal” (non-CGI) PHP script. Alias just maps URLs. It doesn’t change any sort of Apache mime-type handling.

And you can do both those Alias lines in an .htaccess file (you don’t have to do it in the VirtualHost in httpd.conf). .htaccess files get parsed with every request, so you don’t have to restart the server.

Anyway, there’s nothing we need to do on our end (that I know of) to get that script to work. I’m not sure what the authors were smoking but we’re not doing anything weird to the Apache config that would make the script not work.