How to find ip of spammers in log


#1

hello all,

in my logs at mydomain.com/stats, i have started to see requests for /cgi-bin/formmail.cgi and all permutations of the spelling of formmail…

what i can’t seem to locate is the offending IPs that have requested these files…

do i need a log reader to connect ip to request, and/or how can i do this with the built in log reader?

thanks,
parker.


#2

You’ll need to check the raw log files. They should be located in ~/logs/yourdomain.suffix/http/access.log. You can then grep it for what you want, something like:

grep -i formmail access.log

should get you what you want.

A word of advice, however: there really is little point in going after these people. The IP addresses will probably resolve to compromised machines used by hackers/spammers to target their next victim. The person that owns that machine might not even know it’s compromised, or it’s probably located in a far away land somewhere.

As long as you don’t have a copy of formmail then you should be fine. And please don’t install it if you haven’t. What you can do, if you want formmail’s functionality, is to download the nms replacements, probably found on sourceforge.net or elsewhere. Or you can use DreamHost’s own formmail service found in your web panel.

  • wil
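Added example, not part of the original posts: a per-IP count of requests for formmail-style paths, which goes one step past the grep above. It assumes access.log is in Apache common/combined format (client IP in field 1, request path in field 7); the function names are hypothetical and the sample log lines are constructed, using documentation-range addresses.

```shell
#!/bin/sh
# Count requests for formmail-style script names per client IP.
# Assumption: Apache common/combined log format
#   field 1 = client IP, field 7 = request path.

formmail_ips() {
    # $1 = path to access.log
    awk '
        # Match on the request path only (field 7), case-insensitively, so a
        # referrer or user-agent that mentions formmail is not counted.
        # The pattern covers formmail, formail, form-mail and form_mail.
        tolower($7) ~ /form[-_]?m?ail/ { hits[$1]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

write_sample_log() {
    # $1 = file to create; every line below is constructed sample data.
    cat > "$1" <<'EOF'
192.0.2.10 - - [12/Mar/2004:10:01:02 -0800] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 285 "-" "-"
192.0.2.10 - - [12/Mar/2004:10:01:03 -0800] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 284 "-" "-"
198.51.100.7 - - [12/Mar/2004:11:15:40 -0800] "POST /cgi-bin/formail.cgi HTTP/1.0" 404 284 "-" "-"
203.0.113.5 - - [12/Mar/2004:11:20:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/formmail-howto" "Mozilla/4.0"
192.0.2.10 - - [12/Mar/2004:10:01:05 -0800] "GET /cgi-bin/form-mail.cgi HTTP/1.0" 404 286 "-" "-"
EOF
}

# Demo run against the constructed sample.
log=$(mktemp)
write_sample_log "$log"
formmail_ips "$log"
rm -f "$log"
```

Each output line is a hit count followed by the client IP, busiest first. The 203.0.113.5 request is not listed because only its referrer mentions formmail.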

#3

hiya,

thanks for the info and advice.

i’m more curious than anything to see where all requests are coming from. it’s not causing a problem thus far, so any reporting on my part would more than likely be fruitless… and in vain… i do believe as well…

cya,
parker


#4

Reporting the attempt is still a good idea if you have the time. A good number of the requests are probably coming from unsecured http proxies, however.

You can do a lookup on the IPs at http://geektools.com/whois.php or from the command line using the whois server “whois.geektools.com”.