Suspicious form submission


#1

Just would like to find out if anybody else has had this happen before… I rec’d an email to one of my DH accounts today which read as follows:

I use the PHP version of formmail which is available at http://www.dtheatre.com/scripts/formmail.php, and since this happened I’ve applied the version 4.2 patch Jack describes for preventing a ‘spoofing’ or ‘spamming’ problem the old script appeared to have.

The thing is, I don’t think this spoofing problem is the problem; I don’t have the formmail.php set up to send along the REMOTE HOST or BROWSER variables, nor do I have it set up to allow file submissions (OK, to my knowledge it’s not set up to do that – you can see the form(s) in question at http://www.gilkison.net/comments.html or http://genes.gilkison.net/comments.html). I’ve also searched everywhere in my file space for a “washere.txt” file, and I don’t find any.

Is this just a script kiddie trying to impress me, or could I potentially have a hole still open in the formmail.php script? (BTW, the “To:” address was actually to a valid email address at my domain, I’d just prefer not to post it if not necessary)


#2

Well, there were in fact a few entries in my access.log about that time for the relevant page; there was a POST request for formmail.php, just as if somebody had submitted something normally, then a GET for the same thing – both of those used a relative URL – then finally a POST using a complete “http://…” url to my formmail.php. The final POST had a log time of the same time that DH initially rec’d the message, so I’d be pretty sure that’s the culprit …

Any idea what “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)” is? Especially that last “.NET” part? A Google search on that doesn’t really turn up anything useful. When I did a whois on the IP address, it belongs to a free French ISP, “Tiscali France”, which doesn’t appear to be too helpful either.

I can post the relevant log section if you think it might help, unless you think I’m being overly concerned…


#3

The biggest problem with using the canned DH formmail is that it requires you to expose certain elements in your web page, namely the recipient email – and a hidden INPUT is not going to deter somebody serious about an attack, nor a robot gathering email addresses for spam (what I’m hoping to prevent in the first place). Using a “custom” formmail lets me control the email process a bit more to my satisfaction.

Perhaps part of the solution is, as you suggest, to remove the reference to Jack’s Formmail – it’s mainly the author’s request that you link back to him in some way as a courtesy.

The logged useragent is, I’m sure, hacked, which I know is easy enough to do with Lynx or Opera; the IE useragent text has always, to my knowledge, stopped after the operating system description (e.g., my IE has never displayed anything about .NET CLR).

Perhaps there’s a way to restrict access to formmail.php so that only the local comments.html can call it? Maybe via .htaccess?
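As an added example (not code from the thread or from the formmail script), here is a small Python scanner over Apache combined-format access.log lines that flags the pattern described in #2: a POST to formmail.php whose request line carries a full “http://…” URL, or that arrives without a Referer from one of the pages hosting the form. The sample log lines and the allow-list of form pages are constructed for the example; the Referer check is only a detection signal, since that header is set by the client, which is also the caveat for the .htaccess idea in #3.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (Apache "combined" format) mimicking the sequence
# from post #2: relative POST, GET, then a POST with a full URL. Not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2003:14:02:11 -0700] "POST /formmail.php HTTP/1.1" 302 0 "http://www.gilkison.net/comments.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"
203.0.113.7 - - [10/Jun/2003:14:02:12 -0700] "GET /formmail.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"
203.0.113.7 - - [10/Jun/2003:14:02:40 -0700] "POST http://www.gilkison.net/formmail.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"
198.51.100.9 - - [10/Jun/2003:15:10:03 -0700] "POST /formmail.php HTTP/1.1" 302 0 "http://genes.gilkison.net/comments.html" "Mozilla/5.0"
"""

# Hypothetical allow-list: the pages that legitimately host the form.
TRUSTED_REFERERS = {
    "http://www.gilkison.net/comments.html",
    "http://genes.gilkison.net/comments.html",
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious_reasons(entry):
    """List why a POST to formmail.php does not look like a browser form submission."""
    if entry["method"] != "POST" or not entry["target"].endswith("/formmail.php"):
        return []
    reasons = []
    # A browser posting a form sends a relative path; a full "http://..." URL in
    # the request line is what a proxy-style or hand-built request carries.
    if urlsplit(entry["target"]).scheme:
        reasons.append("absolute URL in request line")
    # Referer is client-controlled, so treat this as a signal, never a gate.
    if entry["referer"] not in TRUSTED_REFERERS:
        reasons.append("no Referer from a page that hosts the form")
    return reasons

def scan_log(log_text):
    """Return (ip, time, reasons) for every formmail POST that raised a flag."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((entry["ip"], entry["time"], reasons))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the third line, the absolute-URL POST with no Referer, which is the entry the poster identified as the culprit.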


#4

The .NET CLR in the user agent is nothing suspicious - I don’t know exactly what it means, but I find it in my log files all the time from normal requests.