
Website Analytics - Tracking and Logging Forum

    
Strange POST entries in the log
What are they up to? Mail spamming?
thord




msg:3348299
 6:01 am on May 24, 2007 (gmt 0)

I have had several entries like this in my web log for some time:

125.188.29.#*$! - - [23/May/2007:14:20:34 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "http:// www.mywebhost.com/cgi-bin/formmail.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The referrer is constant. Sometimes there is a user agent, sometimes there is just a dash. The IP is always different - zombies? There is no web form on that particular page.

I asked my web host, and they just said "don't worry", without explaining what was going on. Is there a botnet abusing or trying to abuse my web host's server for spam mailings? Is my site at risk?

Even if they would do no harm to me or to my web host I do not like seeing those entries. In case the botnet cannot change the referrer, could I just 403 block mywebhost.com in my .htaccess, or might that also prevent legitimate use of my own web forms? (I have no other control over the server.)

 

LifeinAsia




msg:3348786
 3:37 pm on May 24, 2007 (gmt 0)

Is there a botnet abusing or trying to abuse my web host's server for spam mailings? Is my site at risk?

Most likely bots. AFAIK, that's the default installation directory for formmail, so it's the first place bots look for an exploit.

If you don't have formmail or have it installed in a different directory, it's not an issue.

blend27




msg:3350713
 5:44 pm on May 26, 2007 (gmt 0)

I see a large increase in botnet activity hitting the guest book page on my site with the
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) user agent.

thord




msg:3353862
 8:17 pm on May 30, 2007 (gmt 0)

Nobody?

The host has formmail installed, and the directory is the above.

dhatz




msg:3353888
 8:42 pm on May 30, 2007 (gmt 0)

I see many POST http requests which list "reddit" in the referrer:

84.158.xx.yy - - [30/May/2007:23:35:03 +0300] "POST /xyz.html HTTP/1.0" 200 7719 "http://reddit.com/login" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

IPs are from all over the world (mostly US and Europe). What could this be?
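
One way to check an access log for the pattern described in this thread (POSTs to pages that have no form, one constant off-site referrer, a different client IP each time). This is an added example, not code from any poster; the own-site hostname `www.mysite.example`, the static-extension rule and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
STATIC_EXT = (".html", ".htm")  # assumption: pages with these extensions accept no form data

# Constructed sample lines modelled on the entries quoted in the thread (documentation IPs).
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FM = "http://www.mywebhost.com/cgi-bin/formmail.cgi"
SAMPLE = [
    f'192.0.2.10 - - [23/May/2007:14:20:34 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "{FM}" "{UA}"',
    '198.51.100.7 - - [23/May/2007:15:02:11 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "http:// www.mywebhost.com/cgi-bin/formmail.cgi" "-"',
    f'203.0.113.99 - - [23/May/2007:16:40:02 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "{FM}" "{UA}"',
    f'203.0.113.5 - - [30/May/2007:23:35:03 +0300] "POST /xyz.html HTTP/1.0" 200 7719 "http://reddit.com/login" "{UA}"',
    f'192.0.2.44 - - [23/May/2007:17:00:00 +0200] "GET /mypage.html HTTP/1.1" 200 34148 "-" "{UA}"',
    f'192.0.2.50 - - [23/May/2007:17:05:00 +0200] "POST /contact.php HTTP/1.1" 200 512 "http://www.mysite.example/contact.html" "{UA}"',
    f'192.0.2.51 - - [23/May/2007:17:06:00 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "http://www.mysite.example/form.html" "{UA}"',
]

def suspicious_posts(lines, own_hosts):
    """Group POSTs to static pages by referrer, skipping referrers on the site's own hosts."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].lower().endswith(STATIC_EXT):
            continue
        referer = m["referer"].replace(" ", "")  # tolerate pasted logs that show "http:// host"
        host = (urlsplit(referer).hostname or "").lower()
        if host in own_hosts:  # a form on the site itself posting to one of its pages
            continue
        groups[referer]["hits"] += 1
        groups[referer]["ips"].add(m["ip"])
    return groups

def flag(groups, min_ips=3):
    """Return (referrer, hits, distinct_ips) for referrers seen from >= min_ips clients."""
    rows = [(ref, g["hits"], len(g["ips"])) for ref, g in groups.items()
            if len(g["ips"]) >= min_ips]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ref, hits, ips in flag(suspicious_posts(SAMPLE, {"www.mysite.example"})):
        print(f"{hits} POSTs from {ips} distinct IPs with referrer {ref}")
```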

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved