Forum Moderators: DixonJones


Tracking hits (over 7,000 for 2 days, help)

CGI, formmail, hits

         

tactical1

3:17 pm on Apr 3, 2003 (gmt 0)

10+ Year Member



Help, I think someone is trying to hack my sites.

I have 2 sites and both have formmail (Matt's scripts) running on them.

2 days ago I checked my stats and everything seemed fine, now I check today and both sites' contact pages got hit over 7,000 times apiece (over 14k in two days on a contact form?)

I checked logs/files/passwords/etc... and everything seems fine.

I have index.html/shtml files in my cgi-bin directory to prevent snooping and all my permissions are set correctly, funny thing is that I accidentally left a survey file set with full read/write/execute permission and it remains untouched/unchanged.

Can anyone please tell me what's going on or at least point me in the right direction?

Thanks in advance for any and all help in this matter.

Rich

dazz

3:23 pm on Apr 3, 2003 (gmt 0)

10+ Year Member



Can't you just block the IP address of who is hitting your site?

tactical1

3:41 pm on Apr 3, 2003 (gmt 0)

10+ Year Member



Dazz,

Multiple I.P. addresses, probably 7-8 of them, have over 300 pages accessed (my logging software doesn't specify which pages, just hits) but this is common for my sites as they are loaded with images, multimedia, audio projects, etc....

Rich

Birdman

3:42 pm on Apr 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I would definitely change the name of formmail.pl to something unusual.

tactical1

3:47 pm on Apr 3, 2003 (gmt 0)

10+ Year Member



Birdman,

Doing that as we speak, still concerned though.

Rich

Gibble

4:02 pm on Apr 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Most of us here probably see 404s for attempts at accessing formmail.pl just because script kiddies/virii are looking for vulnerable computers.

Rename it and you should be ok.

rodule

2:49 am on Apr 4, 2003 (gmt 0)

10+ Year Member



You may be the unwilling subject of a spam email campaign. Early versions of Matt's formmail script enable spammers to exploit a loophole in the script to use your server to send their email. Sticky mail me for details of the exploit.

The best fix is to upgrade to the latest version of Matt's formmail or better to write your own form handler to use config files stored on the server rather than using hidden variables in your forms to set the variables such as your email address.

tactical1

12:28 pm on Apr 4, 2003 (gmt 0)

10+ Year Member



Rodule,

I've got the latest version of formmail, and as far as the re-write goes, that's beyond me.

Does anybody by chance have a recommendation for an IP logger or some such utility that will help me track this kinda' thing?

All help is greatly appreciated.

Thanks,

Rich
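
For the tracking question in the last post, the web server's own access log already records which IP requested which page. The script below is an added example, not part of the thread or of any poster's setup: it reads Apache common/combined log lines and reports, per IP, the hits on the contact page and the form handler. The two paths and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# NCSA common/combined log format, as written by Apache by default.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
FORM_PAGE = "/contact.html"        # assumed path of the contact page
HANDLER = "/cgi-bin/formmail.pl"   # assumed path of the form handler

def form_hits(lines):
    """Per client IP, count (method, path, status) for the form page and handler."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = m["path"].split("?", 1)[0].lower()  # drop query string, fold case
        if path in (FORM_PAGE, HANDLER):
            per_ip[m["ip"]][(m["method"], path, m["status"])] += 1
    return per_ip

def heavy_hitters(per_ip, threshold):
    """IPs with at least `threshold` form-related hits, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))

def blind_posters(per_ip):
    """IPs that POSTed to the handler without ever requesting the form page."""
    return sorted(ip for ip, c in per_ip.items()
                  if any(m == "POST" and p == HANDLER for m, p, _ in c)
                  and not any(p == FORM_PAGE for _, p, _ in c))

# Constructed sample lines (documentation IP ranges), not taken from real logs.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2003:10:00:01 +0000] "GET /contact.html HTTP/1.0" 200 5120',
    '192.0.2.10 - - [02/Apr/2003:10:00:02 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048',
    '192.0.2.10 - - [02/Apr/2003:10:00:40 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 310',
    '198.51.100.7 - - [02/Apr/2003:10:01:00 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 310',
    '198.51.100.7 - - [02/Apr/2003:10:01:01 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 310',
    '198.51.100.7 - - [02/Apr/2003:10:01:02 +0000] "POST /cgi-bin/formmail.pl?x=1 HTTP/1.0" 200 310',
    '203.0.113.5 - - [03/Apr/2003:09:00:00 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = form_hits(SAMPLE_LOG)
    print(heavy_hitters(hits, 3), blind_posters(hits))
```

An IP that shows up in `blind_posters` is submitting to the handler without loading the form first, which separates automated submissions from visitors who are merely heavy on images and media.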