
Forum Moderators: DixonJones & mademetop


Strange POST entries in the log

What are they up to? Mail spamming?

     
6:01 am on May 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 7, 2007
posts:24
votes: 0


I have had several entries like this in my web log for some time:

125.188.29.#*$! - - [23/May/2007:14:20:34 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "http:// www.mywebhost.com/cgi-bin/formmail.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The referrer is constant. Sometimes there is a user agent, sometimes there is just a dash. The IP is always different - zombies? There is no web form on that particular page.

I asked my web host, and they just said "don't worry", without explaining what was going on. Is there a botnet abusing or trying to abuse my web host's server for spam mailings? Is my site at risk?

Even if they would do no harm to me or to my web host I do not like seeing those entries. In case the botnet cannot change the referrer, could I just 403 block mywebhost.com in my .htaccess, or might that also prevent legitimate use of my own web forms? (I have no other control over the server.)

3:37 pm on May 24, 2007 (gmt 0)

Moderator from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5599
votes: 29


Is there a botnet abusing or trying to abuse my web host's server for spam mailings? Is my site at risk?

Most likely bots. AFAIK, that's the default installation directory for formmail, so it's the first place bots look for an exploit.

If you don't have formmail or have it installed in a different directory, it's not an issue.

5:44 pm on May 26, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1760
votes: 43


I see a large increase in botnet activity hitting the guest book page on my site with the
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) user agent.

8:17 pm on May 30, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 7, 2007
posts:24
votes: 0


Nobody?

The host has formmail installed, and the directory is the above.

8:42 pm on May 30, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 5, 2004
posts:147
votes: 0


I see many POST http requests which list "reddit" in the referrer:

84.158.xx.yy - - [30/May/2007:23:35:03 +0300] "POST /xyz.html HTTP/1.0" 200 7719 "http://reddit.com/login" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

IPs are from all over the world (mostly US and Europe). What could this be?
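
An added example, not part of any post in this thread: a log filter for the pattern described above, POST requests to static pages that carry an off-site referrer, grouped by referrer with the distinct client IPs behind each. The sample lines are constructed (documentation-range IPs), and `www.example.org` as the site's own hostname and the static-extension list are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumption: pages with these extensions host no form handler on this site.
STATIC_EXT = (".html", ".htm")
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample lines modelled on the entries quoted in the thread.
SAMPLE = [
    f'192.0.2.10 - - [23/May/2007:14:20:34 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "http://www.mywebhost.com/cgi-bin/formmail.cgi" "{UA}"',
    '198.51.100.7 - - [23/May/2007:15:02:11 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "http://www.mywebhost.com/cgi-bin/formmail.cgi" "-"',
    f'203.0.113.5 - - [30/May/2007:23:35:03 +0300] "POST /xyz.html HTTP/1.0" 200 7719 "http://reddit.com/login" "{UA}"',
    '192.0.2.44 - - [30/May/2007:23:40:00 +0300] "POST /contact.php HTTP/1.1" 200 512 "http://www.example.org/contact.php" "Mozilla/5.0"',
    '192.0.2.45 - - [30/May/2007:23:41:00 +0300] "GET /mypage.html HTTP/1.1" 200 34148 "-" "Mozilla/5.0"',
]


def suspicious_posts(lines, own_hosts):
    """Map (path, referer) -> set of client IPs for POSTs to static pages from off-site referrers."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not urlsplit(m["path"]).path.lower().endswith(STATIC_EXT):
            continue  # a script or other dynamic target may legitimately take POSTs
        ref_host = urlsplit(m["referer"]).hostname or "-"
        if ref_host in own_hosts:
            continue  # a form on our own site posting to our own page
        hits[(m["path"], m["referer"])].add(m["ip"])
    return dict(hits)


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE, {"www.example.org"})
    for (path, referer), ips in sorted(found.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(ips):3d} distinct IPs  POST {path}  referer={referer}")
```

A constant referrer arriving from many unrelated IPs, as in the first post, shows up here as a single row with a high distinct-IP count.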