
Forum Moderators: DixonJones & mademetop

Strange POST entries in the log

What are they up to? Mail spamming?

   
6:01 am on May 24, 2007 (gmt 0)

5+ Year Member



I have had several entries like this in my web log for some time:

125.188.29.#*$! - - [23/May/2007:14:20:34 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "http:// www.mywebhost.com/cgi-bin/formmail.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The referrer is constant. Sometimes there is a user agent, sometimes there is just a dash. The IP is always different - zombies? There is no web form on that particular page.

I asked my web host, and they just said "don't worry", without explaining what was going on. Is there a botnet abusing or trying to abuse my web host's server for spam mailings? Is my site at risk?

Even if they would do no harm to me or to my web host I do not like seeing those entries. In case the botnet cannot change the referrer, could I just 403 block mywebhost.com in my .htaccess, or might that also prevent legitimate use of my own web forms? (I have no other control over the server.)

3:37 pm on May 24, 2007 (gmt 0)

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Is there a botnet abusing or trying to abuse my web host's server for spam mailings? Is my site at risk?

Most likely bots. AFAIK, that's the default installation directory for formmail, so it's the first place bots look for an exploit.

If you don't have formmail or have it installed in a different directory, it's not an issue.

5:44 pm on May 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I see a large increase in botnet activity hitting the guest book page on my site with the Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) user agent.

8:17 pm on May 30, 2007 (gmt 0)

5+ Year Member



Nobody?

The host has formmail installed, and the directory is the one above.

8:42 pm on May 30, 2007 (gmt 0)

10+ Year Member



I see many POST http requests which list "reddit" in the referrer:

84.158.xx.yy - - [30/May/2007:23:35:03 +0300] "POST /xyz.html HTTP/1.0" 200 7719 "http://reddit.com/login" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

IPs are from all over the world (mostly US and Europe). What could this be?
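The pattern reported in this thread (POSTs to pages that carry no form, a constant referrer, ever-changing client IPs) can be pulled out of an access log mechanically. The following is an added example, not code from any poster in the thread; the function names, the `form_paths` parameter, the hosts and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format, the format of the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines: documentation IP ranges, hypothetical hosts and paths.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FM = "http://www.mywebhost.example/cgi-bin/formmail.cgi"
SAMPLE_LOG = [
    f'192.0.2.10 - - [23/May/2007:14:20:34 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "{FM}" "{UA}"',
    f'198.51.100.7 - - [23/May/2007:15:02:11 +0200] "POST /mypage.html HTTP/1.1" 200 34148 "{FM}" "-"',
    f'203.0.113.5 - - [30/May/2007:23:35:03 +0300] "POST /xyz.html HTTP/1.0" 200 7719 "http://reddit.com/login" "{UA}"',
    f'203.0.113.9 - - [30/May/2007:23:36:40 +0300] "POST /xyz.html HTTP/1.0" 200 7719 "http://reddit.com/login" "{UA}"',
    f'192.0.2.44 - - [30/May/2007:10:00:00 +0200] "POST /contact.cgi HTTP/1.1" 200 512 "http://www.example.org/contact.html" "{UA}"',
    f'192.0.2.44 - - [30/May/2007:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 9000 "-" "{UA}"',
    f'198.51.100.99 - - [30/May/2007:11:00:00 +0200] "POST /guestbook.html HTTP/1.1" 200 4000 "-" "{UA}"',
]

def referer_host(referer):
    """Host part of a Referer header, or "-" when absent or unparsable."""
    try:
        return urlsplit(referer).hostname or "-"
    except ValueError:
        return "-"

def suspicious_posts(lines, form_paths, min_ips=2):
    """Group POSTs to paths that host no form by Referer host.

    A group is reported when at least min_ips distinct clients sent it,
    that is, a constant Referer arriving from changing addresses.
    """
    groups = defaultdict(lambda: {"ips": set(), "paths": set(), "hits": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path in form_paths:
            continue  # a real form handler; POSTs are expected here
        g = groups[referer_host(m["referer"])]
        g["ips"].add(m["ip"]); g["paths"].add(path); g["hits"] += 1
    report = [{"referer_host": h, "distinct_ips": len(g["ips"]),
               "hits": g["hits"], "paths": sorted(g["paths"])}
              for h, g in groups.items() if len(g["ips"]) >= min_ips]
    return sorted(report, key=lambda r: (-r["distinct_ips"], r["referer_host"]))

if __name__ == "__main__":
    for row in suspicious_posts(SAMPLE_LOG, form_paths={"/contact.cgi"}):
        print(row)
```

Because the Referer header is supplied by the client, the grouping is a triage aid for spotting the pattern, not proof of where a request came from.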
