/cgi-bin/FormMail.pl
/cgi-bin/formmail.pl
/cgi-bin/FormMail.cgi
/cgi-bin/formmail.cgi
/formmail.php
- I haven't seen the third before, but somebody must have ported Matt's old code to PHP, I guess. UA strings differ as well as IPs; perhaps there is more than one, if not just one spoofing big time.
I do not believe these are browsers, and there are some strange coincidences across UAs and IPs. Watch for similarities in these three groups, and compare with the odd whois findings:
1)
IPs: 67.118.215.31
UA: Mozilla/4.06 (Win95; I)
REFERRER: www.my-site.com (spoofed)
/cgi-bin/FormMail.pl
/cgi-bin/formmail.pl
/cgi-bin/FormMail.cgi
/cgi-bin/formmail.cgi
2)
IPs: 163.28.4.1, 159.148.95.15
UA: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REFERRER: www.my-site.com (spoofed)
/cgi-bin/FormMail.pl
3)
IPs: 200.41.4.3, 163.28.4.1
UA: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REFERRER: www.my-site.com (spoofed)
/formmail.php
WHOIS INFO:
1) 67.118.215.31:
Pac Bell Internet Services PBI-NET-10 (NET-67-112-0-0-1)
67.112.0.0 - 67.127.255.255
PPPoX Pool rback9.scrm01 SBC067118212000020522 (NET-67-118-212-0-1)
67.118.212.0 - 67.118.215.255
2a) 163.28.4.1:
inetnum: 163.28.0.0 - 163.28.255.255
netname: TANET
descr: Taiwan Academic Network
descr: Ministry of Education computer Center
2b) 159.148.95.15:
inetnum: 159.148.0.0 - 159.148.255.255
netname: LATNET
descr: Internet Service Provider
descr: Riga, Latvia
3a) 200.41.4.3:
inetnum: 200.41.0/17
status: allocated
owner: ARIN - American Registry for Internet Numbers
ownerid: US-ARIN-LACNIC
responsible: ARIN ATTN: Registration Services Group
3b) 163.28.4.1:
inetnum: 163.28.0.0 - 163.28.255.255
netname: TANET
descr: Taiwan Academic Network
descr: Ministry of Education computer Center
Related:
Here's the spidertrap thread: [webmasterworld.com...]
- and the follow-up: [webmasterworld.com...]
Not related? Yes they are - replace the name "trap.pl" with "formmail.pl".
A rewrite condition in .htaccess like this one might be more efficient, as this could be just one very, very talented spoofer:
RewriteCond %{REQUEST_URI} (mail.?form|form|form.?mail|mail|mailto)\.(cgi|exe|pl|asp|php)$ [NC,OR]
Thanks to balam for this syntax (post 38 in ACTP.HBL part 2) [webmasterworld.com]
/claus
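The three groups above are exactly the kind of thing a small log filter can pull out automatically. The script below is an added example, not code from the thread or from FormMail: it parses Apache combined-format log lines, flags requests whose path matches the formmail pattern from the RewriteCond above (pipe characters restored), marks a Referer that names our own host as spoofed when that client never actually fetched the referenced page, and clusters probe hits by User-Agent so the shared UA/IP pairs stand out. The log lines are constructed for the example using the IPs, UAs and paths quoted in the post; the site hostname www.my-site.com and the legitimate contact form at /cgi-bin/contact.cgi are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path pattern from the RewriteCond in the thread, with literal "|" alternation
# (the forum software rendered the pipes as broken bars).
FORMMAIL_RE = re.compile(
    r"(mail.?form|form|form.?mail|mail|mailto)\.(cgi|exe|pl|asp|php)$", re.I
)

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OUR_HOST = "www.my-site.com"  # assumption: this site's own hostname, as in the thread

# Constructed sample log (not real data): scanner hits use the IPs/UAs/paths from the
# post; the 192.0.2.10 client is a legitimate visitor who loads the page, then posts.
SAMPLE_LOG = """\
67.118.215.31 - - [10/Mar/2003:10:01:02 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 512 "http://www.my-site.com/" "Mozilla/4.06 (Win95; I)"
67.118.215.31 - - [10/Mar/2003:10:01:03 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 512 "http://www.my-site.com/" "Mozilla/4.06 (Win95; I)"
67.118.215.31 - - [10/Mar/2003:10:01:04 +0000] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 512 "http://www.my-site.com/" "Mozilla/4.06 (Win95; I)"
163.28.4.1 - - [10/Mar/2003:11:20:00 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.1" 404 512 "http://www.my-site.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
200.41.4.3 - - [10/Mar/2003:11:25:00 +0000] "GET /formmail.php HTTP/1.1" 404 512 "http://www.my-site.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
192.0.2.10 - - [10/Mar/2003:12:00:00 +0000] "GET /contact.html HTTP/1.1" 200 2048 "http://www.example.org/links" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [10/Mar/2003:12:00:30 +0000] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 300 "http://www.my-site.com/contact.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_formmail_probe(path):
    """True if the request path (query string ignored) ends in a formmail-style script name."""
    return FORMMAIL_RE.search(path.split("?", 1)[0]) is not None


def referer_is_spoofed(entry, seen_paths, our_host):
    """A Referer on our own host is only plausible if this client fetched that page earlier."""
    ref = urlsplit(entry["referer"])
    if ref.hostname != our_host:
        return False
    return (ref.path or "/") not in seen_paths.get(entry["ip"], set())


def analyze(entries, our_host=OUR_HOST):
    """Return probe hits, IPs with a spoofed own-site Referer, and probe IPs grouped by UA."""
    seen_paths = defaultdict(set)  # ip -> paths that ip has requested so far
    probes, spoofed = [], []
    by_ua = defaultdict(set)
    for e in entries:
        if is_formmail_probe(e["path"]):
            probes.append((e["ip"], e["path"]))
            by_ua[e["ua"]].add(e["ip"])
        # Check the Referer before recording this request, so a client cannot
        # "prove" it saw a page with the very request being examined.
        if referer_is_spoofed(e, seen_paths, our_host):
            spoofed.append(e["ip"])
        seen_paths[e["ip"]].add(e["path"].split("?", 1)[0])
    clusters = {ua: sorted(ips) for ua, ips in by_ua.items()}
    return {"probes": probes, "spoofed": sorted(set(spoofed)), "clusters": clusters}


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for ip, path in result["probes"]:
        print(f"probe   {ip:15} {path}")
    print("spoofed referer from:", ", ".join(result["spoofed"]))
    for ua, ips in result["clusters"].items():
        print(f"cluster {ua!r}: {ips}")
```

On the sample, the three scanner IPs are flagged for both the probe path and the spoofed Referer, and the MSIE 5.5 UA groups 163.28.4.1 and 200.41.4.3 together, which is the overlap between groups 2 and 3 above. Note that the path pattern is deliberately broad (anything ending in form.php or mail.cgi will match), so check it against your own script names before turning it into a block rule.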
Having said that (and you'll need to click through a bunch of those links to see what I think I saw), is it possible to rent proxy relays for truly anonymous surfing?
In that one thread you can plainly see the individual has posted there.
As I understand it, when ":80" is added to the end it signifies a redirect? If so, where to?
I also found that ":80" leads to a hacker page.
I found more 'stuff', but I don't have the expertise to understand all of it. Other languages notwithstanding.
One more thing: I noticed languages from Japan and Romania as well as one or two others. Not stats pages mind you, but pages speaking to...'something'.
All this supposedly coming from a school in Mississippi (US) seems just a tad erroneous to me. There is more here than meets the eye, although http*//www.stayinvisible.com/index.pl/proxy_list?order=ip%20desc&offset=600 seems to indicate port 80 from that Mississippi school. Leastways, that page shows this individual really is from the US.
NetName - MDE-K12
NetType - Direct Assignment
Address - P.O. Box 771, Suite 152
City - Jackson
Parent - NET-216-0-0-0-0
OrgName - Mississippi Dept. of Education
TechName - Westbrook, Rolan
TechEmail - rwestbro@mdek12.state.ms.us
TechHandle - RW279-ARIN
OrgID - MDE-3
PostalCode - 39205
NetHandle - NET-216-229-192-0-1
Comment -
RegDate - 1999-06-09
StateProv - MS
CIDR - 216.229.192.0/19
Updated - 1999-06-09
Country - US
NetRange - 216.229.192.0 - 216.229.223.255
TechPhone - +1-601-359-3487
Pendanticist.
is it possible to rent proxy relays for true anonymous surfing?
To the best of my knowledge, even using a proxy, one cannot surf the internet and be truly anonymous, because the proxy belongs to someone somewhere and that information can be found out. You can hide your UA and IP behind one, but it is likely to keep a record of your use.
All this supposedly coming from a school in Mississippi (US) seems just a tad erroneous to me. There is more here than meets the eye.
It's possible that there is a flaw in server security and the IP is wide open for use by anyone who knows how to exploit it. It's also possible that the Mississippi Dept. of Education is renting out a proxy for use by anyone who's willing to pay.
*lol* try now ;)
There are databases of email relays [google.com] around, also open proxy databases [google.com]. Banning all you can find is easier than tracking down individual abusers; those kids are all around the place anyway. The alternative is simple rules, like serving a 403 for formmail requests, or "positive lists" - only allow anything if a, b, c.
/claus
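The two options claus mentions, a flat 403 for formmail requests and a "positive list" for the real form handler, fit in one .htaccess. The fragment below is an added example, not configuration from the thread; it completes the RewriteCond posted earlier (that line ends in [OR] and has no RewriteRule after it) and adds an allow-only rule for an assumed legitimate handler at /cgi-bin/contact.cgi on the assumed host www.my-site.com.

```apache
RewriteEngine On

# 1) Deny list: any request for a formmail-style script name gets a 403.
#    Pattern from the thread with literal "|" alternation; [NC] makes it case-insensitive,
#    [F] answers 403 Forbidden, [L] stops further rewriting.
RewriteCond %{REQUEST_URI} (mail.?form|form|form.?mail|mail|mailto)\.(cgi|exe|pl|asp|php)$ [NC]
RewriteRule .* - [F,L]

# 2) Positive list for the real handler (assumed path): only a POST whose Referer is a
#    page on this site passes; conditions AND by default, so the [OR] joins the two
#    "bad" cases and the URI check applies to both.
RewriteCond %{REQUEST_URI} ^/cgi-bin/contact\.cgi$
RewriteCond %{REQUEST_METHOD} !=POST [OR]
RewriteCond %{HTTP_REFERER} !^https?://www\.my-site\.com/ [NC]
RewriteRule .* - [F,L]
```

Two caveats a practitioner would want: the deny pattern is the one from the thread and is broad (an innocent /order_form.php is also refused), so test it against your own script names first; and the Referer check only stops casual scanners, since the probes in this very thread already spoof the site's own Referer, so a real form handler still needs its own recipient whitelist rather than relying on this rule alone.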