I posted a message about problems I'm having with visitors to my formmail.cgi in the Tracking and Logging forum. I'm not clear on a few things and wondered if someone from this forum could read my message there and answer my questions. I have a list of IPs that have visited only my *.cgi files and I'm ready to go through and deny them access if this is the best approach. Can anyone help?
Thanks!
One approach is to rename the file: instead of formmail.cgi or whatever, call it something else ...
Many of the hacker attempts just seem to poll
domain/cgi-bin/
for all sorts of formmail files with different endings.
I would go further than deny .. gather the dodgy IPs together from your access and error logs (make sure they are the dodgy ones :-), sort them into IP order, whois / traceroute and collect their service providers' details, then send an email with all details to their ISP abuse address and demand those user accounts be terminated.
the advantage of renaming your script something other than formmail is that you know anyone polling your cgi-bin for that is up to no good as none of your forms will be requesting it.
Nearly all ISPs have clauses in their TOS which do not permit people to try this .. that file on your site is only intended to be interacted with by your form; anyone trying to get direct access to that script is up to no good, for the sake of spamming through your script.
BTW2 there are patched versions of that script requiring permitted email and domains to be input server side .. and I think requiring the request to come from your page .. make sure if you have not already that you have one of those later patched versions.
To ban the requests, I use lines similar to these in my .htaccess:

RewriteCond %{REQUEST_URI} (.?mail.?form|form|(GM)?form.?.?mail|.?mail)(2|to)?\.?(asp|cgi|exe|php|pl|pm)?$ [NC]
RewriteRule .* - [F,L]

The lines tell the User-Agent that what they just tried to do is forbidden - the top line has been split in two. If you want to use it, you have to replace the broken pipe "¦" with one you enter from your keyboard. It should be a solid line, but this forum replaces them in posts.
Otherwise, here's a link for a nice script that you can upload and save as "formmail.cgi" or "formmail.pl" - it catches the mail-exploit hunters and bans them. You'll have to rename your real formmail script to something else first, but that should always be done anyhow:
[webmasterworld.com...]
/claus
Thanks again! Off to ban those IPs!
The difference is that if it is there then attempts to exploit it may also be made, if it is not there these cannot take effect.
Renaming the script is only a partial defense against people that are using simple automation to poll for it; they usually poll for variants of formmail.*, perhaps formmail.cgi, formmail.pl etc.
Even if you rename it if you are using it to process form outputs then your forms will have to call the renamed script so spammers who wish to take the time could look at the code of your form and find the renamed script.
This is why if your host has not done some work to patch the script, or if you are not using the latest version which has been improved, you are taking a security risk.
I think it's instructive that those that can arrange their own or custom scripts generally prefer to use them. There are so many examples of formmail out there that exploits are quickly picked up.
Before I had a fixed one and went after abusers' accounts I did have thousands of exploits in a short period of time to an earlier version. Check your logs; it's usually quite clear if someone is abusing this script, and your hosting provider should be as concerned about it as you should be.
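A way to do the log check the thread keeps coming back to (gather the IPs hitting formmail-style names from the access log, sort them, and get them ready for an abuse complaint), written as an added example that is not from any poster here. It reuses the RewriteCond pattern posted above with the forum's "¦" restored to "|", parses Apache "combined" log lines, and reports each source IP with the formmail-like paths it requested. The log lines are constructed samples using documentation IP ranges, and /cgi-bin/contact-handler.cgi stands in for whatever you renamed your real script to (an assumption, not a name from the thread).

```python
"""Tally source IPs probing for formmail-style scripts in an Apache access log."""
import re
from collections import defaultdict

# The thread's RewriteCond pattern with the forum-mangled "¦" put back as "|".
# Apache's %{REQUEST_URI} carries no query string, so it is matched against the path only.
FORMMAIL_PROBE = re.compile(
    r"(.?mail.?form|form|(GM)?form.?.?mail|.?mail)(2|to)?\.?(asp|cgi|exe|php|pl|pm)?$",
    re.IGNORECASE,
)

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def is_formmail_probe(target):
    """True if the request path (query string dropped) looks like a hunt for a formmail script."""
    path = target.split("?", 1)[0]
    return FORMMAIL_PROBE.search(path) is not None


def find_probers(lines):
    """Map each source IP to the sorted list of distinct formmail-like paths it requested."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_formmail_probe(rec["target"]):
            hits[rec["ip"]].add(rec["target"].split("?", 1)[0])
    return {ip: sorted(paths) for ip, paths in hits.items()}


def abuse_report(probers):
    """One line per IP, busiest first, in a shape you can paste into an abuse complaint."""
    rows = sorted(probers.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{ip}\t{len(paths)} probe(s)\t{', '.join(paths)}" for ip, paths in rows]


# Constructed sample log (documentation IP ranges; the renamed handler name is an assumption).
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2004:13:55:36 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 207 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Oct/2004:13:55:37 +0000] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 207 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Oct/2004:13:55:38 +0000] "GET /cgi-bin/formmail.php HTTP/1.0" 404 207 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2004:14:02:11 +0000] "POST /cgi-bin/mailform.cgi?recipient=x@example.net HTTP/1.1" 404 207 "-" "-"
192.0.2.10 - - [10/Oct/2004:14:10:02 +0000] "POST /cgi-bin/contact-handler.cgi HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2004:14:10:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for row in abuse_report(find_probers(SAMPLE_LOG)):
        print(row)
```

Run it against your real log with `find_probers(open("access_log"))` instead of the sample. Note that the posted pattern is deliberately broad: it matches any path ending in "form" or "mail" as well as the usual formmail.cgi / formmail.pl variants, so check the report against the URLs your own forms legitimately use before turning any of these IPs into deny rules or complaints.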