
Global (Organized?) Formmail Queries

Here is what I've seen since the 14th of September, '03


pendanticist

7:52 pm on Sep 21, 2003 (gmt 0)

This was just a bit ago and all within eight (8) seconds:

202.103.216.170 - - [21/Sep/2003:11:39:08 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 1135 "http//www.Blahblah.com/" "-"
202.103.216.170 - - [21/Sep/2003:11:39:09 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 936 "http//www.Blahblah.com/" "-"
80.58.33.235 - - [21/Sep/2003:11:39:12 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 933 "http//www.Blahblah.com/" "-"
203.190.139.72 - - [21/Sep/2003:11:39:14 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 939 "http//www.Blahblah.com/" "-"
66.30.27.104 - - [21/Sep/2003:11:39:16 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 927 "http//www.Blahblah.com/" "-"

...and the first one all within two (2) seconds.

24.147.198.154 - - [14/Sep/2003:20:16:39 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 936 "http//www.Blahblah.com/" "-"
209.107.77.84 - - [14/Sep/2003:20:16:40 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 912 "http//www.Blahblah.com/" "-"
66.204.69.3 - - [14/Sep/2003:20:16:41 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 942 "http//www.Blahblah.com/" "-"
209.247.34.204 - - [14/Sep/2003:20:16:41 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 939 "http//www.Blahblah.com/" "-"

Since these two events clearly are NOT a matter of happenstance, I thought I'd pass this along.

Pendanticist.

pendanticist

4:18 pm on Sep 22, 2003 (gmt 0)

This time they brought slightly different, uhm, cohorts and slowed the pace to twenty-four (24) seconds.

I guess they figured if they broadened the scope of time this globally organized assault would somehow look less... organized. <he said facetiously>

202.103.216.170 - - [22/Sep/2003:01:41:38 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 1135 "http//www.Blahblah.com/" "-"
202.103.216.170 - - [22/Sep/2003:01:41:54 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 942 "http//www.Blahblah.com/" "-"
194.243.112.69 - - [22/Sep/2003:01:41:59 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 936 "http//www.Blahblah.com/" "-"
66.30.27.104 - - [22/Sep/2003:01:42:01 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 945 "http//www.Blahblah.com/" "-"
217.215.130.17 - - [22/Sep/2003:01:42:02 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 948 "http//www.Blahblah.com/" "-"

Both 202.103.216.170 and 66.30.27.104 being the returnees.

Pendanticist.

wkitty42

1:37 am on Sep 25, 2003 (gmt 0)

i see that those are POST attempts... are you not seeing any GET attempts? i've logs of them and the GETs are the ones i find very interesting since they carry all the variables and data in the request ;)

pendanticist

8:48 pm on Sep 25, 2003 (gmt 0)

Here is the most recent overnight attack.

>.. are you not seeing any GET attempts?

You'll notice there is only one GET during each attack. As to what, or why that is, I have no idea.

Must be some hierarchical reason for only one attacker requesting a GET? Something server-side perhaps?

...all in two (2) seconds.

65.247.155.207 - - [25/Sep/2003:02:28:24 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 1135 "http*//www.Blahblah.com/" "-"
65.247.155.207 - - [25/Sep/2003:02:28:24 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 939 "http*//www.Blahblah.com/" "-"
65.105.130.53 - - [25/Sep/2003:02:28:25 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 933 "http*//www.Blahblah.com/" "-"
65.172.164.2 - - [25/Sep/2003:02:28:25 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 939 "http*//www.Blahblah.com/" "-"
206.15.234.214 - - [25/Sep/2003:02:28:26 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 942 "http*//www.Blahblah.com/" "-"

You'll notice that was also the case this time, a single GET and that the, uh, returnee is absent during this attack.

Pendanticist.

pendanticist

5:09 am on Sep 27, 2003 (gmt 0)

Still but one GET and in eight (8) seconds this time.

207.218.85.90 - - [26/Sep/2003:21:24:01 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 1135 "http*//Blahblah.com/" "-"
207.218.85.90 - - [26/Sep/2003:21:24:05 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 942 "http*//Blahblah.com/" "-"
66.90.9.18 - - [26/Sep/2003:21:24:06 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 936 "http*//Blahblah.com/" "-"
63.114.100.241 - - [26/Sep/2003:21:24:08 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 939 "http*//Blahblah.com/" "-"
66.90.9.18 - - [26/Sep/2003:21:24:09 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 936 "http*//Blahblah.com/" "-"

These are all new players too.

Pendanticist.

pendanticist

7:55 pm on Sep 27, 2003 (gmt 0)

Ahhh, the saga continues...in six (6) seconds.

205.158.63.45 - - [27/Sep/2003:11:09:59 -0700] "GET /cgi-bin/formmail.pl HTTP/1.1" 200 1147 "http*//Blahblah.com/" "-"
205.158.63.45 - - [27/Sep/2003:11:10:00 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 945 "http*//Blahblah.com/" "-"
216.162.31.2 - - [27/Sep/2003:11:10:03 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 942 "http*//Blahblah.com/" "-"
198.143.64.80 - - [27/Sep/2003:11:10:04 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 939 "http*//Blahblah.com/" "-"
65.223.72.41 - - [27/Sep/2003:11:10:05 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 951 "http*//Blahblah.com/" "-"

Again with all new players and a single GET.

Enterprising individuals ain't they? <chuckle>

Pendanticist.
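One way to pick bursts like the ones above out of an access log automatically, as an added example and not code from anyone in this thread: it parses Apache combined-format lines, keeps only hits on /cgi-bin/formmail.pl, and reports any run of requests inside a short window that comes from several distinct IPs, along with the GET/POST split. The sample log is constructed here using documentation IP ranges, not the thread's own entries.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: one four-IP burst in eight seconds, then ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2003:11:39:08 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 1135 "-" "-"
192.0.2.10 - - [21/Sep/2003:11:39:09 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 936 "-" "-"
198.51.100.7 - - [21/Sep/2003:11:39:12 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 933 "-" "-"
203.0.113.44 - - [21/Sep/2003:11:39:14 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 939 "-" "-"
198.51.100.200 - - [21/Sep/2003:11:39:16 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 927 "-" "-"
192.0.2.55 - - [21/Sep/2003:11:40:00 -0700] "GET /index.html HTTP/1.1" 200 4210 "-" "Mozilla/4.0"
203.0.113.9 - - [21/Sep/2003:12:45:31 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 940 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def find_formmail_bursts(lines, window=timedelta(seconds=30), min_ips=3,
                         target="/cgi-bin/formmail.pl"):
    """Group hits on the target script that fall within `window` of the first hit
    in the group; report groups that come from at least `min_ips` distinct IPs."""
    hits = [r for r in map(parse_line, lines) if r and r["path"].lower() == target]
    hits.sort(key=lambda r: r["time"])
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1]["time"] - hits[i]["time"] <= window:
            j += 1
        group = hits[i:j + 1]
        ips = {r["ip"] for r in group}
        if len(ips) >= min_ips:
            bursts.append({
                "start": group[0]["time"].isoformat(),
                "span_seconds": int((group[-1]["time"] - group[0]["time"]).total_seconds()),
                "distinct_ips": sorted(ips),
                "gets": sum(r["method"] == "GET" for r in group),
                "posts": sum(r["method"] == "POST" for r in group),
            })
        i = j + 1
    return bursts

if __name__ == "__main__":
    for b in find_formmail_bursts(SAMPLE_LOG.splitlines()):
        print(b)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the window and IP threshold are tunable to the timings the thread reports.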

Dreamquick

8:37 pm on Sep 27, 2003 (gmt 0)

pendanticist ... am I reading those logs wrong or is it returning a status code of 200 for their request?

As for "why a mix of GET & POST", I think they are probably hedging their bets; maybe each request represents an attempt to exploit a different brand/version of the script?

- Tony

BlueSky

9:07 pm on Sep 27, 2003 (gmt 0)

Could it be they are testing to see whether you have the script first using GET. I guess you do since it's returning a 200. So, they then pass the outgoing email info to the script next via POST? My logs don't show POST variables, but I'm not sure if that's the standard or not.

Anyway, you really need to change that script's name or password protect the directory. That 200 is a magnet for them. No wonder they keep coming back to you so frequently.

wkitty42

1:46 am on Sep 28, 2003 (gmt 0)

i've never seen POSTs carry the data in with them... only GETS...

as for the 200s... i, too, feed them 200s... why? because it's a script specially set up to gather their info, log it, and report it... what they are doing is wrong and the only time someone should be accessing a formmail script is when they are manually accessing a site and posting via that site...

i've even got several years' worth of data on them doing this... started logging it the very first time they ever hit my site and i've never had a formmail script or even a guestbook... it is obvious that they have never visited my site to even see if there is a formmail script available... they're just hitting all the sites they can find and hoping to come across one that has a formmail script that is insecure...

DaveAtIFG

2:23 am on Sep 28, 2003 (gmt 0)

> they're just hitting all the sites they can find and hoping to come across one that has a formmail script that is insecure...

A support rep at my hosting company told me that there are scripts available from hacking boards to do exactly that. It was during a discussion that resulted from a formmail script being hacked on my site. I "mysteriously" began receiving bounced emails that I never sent. Lots of 'em!

In response, I deleted formmail scripts on all of my sites and moved to a more secure solution.

BlueSky

3:08 am on Sep 28, 2003 (gmt 0)

Oh okay, if he's using it as a logger too then I withdraw my suggestion. The server logs all this info so I just feed them 401s myself.

pendanticist

5:34 am on Sep 28, 2003 (gmt 0)

To all: Thanks! :)

Great input, but no time for me to reply tonight.

ZZZzzzzz.....

Pendanticist.

claus

11:22 am on Oct 10, 2003 (gmt 0)

Just to keep track of related posts: Possible evidence about "what & who" in this thread: Cloaking Device Made for Spammers [webmasterworld.com]

/claus