Considering I no longer have server side CGI-Bins, whaddaya make of this? Someone trying to spoof me?
62.218.2.99 - - [01/Dec/2002:01:58:43 -0800] "GET /cgi-bin/formmail.cgi?email=rockstar@mail.com&subject=www.mydomain.com/cgi-bin/formmail.cgi&message=rockstar&recipient=ambersucks@empty-backpack.net HTTP/1.1" 200 918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
62.218.2.99 - - [01/Dec/2002:01:58:43 -0800] "GET /cgi-bin/FormMail.cgi?email=rockstar@mail.com&subject=www.mydomain.com/cgi-bin/FormMail.cgi&message=rockstar&recipient=ambersucks@empty-backpack.net HTTP/1.1" 200 918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
62.218.2.99 - - [01/Dec/2002:01:58:43 -0800] "GET /cgi-bin/FormMail.pl?email=rockstar@mail.com&subject=www.mydomain.com/cgi-bin/FormMail.pl&message=rockstar&recipient=ambersucks@empty-backpack.net HTTP/1.1" 200 918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
62.218.2.99 - - [01/Dec/2002:01:58:43 -0800] "GET /cgi-bin/formmail.pl?email=rockstar@mail.com&subject=www.mydomain.com/cgi-bin/formmail.pl&message=rockstar&recipient=ambersucks@empty-backpack.net HTTP/1.1" 200 918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Here are the particulars I found.
12/01/02 11:36:37 IP block 62.218.2.99
Trying 62.218.2.99 at ARIN
Trying 62.218.2 at ARIN
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
NetRange: 62.0.0.0 - 62.255.255.255
CIDR: 62.0.0.0/8
NetName: RIPE-C3
NetHandle: NET-62-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: AUTH03.NS.UU.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: MUNNARI.OZ.AU
NameServer: NS.APNIC.NET
Comment: These addresses have been further assigned to users in
the RIPE NCC region. Contact information can be found in
the RIPE database at whois.ripe.net
RegDate: 1997-04-25
Updated: 2002-09-11
OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: Reseaux IP European Network Co-ordination Centre S
OrgTechPhone: +31 20 535 4444
OrgTechEmail: nicdb@ripe.net
Thanks all.
Pendanticist
And here's what RIPE [ripe.net] has to say about it - check out that prominent "report abuse" contact.
Formmail exploits are definitely abuse - go ahead and report it.
Jim
<snip>
email=rockstar@mail.com&subject=www.mydomain.com/cgi-bin/formmail.cgi&message=rockstar&recipient=ambersucks@empty-backpack.net
</snip>
Thanks Jim, I reported it earlier. My question was really regarding the above portion of the string.
If there are no cgi-bins at all, what is this portion trying to convey?
Success? Fear (on my part) of success?
Or, is the string merely a part of the query itself?
Sorry if I wasn't clear on this :-(
This is only the second one I've gotten which looks like this one.
Oh, and I just this minute did a google search and this is all that was found. Interesting: [empty-backpack.net...]
Pendanticist.
He's trying to pass that string to formmail, which would send it from your server's e-mail account.
Since you don't have formmail, nothing happens. But if you did, then he'd know, and your server would be identified. After that, you would become a major spam portal until your host shut you down. :o
Jim
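A log-scanning check for this pattern, added here as an example and not taken from any post in this thread: it parses Apache combined-format lines like the ones pasted above, flags GETs to a FormMail script variant that carry a recipient parameter (the field a working FormMail would relay mail to), and groups them by source IP and recipient. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined-log line, the format of the entries pasted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Script names the probes try, matched case-insensitively (formmail.cgi, FormMail.pl, ...).
FORMMAIL_RE = re.compile(r'/cgi-bin/formmail\.(?:cgi|pl)$', re.IGNORECASE)

def parse_line(line):
    """Split one log line into fields; returns None for lines not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def is_formmail_probe(rec):
    """True when the request targets a FormMail script and supplies an external
    'recipient' address, the parameter a real FormMail would relay mail to."""
    return bool(FORMMAIL_RE.search(rec["path"])) and "recipient" in rec["query"]

def summarize_probes(lines):
    """Group probes by (source IP, recipient) and list the script variants tried."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec and is_formmail_probe(rec):
            hits.setdefault((rec["ip"], rec["query"]["recipient"]), []).append(rec["path"])
    return hits

# Constructed sample log (not real traffic): two probe variants, one ordinary hit,
# and one formmail request without a recipient, which is not flagged.
SAMPLE_LOG = [
    '62.218.2.99 - - [01/Dec/2002:01:58:43 -0800] "GET /cgi-bin/formmail.cgi?email=a@mail.com&subject=www.mydomain.com/cgi-bin/formmail.cgi&message=x&recipient=spamtest@example.net HTTP/1.1" 200 918 "-" "Mozilla/4.0"',
    '62.218.2.99 - - [01/Dec/2002:01:58:43 -0800] "GET /cgi-bin/FormMail.pl?email=a@mail.com&recipient=spamtest@example.net HTTP/1.1" 200 918 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Dec/2002:02:00:00 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [01/Dec/2002:02:01:00 -0800] "GET /cgi-bin/formmail.cgi?email=a@mail.com HTTP/1.1" 404 300 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (ip, recipient), paths in summarize_probes(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} FormMail variant(s) with recipient={recipient}: {paths}")
```

A 200 on such a request from a server with no cgi-bin (as in the lines above) is just the catch-all page, so pair this with the response size or a 404 check before treating any hit as a working relay.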
The script kiddies just spider through the internet to find some old formmail to abuse. I used to have several dull kiddies in my log coming back every week for more than a year now.
And btw, if they want a formmail, why not let them have one ... This way I keep them busy for 42 seconds before they go bothering the next site ...
Regards,
R.
#!/usr/bin/perl -wT
# a formmail wait fake
use strict;
use CGI qw(:standard escapeHTML);
sleep(42);
print header(),
start_html("formmail.pl"),
p("You wanted a formmail? Well, here it is ..."),
end_html();
# done