Andy Jacobs wrote:
> Hi all
>
> I'm not sure if this is the place to post but I don't know where to
> start! One of my customers who hosts on my RAQ has been getting strange
> e-mails. It looks to me like someone trying to send a form2mail script
> parameters (Bcc) to send spam. I've just changed the script to
> something different and it's still happening. The new script logs the
> IP address of the sender so I looked through the access log for that IP
> and got the following (I added line breaks to separate the wrapped
> entries):
>
> www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET /manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"
>
> www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
>
> XXXXXXX is one domain on the server
> YYYYYYY is another domain on the server and the one where the customer
> has complained about the weird e-mails.
>
> Can anyone throw any light on this please? I'm guessing that the IP
> address is probably fake.
The IP address is very probably real. It is not possible to run
a TCP connection with a totally fake IP.
Another story is if the real user sits behind that IP or is
just using a cracked host as a cloaking proxy.
It seems to be a host in a Hungarian university:
(extra information stripped)
inetnum: 192.146.134.0 - 192.146.134.255
remarks: netname: ABC-HU1
descr: Agricultural Biotechnology Center
descr: Szent-Gyorgyi A.u.4, H-2101 Godollo, Hungary
remarks: country: HU
admin-c: PF1936-RIPE
tech-c: PF1936-RIPE
netname: ABC-HU1
descr: Agricultural Biotechnology Center
country: HU
admin-c: JR487
tech-c: JR487
status: ASSIGNED PI
remarks: hrcode=3a1720c43
mnt-by: AS3346-MNT
person: Jozsef Remenyi
address: Szent Istvan University
address: Pater Karoly u. 1.
address: H-2103 Godollo
address: Hungary
phone: +36 28 522000
phone: +36 20 3293369
fax-no: +36 28 410804
e-mail: remenyi@abc.hu
nic-hdl: JR487
person: Peter Fabian
address: Agricultural Biotechnology Center Szent-Gyorgyi u 4. Hungary
address: Godollo H-2101
address: HU
phone: +36 28 430 600
fax-no: +36 28 420 096
e-mail: fabian@abc.hu
nic-hdl: PF1936-RIPE
mnt-by: RIPE-ERX-MNT
--
Tauno Voipio
tauno voipio (at) iki fi
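The two things the thread turns on are reading the access log for form-handler POSTs from one client, and closing the hole that lets a form-to-mail script be fed extra headers (the "Bcc" parameters Andy mentions). The Python below is an added example written for this page, not code from either poster or from FormMail/form2mail: it parses the vhost-prefixed combined log lines quoted above (reconstructed here as sample input, with the same XXXXXXX/YYYYYYY placeholders, plus one constructed benign line), counts form-handler POSTs per IP and vhost, and shows the header check a hardened form mailer would apply. The handler name list beyond FormMail.pl and form2mail.php, the `10.0.0.7` line and the `owner@example.invalid` address are assumptions made for the example.

```python
"""Triage a vhost combined access log for form-to-mail abuse, and show the
header-injection check that stops a mail form acting as a spam relay.
Added example, not from the original thread; sample data is constructed."""
import re
from collections import Counter, defaultdict

# Apache "combined" format with a leading virtual-host field, as in the post.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# FormMail.pl and form2mail.php appear in the post; the other names are
# common form-mailer handlers added here as an assumption.
FORM_MAIL_HANDLERS = ("formmail", "form2mail", "sendmail.php", "contact.php")

# Constructed sample: the six entries quoted in the post (de-wrapped) plus
# one ordinary browser submission from a different address for contrast.
SAMPLE_LOG = """\
www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET /manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"
www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"
www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"
www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
www.YYYYYYY.co.uk 10.0.0.7 - - [16/Nov/2005:16:40:00 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_form_mail_post(entry):
    path = entry["path"].lower()
    return entry["method"] == "POST" and any(h in path for h in FORM_MAIL_HANDLERS)


def form_mail_posts_by_ip(log_text):
    """Per client IP: number of form-handler POSTs, the vhosts hit, and how
    many came with an empty User-Agent. One address posting to mail forms on
    several vhosts with no User-Agent is exactly the pattern in the post."""
    counts, empty_ua, vhosts = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_form_mail_post(e):
            counts[e["ip"]] += 1
            vhosts[e["ip"]].add(e["vhost"])
            if e["ua"] == "-":
                empty_ua[e["ip"]] += 1
    return {ip: {"posts": n, "vhosts": sorted(vhosts[ip]), "empty_ua": empty_ua[ip]}
            for ip, n in counts.items()}


# Raw or URL-encoded CR/LF is what lets a form field start a new mail header.
CRLF_RE = re.compile(r'\r|\n|%0d|%0a', re.IGNORECASE)


def header_value_is_safe(value):
    """A form field may be placed in a mail header only if it cannot begin a
    new header line; the unchecked version of this is how a Bcc: gets added."""
    return CRLF_RE.search(value) is None


def compose_mail(fields, owner_address):
    """Headers a hardened form mailer would send: the recipient is fixed
    server-side and never taken from the form, and every field that reaches a
    header is checked first. Returns (headers, body) for the mailer to use."""
    for name in ("from", "subject"):
        if not header_value_is_safe(fields.get(name, "")):
            raise ValueError(f"header injection attempt in field {name!r}")
    headers = {
        "To": owner_address,
        "From": fields.get("from", "nobody@example.invalid"),
        "Subject": fields.get("subject", "(no subject)"),
    }
    return headers, fields.get("body", "")


if __name__ == "__main__":
    for ip, info in form_mail_posts_by_ip(SAMPLE_LOG).items():
        print(ip, info)
    print(compose_mail({"from": "visitor@example.invalid", "subject": "Enquiry",
                        "body": "Hello"}, "owner@example.invalid"))
```

Run against the real log, the per-IP summary gives the same answer Andy reached by hand (one address, both vhosts, no User-Agent on any request), and `compose_mail` shows the two fixes that matter for the script itself: the destination address lives in the script, not in a hidden form field, and any field copied into a header is rejected if it contains a line break in any encoding.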