In article <HDKef.345$dW1.15@read3.inet.fi>,
Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
> Andy Jacobs wrote:
> > Hi all
> >
> > I'm not sure if this is the place to post but I don't know where to
> > start! One of my customers who hosts on my RAQ has been getting strange
> > e-mails. It looks to me like someone trying to send a form2mail script
> > parameters (Bcc) to send spam. I've just changed the script to
> > something different and it's still happening. The new script logs the
> > IP address of the sender so I looked through the access log for that IP
> > and got the following (I added line breaks to separate the wrapped
> > entries):
> >
> > www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET
> > /manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"
> >
> > www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST
> > /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST
> > /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET
> > /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST
> > /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST
> > /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
> >
> > XXXXXXX is one domain on the server
> > YYYYYYY is another domain on the server and the one where the customer
> > has complained about the weird e-mails.
> >
> > Can anyone throw any light on this please? I'm guessing that the IP
> > address is probably fake.
>
>
> The IP address is very probably real. It is not possible to run
> a TCP connection with a totally fake IP.
>
> Another story is if the real user sits behind that IP or is
> just using a cracked host as a cloaking proxy.
>
> It seems to be a host in a Hungarian university:

I found this too. I've sent an e-mail to the person listed but I'm
doubtful of it achieving anything.

The other one that intrigues me is from the same address and that's the
first one as it appears to be accessing a file that's outside of
anything web accessible.

I'm still interested in knowing if these are people trying to use the
form from outside - i.e. through the browser, or whether the server has
been compromised. The form2mail.php file was installed yesterday, went
live with a new site on the domain this afternoon and was being used
within a couple of hours. How could anyone find this file?
Andy
--
Andy Jacobs
www.redcatmedia.net
Intelligent Websites For Intelligent Business People
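As an added illustration of the log review described in this thread (example code, not something either poster wrote): the script below parses access-log lines in the same layout as the ones quoted above (virtual host, then Apache combined format), groups requests by client IP, and flags addresses that repeatedly POST to mail-form scripts with no User-Agent or across several virtual hosts. It also includes the check a form-to-mail handler should apply to submitted fields, since extra Bcc:/Cc: headers are smuggled in through line breaks in form input. The log lines, hostnames and IP addresses are constructed (RFC 5737 documentation ranges), and the function names and the mail-form path pattern are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the layout of the lines quoted in the thread:
# "<vhost> <ip> - - [<time>] "<request>" <status> <bytes> "<referer>" "<ua>""
SAMPLE_LOG = """\
www.example-one.co.uk 192.0.2.10 - - [16/Nov/2005:12:47:01 +0000] "GET /manual/mod/core.html HTTP/1.0" 404 645 "-" "-"
www.example-one.co.uk 192.0.2.10 - - [16/Nov/2005:12:47:05 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.example-one.co.uk/" "-"
www.example-two.co.uk 192.0.2.10 - - [16/Nov/2005:16:30:21 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.example-two.co.uk/" "-"
www.example-two.co.uk 192.0.2.10 - - [16/Nov/2005:16:30:49 +0000] "GET /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"
www.example-two.co.uk 192.0.2.10 - - [16/Nov/2005:16:31:03 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.example-two.co.uk/" "-"
www.example-two.co.uk 198.51.100.7 - - [16/Nov/2005:16:35:00 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.example-two.co.uk/contact.html" "Mozilla/5.0"
"""

# Virtual-host prefix followed by the Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script names commonly used for form-to-mail handlers (assumed list; extend for your site).
MAIL_FORM_RE = re.compile(r"(formmail|form2mail|mailform|sendmail)", re.I)


def parse_log(text):
    """Parse each log line into a dict of named fields; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def flag_mail_form_abuse(entries, min_posts=2):
    """Group requests by client IP and report IPs that look like they are
    driving mail-form scripts directly rather than through a browser.
    Returns {ip: [reason, ...]} for every IP that crosses the threshold."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, reqs in by_ip.items():
        posts = [r for r in reqs if r["method"] == "POST" and MAIL_FORM_RE.search(r["path"])]
        if len(posts) < min_posts:
            continue
        reasons = [f"{len(posts)} POSTs to mail-form scripts"]
        # Scripted senders typically omit the User-Agent header altogether.
        if all(r["ua"] == "-" for r in posts):
            reasons.append("no User-Agent on any POST")
        # One client probing mail forms on several hosted domains is another tell.
        vhosts = {r["vhost"] for r in posts}
        if len(vhosts) > 1:
            reasons.append(f"hits {len(vhosts)} virtual hosts")
        report[ip] = reasons
    return report


def has_header_injection(field_value):
    """True if a submitted form field contains a line break (CR or LF) or starts
    with a header keyword. Either would let a value that is pasted into mail
    headers (From:, Subject:, ...) introduce extra Bcc:/Cc: recipients.
    A form handler should reject the submission when this returns True."""
    if re.search(r"[\r\n]", field_value):
        return True
    return re.search(r"^\s*(bcc|cc|to|content-type)\s*:", field_value, re.I | re.M) is not None


if __name__ == "__main__":
    for ip, reasons in flag_mail_form_abuse(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
    print(has_header_injection("user@example.com\r\nBcc: other@example.net"))
```

Run against the sample, the first address is reported for three mail-form POSTs with no User-Agent across two virtual hosts, while the single browser-looking POST from the second address is not. The same `has_header_injection` check belongs in the form handler itself: rejecting any field with a CR, LF or leading header keyword before it reaches the mail call closes the Bcc-smuggling route regardless of who found the script.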