
RE: [cobalt-users] OT Hosting company scanning my Cobalt



Actually, I suggest grepping for "formmail", as the "w00t" may not
necessarily be in the logs. I've noticed that my servers have been hit
constantly today looking for formmail so it can be used to send SPAM from my
box.



-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Dan Kriwitsky
Sent: Friday, August 16, 2002 12:20
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] OT Hosting company scanning my Cobalt



BTW, speaking of illegal access: if anyone is grepping their access
files, look for "w00t". It's a formmail hack attempt and reveals the
email address the spammer is using to receive the output of a broken
formmail. e.g.,
www.airports.worldsbestdeals.com 24-168-45-54.nyc.rr.com - -
[16/Aug/2002:08:54:09 -0500] "GET
/cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=airports%2Eworldsbestd
eals%2Ecom%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=tcatenaccio%40mail%2Eco
m&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 200
1628 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"

Note: f2@xxxxxxx is just the decoy. tcatenaccio@xxxxxxxx is the actual
intended recipient of the info.
--
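
Added example (not part of either message): a small Python log filter that combines both suggestions in the thread, matching on "formmail" in the request path rather than on the "w00t" marker, and URL-decoding the recipient= parameter. The sample lines, addresses and the client_field parameter are constructed for illustration; the column layout is assumed to match the vhost-prefixed entry quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request target and status from a quoted request field: "GET /path?query ..." 200
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (not real traffic), laid out like the entry quoted
# in the thread: vhost, client, ident, user, [time], "request", status, ...
SAMPLE_LOG = [
    'www.example.org 192.0.2.10 - - [16/Aug/2002:08:54:09 -0500] "GET /cgi-bin/formmail.pl?email=decoy%40example%2Ecom&subject=www%2Eexample%2Eorg%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=collector%40example%2Enet&msg=w00t HTTP/1.1" 200 1628 "-" "Mozilla/4.0"',
    'www.example.org 192.0.2.11 - - [16/Aug/2002:08:55:10 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    # No "w00t" here, so a grep for the marker alone would miss this probe.
    'www.example.org 192.0.2.12 - - [16/Aug/2002:09:01:44 -0500] "GET /cgi-bin/FormMail.cgi?recipient=other%40example%2Enet&msg=test HTTP/1.0" 404 290 "-" "-"',
]

def formmail_probes(lines, client_field=1):
    """Return one record per request whose path mentions formmail.

    client_field is the whitespace-separated column holding the client
    (assumed 1 for the vhost-prefixed layout, 0 for plain combined logs).
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if "formmail" not in target.path.lower():
            continue
        # parse_qs undoes the %40 / %2E encoding seen in the logged query.
        # POST probes carry their fields in the body, so these stay empty.
        params = parse_qs(target.query)
        hits.append({
            "client": line.split()[client_field],
            "status": int(m.group(2)),  # 200 means a script answered the probe
            "recipients": params.get("recipient", []),
            "marker": params.get("msg", [""])[0],
        })
    return hits

if __name__ == "__main__":
    for hit in formmail_probes(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit means a script at that path answered, so that path is the one to check for an outdated formmail.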