RE: [cobalt-users] OT Hosting company scanning my Cobalt
- Subject: RE: [cobalt-users] OT Hosting company scanning my Cobalt
- From: "Jolley, Carl" <Carl.Jolley@xxxxxxx>
- Date: Fri Aug 16 13:07:45 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message-----
From: Jonathan Michaelson
Sent: Friday, August 16, 2002 12:35 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] OT Hosting company scanning my Cobalt
Hi Dan,
> BTW, speaking of illegal access: if anyone is grepping their access
> files, look for "w00t". It's a formmail hack attempt and reveals the
> email address the spammer is using to receive the output of a broken
> formmail. e.g.,
> www.airports.worldsbestdeals.com 24-168-45-54.nyc.rr.com - -
> [16/Aug/2002:08:54:09 -0500] "GET
> /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=airports%2Eworldsbestd
> eals%2Ecom%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=tcatenaccio%40mail%2Eco
> m&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 200
> 1628 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
>
> Note: f2@xxxxxxx is just the decoy. tcatenaccio@xxxxxxxx is the actual
> intended recipient of the info.
We're getting a variant of that about 2 or 3 times a day on one of our
servers. It's interesting the things people are scanning for and how they
reveal themselves in their own actions.
I wonder how many administrators actually check their Apache error logs?
It's a trivial mod to logcheck for those that aren't and want something that
will notify them nicely.
------------------------
Of course if an open formmail script has been found, there won't be any
entries in the Apache error log, only the Apache access log and of course
the /var/log/maillog for all the mails that are being sent that way.
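
The access-log check discussed in this thread, as an added example that is not part of the original messages: it finds formmail requests, percent-decodes the query string, and reports the `recipient` address and whether the `w00t` marker is present. The sample lines, addresses and the function name `find_formmail_probes` are constructed for illustration, and the vhost-prefixed log format is assumed from the line quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line and status code of an Apache access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (placeholder hosts and addresses, not real data).
SAMPLE_LOG = [
    'www.example.com 192.0.2.10 - - [16/Aug/2002:08:54:09 -0500] '
    '"GET /cgi-bin/formmail.pl?email=decoy%40example%2Ecom&subject=www%2Eexample%2Ecom'
    '&recipient=collector%40example%2Enet&msg=w00t HTTP/1.1" 200 1628 "-" "Mozilla/4.0"',
    'www.example.com 192.0.2.11 - - [16/Aug/2002:09:01:12 -0500] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'www.example.com 192.0.2.12 - - [16/Aug/2002:09:30:40 -0500] '
    '"GET /cgi-bin/FormMail.pl?recipient=other%40example%2Eorg&msg=test HTTP/1.0" 404 210 "-" "-"',
]

def find_formmail_probes(lines):
    """Return one dict per formmail request found in the access-log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if "formmail" not in url.path.lower():
            continue
        params = parse_qs(url.query)  # decodes %40 -> @, %2E -> .
        hits.append({
            "client": line.split()[1],  # assumed format: vhost first, client second
            "status": int(m.group("status")),
            "recipients": params.get("recipient", []),
            "w00t": "w00t" in params.get("msg", []),
            # A 200 means the script exists and answered; check the mail log next.
            "script_answered": m.group("status") == "200",
        })
    return hits

if __name__ == "__main__":
    for hit in find_formmail_probes(SAMPLE_LOG):
        print(hit)
```

A hit with `script_answered` set is the case described in the last reply: nothing shows up in the error log, so the access log and `/var/log/maillog` are where to look.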