Gossamer Forum

Search engines looks for formmail.cgi (hack?)

I noticed that some search engines (or just a few people?) are looking for formmail.cgi or formmail.pl in the cgi-bin directory. This happens very often, from different addresses, looking for mixed upper- and lower-case spellings of FormMail.cgi or .pl.
It seems they want to find a formmail CGI and get access to a form mailer, so they can send spam emails from the website.
Fortunately I don't have to be afraid of others spamming from my site, but this is an interesting hacking or spamming action...
We should be aware of these actions.

Did anybody else find similar occurrences in their webserver error log?

Best regards,
Webmaster33


Paid Support
from Webmaster33. Expert in Perl programming & Gossamer Threads applications. (click here for prices)
Webmaster33's products (upd.2004.09.26) | Private message | Contact me | Was my post helpful? Donate my help...
Re: [webmaster33] Search engines looks for formmail.cgi (hack?) In reply to
Yes, it's quite common actually. Our servers regularly get scanned looking for an exploitable formmail to send out spam to.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Search engines looks for formmail.cgi (hack?) In reply to
Maybe we could install a fake formmail.cgi which actually does not send out anything, but saves the info about the sender, and the email that would have been sent out...
We could catch them this way...

Opinion?

Best regards,
Webmaster33


Re: [webmaster33] Search engines looks for formmail.cgi (hack?) In reply to
Why? It just means you'll have to handle getting spammed with thousands of hits. As soon as the robots find a vulnerable formmail.cgi, your server will get hammered with cgi requests sending out thousands and thousands of mail.

You could easily log the IPs of the people scanning for these by searching your log files.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [webmaster33] Search engines looks for formmail.cgi (hack?) In reply to
They are also looking for autoresponders... mreply.rc is somehow being misused by spammers, not exactly sure how though.
Re: [Watts] Search engines looks for formmail.cgi (hack?) In reply to
The script formmail.cgi should be modified, so only the first X emails should be allowed to be sent out correctly. And also logged to a file. So we can track them.

Best regards,
Webmaster33


Re: [webmaster33] Search engines looks for formmail.cgi (hack?) In reply to
I just tried this quickly and it seemed to work. It should list the IPs from your access log of anyone requesting formmail.cgi.

Code:
[pwilson@cypress httpd]$ cat /var/log/httpd/access_log | grep -i formmail | awk '{print $1}' | sort | uniq

You can use "sed" if you want to use a better matching alogorythm (can't spell doh).

Last edited by: Paul: Jan 6, 2003, 12:01 PM
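
Added example, not part of the original thread or any poster's code: a version of the log search discussed above that goes a little further. It matches only the requested path (so a referrer or user agent mentioning formmail is not counted), covers both .cgi and .pl in any letter case, and reports per client how many requests were POSTs and how many got a 2xx answer, which means a script really exists at that path. It assumes Apache common/combined log format; `formmail_probes` and `sample_log` are hypothetical names, and the log lines are constructed using documentation addresses.

```shell
#!/bin/sh
# Added example: per-client summary of formmail probes in an Apache
# common/combined-format access log (the format is an assumption).

formmail_probes() {   # hypothetical helper; $1 = path to the access log
    LC_ALL=C awk '
    # Well-formed request lines only: $6 is "METHOD, $7 the URL, $9 the status.
    $6 ~ /^"[A-Z]+$/ {
        path = tolower($7)                 # FormMail.cgi, FORMMAIL.PL, ...
        sub(/\?.*/, "", path)              # ignore any query string
        if (path !~ /\/formmail\.(cgi|pl)$/) next
        ip = $1
        probes[ip]++
        if ($6 == "\"POST") posts[ip]++    # submissions, not just lookups
        if ($9 ~ /^2/) answered[ip]++      # 2xx: a script exists at that path
    }
    END {
        for (ip in probes)
            printf "%s probes=%d posts=%d answered=%d\n",
                   ip, probes[ip], posts[ip], answered[ip]
    }' "$1" | LC_ALL=C sort
}

sample_log() {        # constructed sample data, not real traffic
    cat <<'EOF'
192.0.2.10 - - [06/Jan/2003:11:40:01 -0800] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 290 "-" "-"
192.0.2.10 - - [06/Jan/2003:11:40:02 -0800] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 290 "-" "-"
192.0.2.10 - - [06/Jan/2003:11:40:03 -0800] "GET /cgi-bin/formmail.cgi?x=1 HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [06/Jan/2003:11:41:10 -0800] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [06/Jan/2003:11:42:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "http://example.com/formmail.cgi" "-"
EOF
}

# Stand-alone run against the constructed sample.
log=$(mktemp)
sample_log > "$log"
formmail_probes "$log"
rm -f "$log"
```

Any client with `answered` above zero deserves a look first, since it reached a script that responded rather than a 404.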