Discussion:
mail probe 'storms'
Pete
2004-08-29 20:14:11 UTC
I'm curious if anyone knows details of a phenomenon that shows up
in our 404 log at irregular intervals.

There will be a sudden 'storm' of POST requests from different hosts,
each requesting a different mail service, like 'cgi-bin/formail.pl'
or 'mail.cgi' and so on. There will be anything from a few to 30 or 40
requests within about one minute. Our server doesn't in fact *have*
any of these facilities, so no damage is done, but it is obviously
of nefarious intent...

As I say, each request is from a different host -- apparently scattered
randomly around the world -- and each request is (mostly) for a different
app. My assumption is that these are all poor zombies, with coordinated
strings being pulled by some puppetwebmaster somewhere unseen.

Anybody know more? Any action that is useful to take?

-- Pete --
--
============================================================================
The address in the header is a Spam Bucket -- don't bother replying to it...
(If you do need to email, replace the account name with my true name.)
============================================================================
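The pattern Pete describes (many POSTs to mail-CGI paths, each from a different host, inside a minute or so) is easy to pull out of an access log mechanically. The following is an added example, not code from the original post: it parses Apache combined-format lines, keeps only POSTs whose script name looks like a form-to-mail handler, and reports any 60-second window in which at least three distinct client IPs probed. The log lines, the script-name pattern and the thresholds are all constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Aug/2004:19:58:01 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Aug/2004:19:58:04 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 209 "-" "Mozilla/4.0"
192.0.2.55 - - [29/Aug/2004:19:58:09 +0000] "POST /mail.cgi HTTP/1.1" 404 201 "-" "Mozilla/4.0"
203.0.113.77 - - [29/Aug/2004:19:58:15 +0000] "POST /cgi-bin/mailer.pl HTTP/1.1" 404 205 "-" "Mozilla/4.0"
198.51.100.200 - - [29/Aug/2004:19:58:40 +0000] "POST /cgi-bin/sendmail.cgi HTTP/1.1" 404 207 "-" "Mozilla/4.0"
192.0.2.9 - - [29/Aug/2004:20:30:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.9 - - [29/Aug/2004:21:10:33 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 209 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Script names typically probed for open form-to-mail relays (assumed list, extend as needed).
MAIL_CGI_RE = re.compile(r'(form|send)?mail[^/]*\.(pl|cgi|php)$', re.I)


def parse_probes(log_text):
    """Return (timestamp, client_ip, path) for every POST aimed at a mail-CGI path.
    The status code is deliberately ignored: a 404 only tells us the script is absent."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        script = m.group("path").rsplit("/", 1)[-1]
        if not MAIL_CGI_RE.search(script):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip"), m.group("path")))
    return events


def find_storms(events, window=timedelta(seconds=60), min_hosts=3):
    """Walk the probes in time order; a window holding >= min_hosts distinct
    client IPs is a 'storm' in the sense of the post. One host hammering one
    script repeatedly is a different pattern and is not reported here."""
    events = sorted(events)
    storms, i = [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        chunk = events[i:j]
        hosts = {ip for _, ip, _ in chunk}
        if len(hosts) >= min_hosts:
            storms.append({
                "start": chunk[0][0],
                "end": chunk[-1][0],
                "requests": len(chunk),
                "hosts": sorted(hosts),
                "paths": sorted({p for _, _, p in chunk}),
            })
            i = j          # skip past the window so the same probes are not re-reported
        else:
            i += 1
    return storms


if __name__ == "__main__":
    for s in find_storms(parse_probes(SAMPLE_LOG)):
        print(f"{s['start']:%Y-%m-%d %H:%M:%S} .. {s['end']:%H:%M:%S}: "
              f"{s['requests']} POSTs from {len(s['hosts'])} hosts -> {', '.join(s['paths'])}")
```

Run against a real log with `parse_probes(open("access.log").read())`; the five constructed probes between 19:58:01 and 19:58:40 come out as one storm, while the lone POST at 21:10 does not. Because the detector keys on distinct source hosts rather than request count, it separates the distributed pattern Pete sees from a single noisy scanner.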
NTL World News
2004-09-01 19:29:57 UTC
Well I know poorly configured FormMail mail CGIs allow you to define the
sender in the POST request. The one from Matt's Script Archive used to let
you do that. They will just be looking for an open mail gateway to mask their
real IP.

Charlie
Post by Pete
I'm curious if anyone knows details of a phenomenon that shows up
in our 404 log at irregular intervals.
There will be a sudden 'storm' of POST requests from different hosts,
each requesting a different mail service, like 'cgi-bin/formail.pl'
or 'mail.cgi' and so on. There will be anything from a few to 30 or 40
requests within about one minute. Our server doesn't in fact *have*
any of these facilities, so no damage is done, but it is obviously
of nefarious intent...
As I say, each request is from a different host -- apparently scattered
randomly around the world -- and each request is (mostly) for a different
app. My assumption is that these are all poor zombies, with coordinated
strings being pulled by some puppetwebmaster somewhere unseen.
Anybody know more? Any action that is useful to take?
-- Pete --
--
============================================================================
The address in the header is a Spam Bucket -- don't bother replying to it...
(If you do need to email, replace the account name with my true name.)
============================================================================
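Charlie's point is that a form-to-mail script which copies the sender (and, in the worst configurations, the recipient) straight out of the POST body is an open relay with the web server's IP on it. The following is an added example, not Charlie's code and not Matt's FormMail: a deliberately vulnerable handler that builds the message from unchecked form fields, beside a hardened one that picks the recipient from a server-side allow-list, uses a fixed site address as From, and refuses CR/LF in any header field (the usual way a single form submission is turned into a mass mailing). The allow-list, the site address and the sample forms are assumptions for the demonstration; neither function actually sends anything.

```python
import re
from email.message import EmailMessage

# --- Vulnerable variant (illustrative, mirrors the behaviour described in the thread) ---
def vulnerable_formmail(form):
    """Builds the raw message exactly as the client asked. Any recipient can be
    named, the From line is whatever the client sent, and a CR/LF inside a
    field becomes an extra header (e.g. Bcc) because the headers are joined
    with newlines verbatim."""
    headers = [
        f"To: {form.get('recipient', '')}",
        f"From: {form.get('email', '')}",
        f"Subject: {form.get('subject', 'Form submission')}",
    ]
    return "\n".join(headers) + "\n\n" + form.get("message", "")


# --- Hardened variant ---
SITE_FROM = "webform@example.com"          # assumed: our own address, never the client's
RECIPIENTS = {                              # assumed allow-list, selected by key only
    "sales": "sales@example.com",
    "support": "support@example.com",
}
# \Z rather than $ so a trailing newline cannot slip past the check.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\Z")


def _header_safe(value, maxlen=200):
    """Reject header injection outright instead of silently stripping it."""
    if "\r" in value or "\n" in value:
        raise ValueError("header injection attempt")
    return value[:maxlen]


def hardened_formmail(form):
    to = RECIPIENTS.get(form.get("recipient", ""))
    if to is None:
        raise ValueError("recipient not in allow-list")
    reply_to = form.get("email", "")
    if not ADDR_RE.match(reply_to):
        raise ValueError("invalid reply address")
    msg = EmailMessage()
    msg["To"] = to
    msg["From"] = SITE_FROM                 # the visitor only ever gets Reply-To
    msg["Reply-To"] = reply_to
    msg["Subject"] = _header_safe(form.get("subject", "Form submission"))
    msg.set_content(form.get("message", ""))   # body text cannot create headers
    return msg


def is_rejected(form):
    """True if the hardened handler refuses the submission."""
    try:
        hardened_formmail(form)
    except ValueError:
        return True
    return False


# Constructed sample submissions (not from the original post).
ATTACK_FORM = {
    "recipient": "victim@example.org",
    "email": "spoofed@example.net\nBcc: list1@example.org, list2@example.org",
    "subject": "hi",
    "message": "spam",
}
GOOD_FORM = {
    "recipient": "sales",
    "email": "alice@example.net",
    "subject": "Quote request",
    "message": "Hello, please send a quote.",
}

if __name__ == "__main__":
    print(vulnerable_formmail(ATTACK_FORM))
    print("hardened rejects attack:", is_rejected(ATTACK_FORM))
    print(hardened_formmail(GOOD_FORM))
```

With the attack form, the vulnerable handler emits a message addressed to whatever the client named, carrying the client's forged From line and an injected Bcc header; the hardened handler rejects the same form (the recipient is not a known key, and the reply address contains a newline) and, for a legitimate submission, always sends from the site's own address to one allow-listed mailbox. Note that `EmailMessage` itself refuses header values containing newlines, so the explicit check is belt and braces, but it lets the script fail with a clear error rather than a generic exception.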