hacking attempt on Apache?

To: debian-user@lists.debian.org
Subject: hacking attempt on Apache?
From: Pim Bliek <pim.bliek@gmail.com>
Date: Tue, 6 Jul 2004 20:30:56 +0200
Message-id: <[🔎] fc1af19c04070611302238245d@mail.gmail.com>

Hi,

I got this in my logs:

12.135.225.155 - - [30/Jun/2004:13:41:07 +0200] "POST
/cgi-bin/formmail.pl HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
205.155.196.131 - - [30/Jun/2004:13:41:17 +0200] "POST
/cgi-bin/contact.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
209.181.61.81 - - [30/Jun/2004:13:41:21 +0200] "POST
/cgi-bin/mailform.pl HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
209.188.66.29 - - [30/Jun/2004:13:41:24 +0200] "POST
/cgi-bin/formmail.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 1
foo.bar
216.11.71.2 - - [30/Jun/2004:13:41:25 +0200] "POST
/cgi-bin/FormMail.pl HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
193.224.42.8 - - [30/Jun/2004:13:41:27 +0200] "POST /mail.cgi
HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0 foo.bar
213.142.20.29 - - [30/Jun/2004:13:41:32 +0200] "POST /cgi-bin/fmail.pl
HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0 foo.bar
205.160.241.50 - - [30/Jun/2004:13:41:35 +0200] "POST
/cgi-bin/form.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
67.69.34.194 - - [30/Jun/2004:13:41:37 +0200] "POST
/cgi-bin/contact.pl HTTP/1.1" 404 14523 "http://www.foo.bar/"; "-" 1
foo.bar
212.55.154.69 - - [30/Jun/2004:13:41:43 +0200] "POST /cgi/formmail
HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 1 foo.bar
206.107.198.2 - - [30/Jun/2004:13:41:47 +0200] "POST /cgi-bin/mail.cgi
HTTP/1.1" 404 14523 "http://www.foo.bar/"; "-" 1 foo.bar
67.98.236.153 - - [30/Jun/2004:13:41:49 +0200] "POST /formmail.pl
HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0 foo.bar
195.77.24.14 - - [30/Jun/2004:13:41:51 +0200] "POST
/cgi-bin/feedback.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
209.235.241.82 - - [30/Jun/2004:13:41:53 +0200] "POST /contact.cgi
HTTP/1.1" 404 14523 "http://www.foo.bar/"; "-" 1 foo.bar
209.2.108.2 - - [30/Jun/2004:13:41:58 +0200] "POST /form-bin/deliver
HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0 foo.bar
80.16.106.83 - - [30/Jun/2004:13:41:59 +0200] "POST
/cgi-bin/cgiemail/contact.txt HTTP/1.0" 404 14523
"http://www.foo.bar/"; "-" 0 foo.bar
207.44.198.13 - - [30/Jun/2004:13:42:04 +0200] "POST /cgi-bin/form.pl
HTTP/1.1" 404 14523 "http://www.foo.bar/"; "-" 1 foo.bar
193.146.142.66 - - [30/Jun/2004:13:42:05 +0200] "POST
/cgi-bin/mailform.cgi HTTP/1.1" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
65.77.28.122 - - [30/Jun/2004:13:42:07 +0200] "POST
/cgi-bin/feedback.pl HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0
foo.bar
64.56.118.178 - - [30/Jun/2004:13:42:09 +0200] "POST /cgi-bin/mail.pl
HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 0 foo.bar
207.68.98.5 - - [30/Jun/2004:13:42:11 +0200] "POST /cgi-bin/sender.pl
HTTP/1.0" 404 14523 "http://www.foo.bar/"; "-" 1 foo.bar
12.104.198.106 - - [30/Jun/2004:13:42:12 +0200] "POST
/cgi-bin/mailer/mailer.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/";
"-" 0 foo.bar



Apparently all from different IP's but certainly coordinated, because
it is on the same time, same kind of requests.

Anyone knows how this can be done? Is there any possibility to trace
who might have done this?

Best regards,
Pim Bliek

Reply to:

Follow-Ups:
- Re: hacking attempt on Apache?
  - From: Robbert Hamburg <cobalt@robberthamburg.nl>
- Re: hacking attempt on Apache?
  - From: Raquel Rice <raquel@thericehouse.net>
- Re: hacking attempt on Apache?
  - From: Michael B Allen <mba2000@ioplex.com>

Prev by Date: Re: Unable to handle kernel paging request...
Next by Date: Re: Debian Woody login problem
Previous by thread: Re: postscript-enabled mozilla package anyone?
Next by thread: Re: hacking attempt on Apache?
Index(es):
- Date
- Thread