
Re: hacking attempt on Apache?



On Tuesday 06 July 2004 20:30, Pim Bliek wrote:
> Hi,
>
> I got this in my logs:
>
> 12.135.225.155 - - [30/Jun/2004:13:41:07 +0200] "POST
> /cgi-bin/formmail.pl HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 205.155.196.131 - - [30/Jun/2004:13:41:17 +0200] "POST
> /cgi-bin/contact.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 209.181.61.81 - - [30/Jun/2004:13:41:21 +0200] "POST
> /cgi-bin/mailform.pl HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 209.188.66.29 - - [30/Jun/2004:13:41:24 +0200] "POST
> /cgi-bin/formmail.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 1
> foo.bar
> 216.11.71.2 - - [30/Jun/2004:13:41:25 +0200] "POST
> /cgi-bin/FormMail.pl HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 193.224.42.8 - - [30/Jun/2004:13:41:27 +0200] "POST /mail.cgi
> HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0 foo.bar
> 213.142.20.29 - - [30/Jun/2004:13:41:32 +0200] "POST /cgi-bin/fmail.pl
> HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0 foo.bar
> 205.160.241.50 - - [30/Jun/2004:13:41:35 +0200] "POST
> /cgi-bin/form.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 67.69.34.194 - - [30/Jun/2004:13:41:37 +0200] "POST
> /cgi-bin/contact.pl HTTP/1.1" 404 14523 "http://www.foo.bar/" "-" 1
> foo.bar
> 212.55.154.69 - - [30/Jun/2004:13:41:43 +0200] "POST /cgi/formmail
> HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 1 foo.bar
> 206.107.198.2 - - [30/Jun/2004:13:41:47 +0200] "POST /cgi-bin/mail.cgi
> HTTP/1.1" 404 14523 "http://www.foo.bar/" "-" 1 foo.bar
> 67.98.236.153 - - [30/Jun/2004:13:41:49 +0200] "POST /formmail.pl
> HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0 foo.bar
> 195.77.24.14 - - [30/Jun/2004:13:41:51 +0200] "POST
> /cgi-bin/feedback.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 209.235.241.82 - - [30/Jun/2004:13:41:53 +0200] "POST /contact.cgi
> HTTP/1.1" 404 14523 "http://www.foo.bar/" "-" 1 foo.bar
> 209.2.108.2 - - [30/Jun/2004:13:41:58 +0200] "POST /form-bin/deliver
> HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0 foo.bar
> 80.16.106.83 - - [30/Jun/2004:13:41:59 +0200] "POST
> /cgi-bin/cgiemail/contact.txt HTTP/1.0" 404 14523
> "http://www.foo.bar/" "-" 0 foo.bar
> 207.44.198.13 - - [30/Jun/2004:13:42:04 +0200] "POST /cgi-bin/form.pl
> HTTP/1.1" 404 14523 "http://www.foo.bar/" "-" 1 foo.bar
> 193.146.142.66 - - [30/Jun/2004:13:42:05 +0200] "POST
> /cgi-bin/mailform.cgi HTTP/1.1" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 65.77.28.122 - - [30/Jun/2004:13:42:07 +0200] "POST
> /cgi-bin/feedback.pl HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0
> foo.bar
> 64.56.118.178 - - [30/Jun/2004:13:42:09 +0200] "POST /cgi-bin/mail.pl
> HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0 foo.bar
> 207.68.98.5 - - [30/Jun/2004:13:42:11 +0200] "POST /cgi-bin/sender.pl
> HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 1 foo.bar
> 12.104.198.106 - - [30/Jun/2004:13:42:12 +0200] "POST
> /cgi-bin/mailer/mailer.cgi HTTP/1.0" 404 14523 "http://www.foo.bar/"
> "-" 0 foo.bar
>
>
>
> Apparently all from different IPs but certainly coordinated, because
> it is at the same time, same kind of requests.
>
> Does anyone know how this can be done? Is there any possibility to trace
> who might have done this?
>
> Best regards,
> Pim Bliek


Don't tell me you are running an old version of that formmail script!

Robbert
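
The pattern in the quoted log (failed POSTs to common mail-form script names, each from a different source address, all within about a minute) can be flagged automatically. The Python below is an added example, not part of either post: the script-name heuristic, the two-minute window and the three-address threshold are assumptions, and the sample input is four entries from the quoted log rejoined onto single lines plus two constructed entries.

```python
import re
from datetime import datetime, timedelta

# Access-log line as in the post: client IP, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed heuristic: path fragments typical of web-to-mail form handlers.
MAILFORM = re.compile(r'form|mail|contact|feedback|sender|deliver', re.I)

TAIL = ' HTTP/1.0" 404 14523 "http://www.foo.bar/" "-" 0 foo.bar'
SAMPLE = [  # first four from the quoted log, last two constructed
    '12.135.225.155 - - [30/Jun/2004:13:41:07 +0200] "POST /cgi-bin/formmail.pl' + TAIL,
    '205.155.196.131 - - [30/Jun/2004:13:41:17 +0200] "POST /cgi-bin/contact.cgi' + TAIL,
    '209.181.61.81 - - [30/Jun/2004:13:41:21 +0200] "POST /cgi-bin/mailform.pl' + TAIL,
    '193.224.42.8 - - [30/Jun/2004:13:41:27 +0200] "POST /mail.cgi' + TAIL,
    '192.0.2.10 - - [30/Jun/2004:13:45:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "-" 0 foo.bar',
    '192.0.2.10 - - [30/Jun/2004:14:30:00 +0200] "POST /cgi-bin/contact.cgi' + TAIL,
]

def parse(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])

def find_sweeps(lines, window=timedelta(minutes=2), min_ips=3):
    """Bursts of 404 POSTs to mail-form paths that come from >= min_ips addresses."""
    hits = [r for r in map(parse, lines)
            if r and r[2] == 'POST' and r[4] == 404 and MAILFORM.search(r[3])]
    hits.sort(key=lambda r: r[1])
    sweeps, i = [], 0
    while i < len(hits):
        j = i
        # Extend the burst while the next hit is within `window` of its start.
        while j + 1 < len(hits) and hits[j + 1][1] - hits[i][1] <= window:
            j += 1
        burst = hits[i:j + 1]
        ips = sorted({r[0] for r in burst})
        if len(ips) >= min_ips:
            paths = sorted({r[3] for r in burst})
            sweeps.append((burst[0][1], burst[-1][1], ips, paths))
        i = j + 1
    return sweeps

if __name__ == '__main__':
    for start, end, ips, paths in find_sweeps(SAMPLE):
        print(f'{start} to {end}: {len(ips)} sources probed {len(paths)} paths')
```

A single stray 404 on a form path, like the constructed 14:30 entry, stays below the threshold and is not reported.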


