Subject: Re: Strange logs in web-server...
To: Richard Rauch <rkr@olib.org>
From: Timo Schöler <timo.schoeler@macfinity.net>
List: netbsd-help
Date: 09/24/2004 09:04:51
> This seems like the most informative group to ask about this.  The
> question is kind of a mixture of security and curiosity.
>
> I have seen people trying to run "formmail" (or similar) CGI scripts
> on my web-server.  I normally just toss them into a blackhole list (IPF
> filter list).  However, of late, I've noticed a new variation: I seem
> to get runs in quick succession of IP attempts by widely varying IP
> numbers.  Here are 3 lines from today:
>
> 200.66.98.39 - - [23/Sep/2004:17:21:32 -0500] "POST /scripts/formmail.pl HTTP/1.0" 404 371 "http://www.olib.org/" "-" 200.66.98.39
> ua-213-115-201-207.cust.bredbandsbolaget.se - - [23/Sep/2004:17:21:31 -0500] "POST /cgi-bin/enquiry.pl HTTP/1.1" 404 370 "http://www.olib.org/" "-" 213.115.201.207
> dpvc-68-161-240-236.ny325.east.verizon.net - - [23/Sep/2004:17:21:33 -0500] "POST /cgi-bin/formmail/formmail.cgi HTTP/1.0" 404 381 "http://www.olib.org/" "-" 68.161.240.236
>
>
> The format is basically Apache's "combined" format, with the IP number
> submitted to reverse-DNS (my server is low-traffic and I'm serving
> from a DSL setup).  I have found some people have operated systems
> whose reverse-DNS is invalid, so I've modified the "combined" log to
> include a trailing raw IP number.
>
>
> Now I see 3, apparently related, attempts to run differently-named
> CGI scripts on my server.  I never seem to get just a single attempt
> in isolation, so I assume that these three lines (logged
> over a 3-second span) are related.  The fact that they go after
> differently-named scripts further suggests coordination.
>
> The scattered IP numbers suggests that they are not in one place.
> (Unless a relatively close router has been hacked and the IP numbers
> are being spoofed...)
>
>
> Have others been seeing this kind of thing in web server logs?
> I rather doubt that I've been singled out for special attention.  (^&
>
> (I have, in the past, seen a single IP number attempt to run a
> number of CGI scripts---variations on a theme, such as "formmail.pl",
> "formmail.cgi", etc.)

hi,

it's a worm/virus trying to attack your web server (IIRC there were a
few weaknesses in 'formmail') -- in a kind of brute force attack, i.e.
the attacker is trying regardless of whether formmail is installed/running or not.

IIRC it was on an antivirus list a while ago, but I'm sorry not to have
a URL handy.

after all, if you don't run a buggy version of formmail (or you don't 
run formmail at all), you can ignore these log entries safely -- like 
the other masses of attacks on Mickeysoft IIS ;)

-- 
mit vorzueglichster Hochachtung/best regards,

Timo Schoeler
//macfinity -- finest IT services | Triftstrasse 39 | 13353 Berlin | Germany
Fon ++49 30 25 20 30 20 | Fax ++49 30 25 20 30 19
PGP data http://www.macfinity.net/~tis/contact/PGPPKB_timo.schoeler.txt
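As an added example (not part of this thread), here is a small Python script that parses the poster's modified "combined" format with the trailing raw IP and groups POSTs to form-mailer CGI names that arrive within a few seconds of each other from several distinct IPs, which is the pattern described above. The first three log lines are the ones quoted in the thread; the fourth is a constructed benign request, and the matched script names and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format plus one trailing field: the raw client IP
# (the poster's own addition, since reverse DNS is sometimes wrong).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<ip>\S+)$')

# Script names the probes in this thread went after (assumed list of CGI form mailers).
FORMMAIL_RE = re.compile(r'(formmail|enquiry)\.(pl|cgi)$', re.IGNORECASE)

# The three lines quoted in the thread, re-joined, plus one constructed benign request.
SAMPLE_LOG = [
    '200.66.98.39 - - [23/Sep/2004:17:21:32 -0500] "POST /scripts/formmail.pl HTTP/1.0" 404 371 "http://www.olib.org/" "-" 200.66.98.39',
    'ua-213-115-201-207.cust.bredbandsbolaget.se - - [23/Sep/2004:17:21:31 -0500] "POST /cgi-bin/enquiry.pl HTTP/1.1" 404 370 "http://www.olib.org/" "-" 213.115.201.207',
    'dpvc-68-161-240-236.ny325.east.verizon.net - - [23/Sep/2004:17:21:33 -0500] "POST /cgi-bin/formmail/formmail.cgi HTTP/1.0" 404 381 "http://www.olib.org/" "-" 68.161.240.236',
    '10.0.0.5 - - [23/Sep/2004:17:25:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0" 10.0.0.5',
]

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    return rec

def formmail_bursts(lines, window=timedelta(seconds=10), min_sources=2):
    """Group POSTs to form-mailer paths that fall within `window` of the
    first request in the group, and keep only groups coming from at least
    `min_sources` distinct raw IPs: the multi-source pattern from the thread."""
    hits = [r for r in map(parse_line, lines)
            if r and r['method'] == 'POST' and FORMMAIL_RE.search(r['path'])]
    hits.sort(key=lambda r: r['time'])
    bursts, current = [], []
    for rec in hits:
        if current and rec['time'] - current[0]['time'] > window:
            bursts.append(current)
            current = []
        current.append(rec)
    if current:
        bursts.append(current)
    return [b for b in bursts if len({r['ip'] for r in b}) >= min_sources]
```

On the three quoted lines this reports one burst of three probes from three different raw IPs within a 2-second span; the benign GET is ignored.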