Subject: Re: Strange logs in web-server...
To: Timo Schöler <timo.schoeler@macfinity.net>
From: Richard Rauch <rkr@olib.org>
List: netbsd-help
Date: 09/24/2004 12:32:24
On Fri, Sep 24, 2004 at 09:04:51AM +0200, Timo Schöler wrote:
> >This seems like the most informative group to ask about this.  The 
 [...]
> hi,
> 
> it's a worm/virus trying to attack your web server (IIRC there were a 
> few weaknesses in 'formmail') -- in a kind of brute force attack, i.e. 
> the attacker is trying regardless of formmail installed/running or not.

Thanks.

Usually it's a spammer who tries to discover an open relay, and addresses
the mail back to himself/herself/itself as "rockstar".  I'm told that
it ("rockstar") is a somewhat well-known spammer.

If it's a worm/virus, why are multiple, physically separate,
computers targeting my system at the *same* time?  Is that a quirky
feature of the worm?



 [...]
> after all, if you don't run a buggy version of formmail (or you don't 
> run formmail at all), you can ignore these log entries safely -- like 
> the other masses of attacks on Mickeysoft IIS ;)

I don't run formmail, or any of the other scripts that they tried to
use (enquiry.pl etc.).  My web server presently serves only static
files.  I have been thinking about setting up PHP for some fun,
though.

But these attempted hacks spam my logs, so I tend to blacklist
the IP number from future access to the server.  (^&  My ipf rules
grow ~daily (usually due to email spammers, but sometimes due to
viruses and hackers).

It's not a perfect defense, but it helps.  Some of the less bright
viruses can try to hit my mail server 10,000 to 20,000 times in
a single week from a single source.  Why do I need that in my logs?
(^&


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
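As an added example (not from this thread or from either poster), here is the kind of small script that turns the log spam described above into ipf block rules: it scans Common Log Format access-log lines for 404'd requests to formmail or enquiry.pl, counts them per source address, and emits one IPFilter `block in quick` rule per host. The log lines and IP addresses are constructed samples; the rule syntax is standard IPFilter, with no interface specified.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2004:09:01:12 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 290
203.0.113.5 - - [24/Sep/2004:09:01:13 +0200] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 290
198.51.100.7 - - [24/Sep/2004:09:01:13 +0200] "GET /cgi-bin/enquiry.pl HTTP/1.0" 404 288
192.0.2.44 - - [24/Sep/2004:09:02:01 +0200] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [24/Sep/2004:09:03:44 +0200] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 290
"""

# client-ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Script names the thread mentions being probed for; case-insensitive
# because scanners try several spellings of the same file name.
PROBE_RE = re.compile(r'formmail|enquiry\.pl', re.IGNORECASE)


def probing_hosts(log_text, threshold=1):
    """Return {ip: count} for hosts that requested a probed script name
    and got a 404 (so nothing was there to attack) at least `threshold` times."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _method, path, status = m.groups()
        if status == "404" and PROBE_RE.search(path):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def ipf_rules(hosts):
    """One IPFilter rule per host, sorted for a stable ruleset; 'quick'
    stops rule processing so a later pass rule cannot override the block."""
    return [f"block in quick from {ip} to any" for ip in sorted(hosts)]


if __name__ == "__main__":
    for rule in ipf_rules(probing_hosts(SAMPLE_LOG)):
        print(rule)
```

Raising `threshold` avoids blocking a host for a single stray request; the host serving the legitimate `index.html` hit is never listed because the 200 status excludes it.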