[SPEWS/SBL] S822 clickMAN/ServerGod caught hacking formmail.pl
Giblet - USA Resident 2004-02-29, 12:34 am

http://spews.org/html/S822.html
Formmail attacking from 64.89.16.34 under ClickMAN/ServerGod S822. This is
more than just the old formmail probe - this attempt was apparently trying
to individually attack this (secure) formmail.pl with field overflows, etc.
I got a few dozen of these bounced back to the webserver postmaster account.
Notice the full message header fields being stuffed into the "From:"
address. No idea why.
==================================================
(Munged with 'x' and 'MYWEBSERVER' where necessary)
Return-Path: <postmaster@cx.com>
Received: from MYWEBSERVER (localhost.localdomain [127.0.0.1])
by MYWEBSERVER (8.12.8/8.12.8) with ESMTP id xxxxxx
for <support@x.com>; Sat, 28 Feb 2004 08:50:32 -0600
Received: (from nobody@localhost)
by MYWEBSERVER (8.12.8/8.12.8/Submit) id xxxxxx;
Sat, 28 Feb 2004 08:50:31 -0600
Date: Sat, 28 Feb 2004 08:50:31 -0600
Message-Id: <x@MYWEBSERVER>
To: support@x.com
From: "giveufun@aol.com To":
giveufun@aol.com.From:giveufun@aol.com.Subject:xxxxxxxxxxxxxxxxxxx
(xxxxxxx,email) (giveufun@aol.com To: giveufun@aol.com From:
giveufun@aol.com Subject: x(xxxxx,realname)xxx x xxxxxxxxx . )
Subject: Submission from feedback HTML form
X-Generated-By: FormMail.pl
X-Script-URL: http://www.x.com:80/cgi-bin/formmail.pl
X-Originating-IP: [64.89.16.34]
Content-Type: text/plain; x-avg-checked=avg-ok-71C8D2C; charset=us-ascii
Content-Transfer-Encoding: 8bit
Below is the result of your feedback form. It was submitted by
giveufun@aol.com To: giveufun@aol.com From: giveufun@aol.com Subject:
x(x,realname)xxxx xxx xxxxxxxxx . (giveufun@aol.com To: giveufun@aol.com
From: giveufun@aol.com Subject: xxx(xxxxxx,email)xxxx xxxxx
xxxxxxxxxxxxxxxxxx . ) on Saturday, February 28, 2004 at 08:50:24
---------------------------------------------------------------------------
company: giveufun@aol.com
To: giveufun@aol.com
From: giveufun@aol.com
Subject: x (xxxxxxxxx,company)PI
x xxxxxxxx xxxxxxxxxxxxxxxxxxxx
=====================================
Many attempts in the server logs. Here are a few:
64.89.16.34 - - [28/Feb/2004:08:49:57 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
64.89.16.34 - - [28/Feb/2004:08:50:02 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
64.89.16.34 - - [28/Feb/2004:08:50:07 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
64.89.16.34 - - [28/Feb/2004:08:50:19 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
64.89.16.34 - - [28/Feb/2004:08:50:24 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
64.89.16.34 - - [28/Feb/2004:08:50:38 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
64.89.16.34 - - [28/Feb/2004:08:50:44 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
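The two signals in this post, a burst of POSTs to formmail.pl from a single address and form fields that carry their own To:/From:/Subject: labels, can both be checked mechanically on the receiving side. The Python below is an added example, not code from the thread or from FormMail.pl itself; the log lines are constructed to match the shape shown above, with the documentation address 192.0.2.34 standing in for the source, and the threshold and window values are assumptions.

```python
"""Added example: flag FormMail.pl abuse from web-server logs and form input."""
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log line; trailing referer/agent fields are ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Header labels smuggled into a field value (what the bounced "From:" above shows).
HEADER_TOKEN_RE = re.compile(r'(?:^|[\s.])(?:To|From|Cc|Bcc|Subject):', re.IGNORECASE)

# Constructed sample log (192.0.2.34 is a documentation address standing in for
# the source): five POSTs to formmail.pl in 27 seconds, plus one ordinary GET.
SAMPLE_LOG = [
    '192.0.2.34 - - [28/Feb/2004:08:49:57 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "-" "-"',
    '192.0.2.34 - - [28/Feb/2004:08:50:02 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "-" "-"',
    '192.0.2.34 - - [28/Feb/2004:08:50:07 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "-" "-"',
    '192.0.2.34 - - [28/Feb/2004:08:50:19 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "-" "-"',
    '192.0.2.34 - - [28/Feb/2004:08:50:24 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "-" "-"',
    '198.51.100.7 - - [28/Feb/2004:08:50:30 -0600] "GET /feedback.html HTTP/1.1" 200 1843 "-" "-"',
]

def parse_log_line(line):
    """Return (ip, timestamp, method, path) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path')

def formmail_bursts(lines, threshold=5, window_seconds=60):
    """Map source IP -> largest number of formmail.pl POSTs inside one window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec[2] == 'POST' and rec[3].endswith('/formmail.pl'):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
                   for i, start in enumerate(times))
        if best >= threshold:
            flagged[ip] = best
    return flagged

def field_is_suspicious(value):
    """Reject, rather than mail, a field that carries CR/LF or its own header labels."""
    return '\r' in value or '\n' in value or bool(HEADER_TOKEN_RE.search(value))
```

Run against a real access log, `formmail_bursts` gives the per-source counts to feed a block list, and `field_is_suspicious` is the check a form handler should apply to every field before it ever reaches sendmail.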
bananananae 2004-02-29, 9:34 am

"Giblet - USA Resident" <usenetharvested@2mbit.com> wrote in message news:<5bOdnTFAhtKD7dzdRVn-sA@bright.net>...
> http://spews.org/html/S822.html
>
> Formmail attacking from 64.89.16.34 under ClickMAN/ServerGod S822. This is
> more than just the old formmail probe - this attempt was apparently trying
> to individually attack this (secure) formmail.pl with field overflows, etc.
>
> I got a few dozen of these bounced back to the webserver postmaster account.
>
> Notice the full message header fields being stuffed into the "From:"
> address. No idea why.
>
> ==================================================
> (Munged with 'x' and 'MYWEBSERVER' where necessary)
>
> Return-Path: <postmaster@cx.com>
> Received: from MYWEBSERVER (localhost.localdomain [127.0.0.1])
> by MYWEBSERVER (8.12.8/8.12.8) with ESMTP id xxxxxx
> for <support@x.com>; Sat, 28 Feb 2004 08:50:32 -0600
> Received: (from nobody@localhost)
> by MYWEBSERVER (8.12.8/8.12.8/Submit) id xxxxxx;
> Sat, 28 Feb 2004 08:50:31 -0600
> Date: Sat, 28 Feb 2004 08:50:31 -0600
> Message-Id: <x@MYWEBSERVER>
> To: support@x.com
> From: "giveufun@aol.com To":
> giveufun@aol.com.From:giveufun@aol.com.Subject:xxxxxxxxxxxxxxxxxxx
> (xxxxxxx,email) (giveufun@aol.com To: giveufun@aol.com From:
> giveufun@aol.com Subject: x(xxxxx,realname)xxx x xxxxxxxxx . )
> Subject: Submission from feedback HTML form
> X-Generated-By: FormMail.pl
> X-Script-URL: http://www.x.com:80/cgi-bin/formmail.pl
> X-Originating-IP: [64.89.16.34]
> Content-Type: text/plain; x-avg-checked=avg-ok-71C8D2C; charset=us-ascii
> Content-Transfer-Encoding: 8bit
>
>
> Below is the result of your feedback form. It was submitted by
> giveufun@aol.com To: giveufun@aol.com From: giveufun@aol.com Subject:
> x(x,realname)xxxx xxx xxxxxxxxx . (giveufun@aol.com To: giveufun@aol.com
> From: giveufun@aol.com Subject: xxx(xxxxxx,email)xxxx xxxxx
> xxxxxxxxxxxxxxxxxx . ) on Saturday, February 28, 2004 at 08:50:24
> ---------------------------------------------------------------------------
>
>
> company: giveufun@aol.com
> To: giveufun@aol.com
> From: giveufun@aol.com
> Subject: x (xxxxxxxxx,company)PI
>
>
> x xxxxxxxx xxxxxxxxxxxxxxxxxxxx
>
> =====================================
>
>
> Many attempts in the server logs. Here are a few:
>
> 64.89.16.34 - - [28/Feb/2004:08:49:57 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
> 64.89.16.34 - - [28/Feb/2004:08:50:02 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
> 64.89.16.34 - - [28/Feb/2004:08:50:07 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
> 64.89.16.34 - - [28/Feb/2004:08:50:19 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
> 64.89.16.34 - - [28/Feb/2004:08:50:24 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
> 64.89.16.34 - - [28/Feb/2004:08:50:38 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
> 64.89.16.34 - - [28/Feb/2004:08:50:44 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 306 "http://www.x.com
Giveufun is an active AOL account. Be sure to CC AOL Legal who
already has an interesting file on SPEWS S822's nefarious activities
using *stolen* AOL accounts and spamming in AOL chat rooms and AIM and
email pr0n spam.
This group of AOL niche spammers *steals* AOL accounts with phishers,
chat room, AIM and email spams, and spams anyone who enters an AOL chat
room. They host pr0n sites on *stolen* AOL member home pages and have
an interesting connection with da.ru where they have set up *hundreds*
of pr0n redirects.
<http://groups.google.com/groups?sel...0mb-m18.aol.com>
> Who is Kathleen Gunn and why is her name big penis?
> Domain: aimeecam2.da.ru
> Oh, look, another 100 pr0n sites on da.ru all pointing to biggererection.com
> Most likely spammy believes that this will protect his domain names from LARTS.
> These 100 sites were created on da.ru over 3 months ago by
> diplomats@mail.com
> http://www.naturalenlarge(1-100).da.ru/
> redirects to http://big.penis.name/
> which redirects to http://www.biggererection.com/ft=econ1431
They use send-safe.com spamware and are very easy to track. Simply
enter any AOL lobby chat room and your screen name will be harvested.
29 hits just to banana traps.
<http://groups.google.com/groups?q=S...&sa=G&scoring=d>
This is the AOL member directory listing for Giveufun@aol.com
Name: john
Location: Ft Lauderdale Florida
Gender: Male
Marital Status: Single
Hobbies & Interests: Travel,Boating,Beach etc.
Favorite Gadgets: Dell
Occupation: self
Personal Quote: Live Life
They appear to have a 'special' relationship with da.ru, who ignores
abuse complaints. ls02.da.ru is theirs and has a long and sordid pron
spamming history.
Google Search: ls02.da.ru
Searched Groups for ls02.da.ru. Results 1 - 10 of about 16
http://groups.google.com/groups?hl=...le+Search&meta=
They are linked with numerous phishers and are linked to the Rober
Swilley pron spammer/phisher and also have links to candidhosting.com
/ SPEWS S339 and charles charmatz and have hosted their spew with
SBL9517 Tubul / Marcin Dworak.
They are *MAJOR* AOL spammers and account thieves.
Google Search: SPEWS S822 phisher
Searched Groups for SPEWS S822 phisher. Results 1 - 7 of about 10
http://groups.google.com/groups?hl=...G=Google+Search
These 'Clockwork Orange' chickenbones won't stop spamming and scanning
until they are incarcerated. And AOL just might do that for everyone
this year.
SuN
--
"Smile while you're making it,
Laugh while you're taking it,
Even though you're faking it,
No one's gonna know."
-Clockwork Orange