Ravens PHP Scripts: Forums
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Fri Sep 03, 2004 6:09 pm

I'm seeing a lot of these bogus spam hunter type requests.
/cgi-bin/formmail.pl
/cgi-bin/mailform.pl
/cgi-bin/FormMail.pl
/mail.cgi
/cgi-bin/fmail.pl
/cgi-bin/form.cgi
/cgi-bin/contact.pl
/cgi/formmail
/cgi-bin/mail.cgi

Does anyone have an effective strategy for dealing with these? I'd guess that, like other non-existing files, Apache is going to grab them and send out a 404 response. I'm thinking something like a nifty quick and dirty Perl script to slow them down. Any ideas?

_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30
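As an added example, not from this thread or any of its posters: the probes listed above still show up in the Apache access log even when the server only answers 404, and that log is the cheapest place to spot them. The script below parses combined-format access log lines, flags requests for the FormMail-style paths from the post (case-insensitively, query string stripped), and groups them by client address so a host walking several of those paths within a few seconds stands out from a single stray hit. The log lines are constructed sample data, and the "at least two distinct probe paths" threshold is my own choice, not something the thread specifies.

```python
import re
from datetime import datetime

# Probe paths as listed in the post, lower-cased for case-insensitive matching
PROBE_PATHS = {p.lower() for p in (
    "/cgi-bin/formmail.pl", "/cgi-bin/mailform.pl", "/cgi-bin/FormMail.pl",
    "/mail.cgi", "/cgi-bin/fmail.pl", "/cgi-bin/form.cgi",
    "/cgi-bin/contact.pl", "/cgi/formmail", "/cgi-bin/mail.cgi",
)}

# Apache "combined" log format: CLF fields plus referer and user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Constructed sample log: one scanner (203.0.113.7) walking five probe paths,
# one ordinary visitor (198.51.100.20) with a single stray hit, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Sep/2004:18:01:05 -0600] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 290 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [03/Sep/2004:18:01:06 -0600] "GET /index.php HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Sep/2004:18:01:08 -0600] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 290 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [03/Sep/2004:18:01:10 -0600] "GET /cgi-bin/mailform.pl HTTP/1.0" 404 290 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [03/Sep/2004:18:01:11 -0600] "GET /cgi-bin/contact.pl?x=1 HTTP/1.1" 404 290 "http://example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Sep/2004:18:01:12 -0600] "GET /cgi-bin/fmail.pl HTTP/1.0" 404 290 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [03/Sep/2004:18:01:14 -0600] "GET /mail.cgi HTTP/1.0" 404 290 "-" "Mozilla/4.0"',
    'not a log line at all',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before comparing
    return rec


def is_probe(path):
    """True if the request path is one of the FormMail-style probe paths."""
    return path.lower() in PROBE_PATHS


def summarize(lines, min_paths=2):
    """Group probe requests by client IP; keep clients that hit >= min_paths distinct probe paths."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        e = by_ip.setdefault(rec["ip"], {
            "hits": 0, "paths": set(), "statuses": set(),
            "first": rec["time"], "last": rec["time"],
        })
        e["hits"] += 1
        e["paths"].add(rec["path"].lower())
        e["statuses"].add(rec["status"])
        e["first"] = min(e["first"], rec["time"])
        e["last"] = max(e["last"], rec["time"])
    return {ip: e for ip, e in by_ip.items() if len(e["paths"]) >= min_paths}


def report(lines, min_paths=2):
    """One human-readable line per flagged client, sorted by IP."""
    out = []
    for ip, e in sorted(summarize(lines, min_paths).items()):
        span = int((e["last"] - e["first"]).total_seconds())
        out.append(f"{ip}: {e['hits']} requests to {len(e['paths'])} distinct probe paths "
                   f"in {span}s, statuses {sorted(e['statuses'])}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feeding a real log is a matter of replacing SAMPLE_LOG with the lines of access_log; the grouping by client and the time span between first and last probe are what separate a scanner from a visitor who followed one dead link.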
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Sep 03, 2004 7:46 pm

I've been getting them a lot lately too. Here's what I've done. I made a honeypot, so to speak, in the cgi-bin so that Apache will let them through. Then I added the URI string to NukeSentinel™ and appropriate action is taken. I'm not too sure it's as innocent as just Spam. Those programs are security risks in other ways if they haven't been upgraded.

SmackDaddy
Involved
Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH
Posted: Fri Sep 03, 2004 8:05 pm

Would simply love it if you could PM me the details of this honey pot and instructions on how to secure myself and my server for those sorts of things as well. Purty please?

_________________
Smack out...

Raven
Posted: Fri Sep 03, 2004 8:15 pm

Actually, forget I said that. I started down that path and then it dawned on me that they would have to hit my nuke site before Sentinel would take over. So, I have it on my list of things to do, using mod_rewrite to redirect them to an appropriate RETALIATION. That's right, all you cry babies out there. I RETALIATE, GET EVEN, SEEK and DESTROY. I plant BOMBS in my responses that not only hang their PCs, they infect them with a virus that is so deadly it passes to the human body through osmosis from the mouse. Once it enters the body it's only a few minutes before their kiddie brain implodes and they look like this

[image]

Disclaimer: Any resemblance to anyone you know is purely intentional! ROTFL

Raven
Posted: Fri Sep 03, 2004 8:32 pm

Here you go! Place this code in your cgi-bin as long as you aren't using it for anything, which I am not. I have this in all my cgi-bin folders.
Code:
RewriteEngine On

RewriteCond %{REQUEST_URI} "/cgi-bin/.*$" [NC]
RewriteRule ^(.+) http://your_domain.com/abuse/abuse.html

Obviously you replace your_domain and whatever abuse script you want. If you do use yours, then just make the checks for specific URIs.

sixonetonoffun
Posted: Fri Sep 03, 2004 8:37 pm

Speaking of plants and such. Here is a little twist on the NC Beta 6.5 script emailsforyou.php (resembles Allevon's work, not sure?)
[link visible only to registered users]

I don't know if there is much point to it but it will keep 'em busy for a while.

A side twist to the evil plot: I name it index.php and put it in my /abuse/ directory after I added /abuse/ to the robots.txt
Disallow: /abuse/

Not an extremely effective tool in and of itself, but I thought it might give some spam bots that aren't in the Harvester list more to do than just parse my site. Then I tossed in a link to /abuse/abuse.html just for chits and giggles, no clue where it might turn up.

If you'd like to see what it does just upload it and visit it on your server. It's a perfectly harmless page other than that it takes a little time to render the 1001 email links per loop. I put some short/long sleep commands in between to keep the stress on resources down to a minimum.

oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
Posted: Fri Sep 03, 2004 9:13 pm

Raven wrote:
Here you go! Place this code in your cgi-bin as long as you aren't using it for anything, which I am not. I have this in all my cgi-bin folders.
Code:
RewriteEngine On

RewriteCond %{REQUEST_URI} "/cgi-bin/.*$" [NC]
RewriteRule ^(.+) http://your_domain.com/abuse/abuse.html

Obviously you replace your_domain and whatever abuse script you want. If you do use yours, then just make the checks for specific URIs.

Would the skiddies/spammers even be affected by the above sample code since most are prolly sending test email messages via a bot/script that does NOT even load the page? The skiddies/spammers would have to try to load these *mail scripts using a browser in order to be "abused" themselves, correct? Or am I off base here?

For other formmail-traps, here are a couple courtesy of google: 1) http://www.meow.org.uk/stan/pet_projects/honeypot.html 2) http://void.thunderteam.org/fm-trap.html

sixonetonoffun
Posted: Fri Sep 03, 2004 9:35 pm

Part of the idea is to deny access and the other part is to allow for easier tracking. No doubt something better could be done, but these are very quick on-the-fly solutions.

Another would be to add abuse/abuse.html to the String blocker so we'd get a notification when it is directly accessed.
Edit: Except that doesn't work! Grr!
I think we need a portable ban/notify page or something. Oh yeah, Hack Alert. Doh!

Last edited by sixonetonoffun on Fri Sep 03, 2004 9:59 pm; edited 1 time in total

sixonetonoffun
Posted: Fri Sep 03, 2004 9:51 pm

Also note [link visible only to registered users]

Raven
Posted: Fri Sep 03, 2004 10:10 pm

The last update was from 2002 on that exploit. Is that still correct? One would think that in 2 years this would have been resolved. And Six is correct. All I intended to do was to give you hackers (not crackers) a starting point.

I'm still in shock that no one, not even SmackDaddy, has replied to my 'retaliation' post. I really thought it was funny. Guess I better get back on my meds ....

sixonetonoffun
Posted: Sat Sep 04, 2004 5:04 pm

Yeah, it's old, but I would imagine there are still some of 'em around.

I think for the most part we all took the retaliation thread at face value. I have no love for these guys out there hunting to upload bots and such so they can DoS attack "innocent servers"; it's gotten out of hand.

It is time to fight back. I know when Nimda was running wild there were a number of "fight back scripts", some that went so far as to remotely file browse the infected machines. I don't think there is anything wrong with protecting your machine or with hacking a zombie to let the admin/owner know they need to address the issues.

I used to capture packets and send out "attention admin" letters, but it was kind of pointless. One in about 50 would even make it to the user with the infected machine. The few that did were usually small offices running servers that didn't even realize the machine in question was connected to the internet. It just blows my mind the stuff that goes on out there.
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours