On Saturday 01 September 2001 04:50 pm, Soeren Ziehe wrote:
> Hello incidents,
>
> while looking at our weblogs something caught my eye this week.
>
> There was an attempt to use a formmail perl script installed on our
> server from a non-local address.
>
> A quick grep through our weblogs for this month and back to the beginning
> of this year revealed a ton of requests for the 20th this month and a
> few requests on the 11th, 23rd, 27th and 29th.
>
> OK. Here's the beef:
>
> I "censored" the last digits of the culprits IP address or the first
> part of the culprits DNS name. Also [server] stands for the hostname of
> my server.
>
> It all began on the 11th.
> <snip>
> IF you've stayed with me until here. Has anyone seen the same access
> attempts patterns/tool signatures?
>
> Robinton

formmail has a bug in it that allows anyone to use it as a mass spam mailer; update to the latest version to stop this from happening.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
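
The weblog check described in the quoted message (formmail requests from non-local addresses, grouped by day), as an added example that is not part of the original post. It assumes Common Log Format; the local network, local domain suffix and sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumptions: what counts as "local" for this server (documentation ranges).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAIN = ".example.org"

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
FORMMAIL = re.compile(r'/formmail(\.pl|\.cgi)?(\?|$)', re.IGNORECASE)

# Constructed sample lines, not taken from the poster's logs.
SAMPLE_LOG = """\
198.51.100.23 - - [11/Aug/2001:02:10:44 +0200] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 512
192.0.2.10 - - [11/Aug/2001:09:30:01 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 734
203.0.113.77 - - [20/Aug/2001:03:14:07 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 734
203.0.113.77 - - [20/Aug/2001:03:14:09 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 734
dialup-17.isp.example.net - - [20/Aug/2001:03:20:00 +0200] "GET /cgi-bin/FormMail.pl?x=1 HTTP/1.0" 200 90
www.example.org - - [20/Aug/2001:04:00:00 +0200] "GET /index.html HTTP/1.0" 200 1024
"""

def is_local(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Log written with hostname lookups on: fall back to a suffix check.
        return host.lower().endswith(LOCAL_DOMAIN)
    return any(addr in net for net in LOCAL_NETS)

def formmail_hits(lines):
    """Return {date: Counter(host -> hits)} for non-local formmail requests."""
    per_day = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, stamp, _method, path, _status = m.groups()
        if not FORMMAIL.search(path) or is_local(host):
            continue
        day = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S").date()
        per_day.setdefault(day, Counter())[host] += 1
    return per_day

if __name__ == "__main__":
    for day, hosts in sorted(formmail_hits(SAMPLE_LOG.splitlines()).items()):
        print(day, dict(hosts))
```
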
This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 13:40:02 PDT