  1. #1

    Formmail.pl and Abuse

    Today when monitoring my websites from different web hosts, I saw in the Error Logs that there was someone trying to access the cgi-bin/formmail.pl. Probably someone trying to abuse the system.

    Of course, in my situation, I do not have any CGIs to begin with. So they could not run any on my sites.

    I am not sure if I am the only one facing this but if not, and you are using formmail.pl, what steps are there to take to prevent any abuse of the system?
    http://www.batchimage.com - Offering Batch Image Processing and TIFF/PDF Software Solutions

  2. #2
    Join Date
    Jun 2000
    Location
    Southern California
    Posts
    12,121
    If I read it correctly, your logs showed attempted accesses of a file that doesn't exist. They were trying to hit it by name. This is the first thing you can do to prevent abuse (simply rename the script). Servers and networks are scanned for the script name many times and while this isn't the only way to prevent abuse, it is the first thing I'd do.
    HostHideout.com - Where professionals discuss web hosting.

    Chicken

  3. #3
    Join Date
    Jan 2002
    Location
    Boston
    Posts
    5,010
    The best suggestion: don't allow users to use it, but you do have to give an alternative if you do this. There was a huge discussion on this a couple of weeks ago; do a search and you should find it.

  4. #4
    Originally posted by Chicken
    If I read it correctly, your logs showed attempted accesses of a file that doesn't exist. They were trying to hit it by name. This is the first thing you can do to prevent abuse (simply rename the script). Servers and networks are scanned for the script name many times and while this isn't the only way to prevent abuse, it is the first thing I'd do.
    Yup, currently there are no CGIs on my sites. So I guess there is no real problem here.

    Thanks for the tip.
    http://www.batchimage.com - Offering Batch Image Processing and TIFF/PDF Software Solutions

  5. #5
    Join Date
    Jan 2002
    Location
    Scotland, UK
    Posts
    2,687
    We have completely banned formmail.pl on our Linux system and are considering the same action on Windows. I would suggest looking at HotScripts.com if you need an alternative to formmail.pl. A custom-built PHP alternative can be made in a few lines of code.

    As for your problem with it showing in the logs, Edwin, an error (404) has occurred so the server will log it. If no error occurred the log wouldn't be made.
    Chris Adams - CEO - Rochen Ltd. - chris (at) rochen (dot) com

    Now offering both US & UK premium business hosting, reseller hosting and managed virtualized services.
    rochen.com | rochen.co.uk | blog.rochen.com | forums.rochen.com | Twitter: @rochenhost

  6. #6
    Join Date
    Apr 2001
    Location
    Boston Metro
    Posts
    345

    Re: Formmail.pl and Abuse

    Originally posted by eddy2099
    Today when monitoring my websites from different web hosts, I saw in the Error Logs that there was someone trying to access the cgi-bin/formmail.pl. Probably someone trying to abuse the system.
    They were probably scanning for the Matt's Script Archive script that can be exploited and used as an open mail relay.

    But as long as you don't have that script, there's nothing they can do.
    http://forums.webhostdir.com/
    All your hosts are belong to us

  7. #7
    Join Date
    May 2002
    Location
    Michigan
    Posts
    1,799
    Yeah, I've been scanned for it lots of times.

    That's why I always include a custom PHP "contact" page when I do a site for someone.

  8. #8
    Join Date
    Feb 2002
    Location
    Boston MA
    Posts
    245
    I had a problem with spammers using my clients' formmail.pl. Well, I sent out a mass email to all clients to rename it to anything other than formmail.pl, for example contact.pl. Since the name changes of all formmails we have not had one issue. Spammers search for formmail and when it's found they do what they want. Try just renaming the file and see if the spam stops. Worked perfect for me.

  9. #9
    Join Date
    Feb 2001
    Location
    Singapore
    Posts
    241
    I used another CGI script called Alienform for form processing; it does have a referrer field so that only a valid domain or IP can use the script.

  10. #10
    Join Date
    Dec 2001
    Location
    Dallas, TX
    Posts
    344
    Even the latest version of FormMail has security holes... Hiding doesn't solve the problem, renaming it doesn't protect you. Only reasonable solution I see at this time is to ban it (hosts) or use another script (clients)...

    Over at AWH we regularly scan all our servers for the script and help clients install a PHP form-to-mail script instead, such as:

    http://www.lumbroso.com/scripts/formmail.php

    We *did* have a spam incident through a client's FormMail... tricky part is the client's IP isn't in the mail header, just in the access_log for the site (if their logs are enabled).

    Let me know if anyone needs any help with this, I'd be glad to assist.
    Ronnie T. Moore, Founder/Owner
    AlwaysWebHosting.com Friendly, feature-packed Cpanel hosting, that can't be beat!
    cPanel 11 Fantastico Multiple-Domain hosting (Host up to 25 domains with one account!)
    Sales/Support via phone, email, help desk, forums, FAQ's, instant messenger, live chat
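
    The access_log review mentioned in the post above, sketched as an added example (not code from any poster or host in this thread). It assumes Apache common/combined log format; the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Any request whose last path segment is "formmail" plus an optional extension,
# case-insensitive (formmail.pl, FormMail.pl, formmail.php, ...).
FORMMAIL_RE = re.compile(r'/formmail(\.\w+)?(\?|$)', re.I)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2002:03:14:07 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 287',
    '192.0.2.10 - - [12/Jul/2002:03:14:08 -0500] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 287',
    '198.51.100.7 - - [12/Jul/2002:04:02:51 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
    '203.0.113.5 - - [12/Jul/2002:04:05:00 -0500] "GET /index.html HTTP/1.1" 200 1043',
]

def formmail_hits(lines):
    """Return {client_ip: {"probes": n, "served": n}} for formmail requests."""
    report = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, _ts, _method, path, status = m.groups()
        if not FORMMAIL_RE.search(path):
            continue
        # 2xx: the script exists and ran, so mail may have been sent.
        # Anything else (404, 403): a scan that found nothing.
        kind = "served" if status.startswith("2") else "probes"
        report[ip][kind] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, counts in sorted(formmail_hits(SAMPLE_LOG).items()):
        print(ip, counts)
```

    Clients with a non-zero "served" count are the ones to match against the timestamps of outgoing mail; "probes" only shows who is scanning.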

  11. #11
    Join Date
    Jun 2000
    Location
    Southern California
    Posts
    12,121
    One thing I haven't been able to figure out is why is a script (such as the one above) not vulnerable? I looked for alternatives however I couldn't determine this. If the one above is fine, then I'd suggest it to clients and use it...
    HostHideout.com - Where professionals discuss web hosting.

    Chicken

  12. #12
    If you want to avoid abuse because of using formmail, use the formmail at the NMS site.

    In fact Matt himself recommends this script, because it doesn't have the holes that Matt's script has!

    Check it out here :

    NMS FormMail

    Cheers

  13. #13
    Join Date
    Sep 2001
    Location
    Vienna, Austria
    Posts
    1,074

  14. #14
    Join Date
    Dec 2001
    Location
    Above The Clouds
    Posts
    6,999
    A PHP formmail isn't necessarily more secure just because it's PHP. Use the NMS formmail, it's a lot more secure though no formmail is or can be 100% secure. Use NMS and rename it. That's the solution to which we are encouraging our clients.
    Laurence Flynn @ atOmicVPS LTD
    Linux & Windows Cloud Hosting Solutions Powered by OnApp
    Fully Managed [Shared][Reseller][Cloud VPS] [Dedicated]
    Featuring the atOmicSTACK ● Speed ● Performance ● Reliability

  15. #15
    Join Date
    Nov 2000
    Location
    Moran, Ks
    Posts
    186
    If you are referring to the script at http://www.lumbroso.com/scripts/formmail.php, it IS vulnerable. It is trivial to use it to send unauthorized spam messages.



    Originally posted by Chicken
    One thing I haven't been able to figure out is why is a script (such as the one above) not vulnerable? I looked for alternatives however I couldn't determine this. If the one above is fine, then I'd suggest it to clients and use it...

  16. #16
    Join Date
    Aug 2000
    Location
    Sheffield, South Yorks
    Posts
    3,480
    The lumbroso one is a big gaping hole waiting for spam to be fed through, heck, I think even the original FormMail.pl is more secure.
    Karl Austin :: KDA Web Services Ltd.
    UK Business Hosting and Managed Servers - Hosting for Business Users :: 0800 5429 764
    Call us today and ask about our hosting solutions.
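
    On the question raised earlier in the thread of what keeps a form-to-mail script from acting as a relay, here is an added example (not any of the scripts named above, and not a poster's code). It assumes the two properties that matter are a recipient fixed on the server and single-line header fields; the field names, recipient key and example.com addresses are hypothetical.

```python
import re
from email.message import EmailMessage

# Assumption: recipient addresses live in server-side configuration.
# The form can only select a key, never supply an address.
ALLOWED_RECIPIENTS = {"contact": "webmaster@example.com"}
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class RejectedSubmission(ValueError):
    """Raised when a submission must not be turned into mail."""

def build_message(form):
    """Turn an untrusted form dict into an EmailMessage, or raise."""
    key = form.get("to", "contact")
    if key not in ALLOWED_RECIPIENTS:
        raise RejectedSubmission("unknown recipient key")
    # Fields copied into headers must be one line: a line break here
    # would start a new header that the visitor controls.
    for field in ("email", "subject"):
        if re.search(r"[\r\n]", form.get(field, "")):
            raise RejectedSubmission("line break in " + field)
    sender = form.get("email", "")
    if not ADDR_RE.fullmatch(sender):
        raise RejectedSubmission("bad sender address")
    msg = EmailMessage()
    msg["From"] = "forms@example.com"      # fixed envelope identity
    msg["To"] = ALLOWED_RECIPIENTS[key]    # never taken from the form
    msg["Reply-To"] = sender
    msg["Subject"] = form.get("subject", "Website contact form")[:120]
    msg.set_content(form.get("message", ""))
    return msg

def is_rejected(form):
    """Convenience wrapper: True if build_message refuses the form."""
    try:
        build_message(form)
    except RejectedSubmission:
        return True
    return False

if __name__ == "__main__":
    ok = {"email": "visitor@example.net", "subject": "Hello", "message": "Hi"}
    print(build_message(ok)["To"])
    print(is_rejected({**ok, "to": "someone@example.org"}))
```

    Renaming the script or checking the referrer changes who finds it; the fixed recipient mapping is what stops a found script from sending to arbitrary addresses.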
