formmail abuse checking software

If you have a program or script that you'd like to give away or sell, this is the place to do it. All offers should include contact info.

Moderators: BBear, theunknownhost, flaguy

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

formmail abuse checking software

Post by Arf » Wed Sep 17, 2003 4:38 pm

The following is a little program I whipped up to see if there are any particular IP addresses that are abusing or testing formmail. This program compiles a sorted list of IP addresses that have accessed formmail on your server so you can check for abuses. It will only list IPs that have attempted more than 2 times. Note: many formmail spider and scanner programs search for formmail.cgi etc.; this program will count those too.

To set up the program, you have to run it in a cron as root or it won't be able to do its job because of permissioning issues. Copy it to a cgi-bin as formmailipcheck.cgi, chmod 700, chown root. Then add this to your crontabs:

31 * * * * /home/$user/www/cgi-bin/formmailipcheck.cgi > /home/$user/www/formmailipcheck.html

This program will run every hour at the 31st minute and you can see the results by browsing over to the html file.


#!/bin/bash

# formmailipcheck.cgi 2003 by Thomas Leo
# Meant to be run from cron as root with stdout redirected to an HTML file.
# The Content-type header is only needed when served directly as a CGI.
echo ""
#echo "Content-type: text/html"
echo ""
echo "<HTML>"
echo "<HEAD>"
echo "<TITLE>formmail IP checker</TITLE>"
echo "</HEAD>"
echo '<BODY><font color="blue"><B>FORMMAIL IP CHECKER by Thomas Leo</B><HR>'
echo 'This program compiles a sorted list of IP addresses that have accessed formmail on your server so you can check
for abuses. It will only list IPs that have attempted more than 2 times.  Note: many formmail spider and scanner
programs search for formmail.cgi etc.; this program will count those too.<BR>'
echo "Server last checked on "`date`
echo "<BR><PRE><B>Quantity IP-Address</B>"
# Take the client IP (first field) from every request for the server-wide
# formmail script in each account's access log. The IPs must be sorted
# before uniq -c, which only collapses adjacent duplicates; then sort by
# count (highest first) and keep only IPs seen more than twice.
grep -h "cgi-sys\/formmail\." /home*/*/*-logs/access-log | cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '$1 > 2'
echo "</PRE><HR>"
echo "Thank you, Thomas."
echo "</BODY></HTML>"


The results look like this:
http://ez2ba.com/formmailipcheck.html

enjoy!

nova
Hard Drive Crasher
Posts: 529
Joined: Sun Feb 13, 2005 10:20 pm
Location: Auburn, Massachusetts

Post by nova » Mon Feb 14, 2005 1:12 pm

Does this nice little script check for just the bad formmail or any version?

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Mon Feb 14, 2005 2:21 pm

It just checks for the term formmail in the access logs. It's an older script and could use some updating. I think I wrote it at a time when there were some insecurities in the server-wide formmail script.

nova
Hard Drive Crasher
Posts: 529
Joined: Sun Feb 13, 2005 10:20 pm
Location: Auburn, Massachusetts

Post by nova » Mon Feb 14, 2005 2:50 pm

OK. Thanks for letting me know.

nada
Propeller head licensee
Posts: 85
Joined: Mon Aug 25, 2003 2:33 pm
Location: Cyprus, Lebanon, Nigeria

How to block the IPs that are discovered by Formmail IPchecker

Post by nada » Wed Jun 14, 2006 9:56 pm

Hello

I ran this script and it showed me:

Quanity IP-Address
3 213.244.123.9
3 213.244.123.9

Does it mean that these IPs are using a formmail somewhere installed by a client?

How do I find that formmail to stop it, and if I should block that IP, how should I do that?

Thanks

Rami
Rami El-Zein
admin@practicalhost.com
PracticalHost.com

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Thu Jun 15, 2006 3:05 am

Rami,
Yes, very likely. But it does not mean they are succeeding. It means they're trying. And this is a pretty old command. At the time this was written the cgi-sys form was vulnerable. Now it is not (as far as we know). Which leads me to the next command...

Try running this command to find out which logs the program found the attempts in:


grep -h "/formmail\." /home*/*/*-logs/access-log | grep -v "cgi-sys" | grep -v "formmail.html"


This command eliminates the serverwide formmail. Now it "should" just show account level formmail scripts.
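As an added example (not Arf's script and not code from any project), here is a stand-alone shell version of the same check, covering both the per-IP count from the first post and the server-wide versus account-level split that the grep command just above draws. The access-log lines are constructed inside the script; the request-line pattern, the MIN_HITS threshold and the two function names are assumptions of this example, not anything the thread defines.

```shell
#!/bin/sh
# Added example: count formmail requests per client IP from Apache-style
# access logs and list only IPs over a threshold. Sorting before uniq -c
# matters: uniq only collapses adjacent lines, so an unsorted log yields
# several partial counts for the same IP instead of one total.

# Constructed sample log (Apache combined format, documentation IPs).
# 198.51.100.7 hits the server-wide /cgi-sys/formmail.cgi four times,
# interleaved with other hosts; 203.0.113.5 probes an account-level
# /cgi-bin/formmail.pl three times; 192.0.2.10 is ordinary traffic.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [17/Sep/2003:10:01:02 -0600] "POST /cgi-sys/formmail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [17/Sep/2003:10:01:05 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2003:10:02:11 -0600] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 301 "-" "-"
198.51.100.7 - - [17/Sep/2003:10:02:30 -0600] "POST /cgi-sys/formmail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [17/Sep/2003:10:03:00 -0600] "GET /contact/formmail.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2003:10:03:40 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 310 "-" "-"
198.51.100.7 - - [17/Sep/2003:10:04:12 -0600] "POST /cgi-sys/formmail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Sep/2003:10:05:07 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 310 "-" "-"
198.51.100.7 - - [17/Sep/2003:10:06:55 -0600] "POST /cgi-sys/formmail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [17/Sep/2003:10:07:00 -0600] "GET /cgi-sys/formmail.cgi HTTP/1.0" 200 512 "-" "Mozilla/5.0"
EOF

# Threshold (assumed): report IPs with more than this many formmail requests.
MIN_HITS=${MIN_HITS:-2}

# formmail_hits LOGFILE... : print "COUNT IP" for every client IP with more
# than MIN_HITS requests whose request path contains "/formmail." followed by
# a script extension (cgi, pl, ...). Static formmail.html pages are dropped.
formmail_hits() {
    grep -h '"[A-Z]* [^ ]*/formmail\.[a-z]*' "$@" |
        grep -v 'formmail\.html' |
        cut -d' ' -f1 |
        sort | uniq -c | sort -rn |
        awk -v min="$MIN_HITS" '$1 > min { print $1, $2 }'
}

# account_level_hits LOGFILE... : same, but excluding the server-wide
# /cgi-sys/ script, so only formmail copies installed inside individual
# accounts remain (the distinction the follow-up grep command draws).
account_level_hits() {
    grep -h '"[A-Z]* [^ ]*/formmail\.[a-z]*' "$@" |
        grep -v 'formmail\.html' | grep -v '/cgi-sys/' |
        cut -d' ' -f1 |
        sort | uniq -c | sort -rn |
        awk -v min="$MIN_HITS" '$1 > min { print $1, $2 }'
}

echo "All formmail requests (more than $MIN_HITS per IP):"
formmail_hits "$SAMPLE_LOG"
echo "Account-level formmail scripts only:"
account_level_hits "$SAMPLE_LOG"
```

On the sample log this prints 198.51.100.7 (4) and 203.0.113.5 (3) in the first list and only 203.0.113.5 in the second; 192.0.2.10 falls under the threshold because its formmail.html page view is not counted. Pass real log paths (for example /home*/*/*-logs/access-log) instead of the sample file to run it against a server. If an address shows up as several separate rows with small counts, the input reached uniq -c unsorted; the sort in front of it is what turns those partial runs into one total per IP.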
