Possible spammer problem

Earlier today I noticed a verizon.net customer making some interesting attempts on a server that I have. Here is an example of what he was doing.

07/12-14:09:16.754871 [**] [1:1610:5] WEB-CGI formmail arbitrary command execution attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 151.197.244.196:3845 -> 216.40.242.78:80

07/12-14:09:44.813499 [**] [1:1610:5] WEB-CGI formmail arbitrary command execution attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 151.197.244.196:4189 -> 216.40.242.78:80

07/12-14:10:11.433609 [**] [1:1610:5] WEB-CGI formmail arbitrary command execution attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 151.197.244.196:4533 -> 216.40.242.78:80

07/12-14:10:39.523256 [**] [1:1610:5] WEB-CGI formmail arbitrary command execution attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 151.197.244.196:4879 -> 216.40.242.78:80
Now, I went and ran a locate formmail and locate FormMail and was unable to locate any copies of formmail.cgi or formmail.pl on the box.

However, in Pine I saw a lot of Undeliverable: Unknown User emails from today. For example:

Date: Sat, 12 Jul 2003 06:54:35 -0400 (EDT)
From: Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
To: apache@ns1.square-network.com
Subject: Returned mail: User unknown
Parts/Attachments:
1 Shown 40 lines Text
2 Shown 759 bytes Message, "Delivery Status"
3 Shown 886 bytes Message, "What you been up to?"
3.1 Shown 3 lines Text
----------------------------------------

The original message was received at Sat, 12 Jul 2003 06:54:30 -0400 (EDT)
from ns1.square-network.com [216.40.242.200]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<bbyblujane@aol.com>
<bbyblujbug@aol.com>
<marchfarm@aol.com>

----- Transcript of session follows -----
... while talking to air-yb04.mail.aol.com.:
>>> RCPT To:<marchfarm@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <marchfarm@aol.com>... User unknown
>>> RCPT To:<bbyblujbug@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <bbyblujbug@aol.com>... User unknown
>>> RCPT To:<bbyblujane@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <bbyblujane@aol.com>... User unknown

[ Part 2: "Delivery Status" ]

Reporting-MTA: dns; rly-yb05.mx.aol.com
Arrival-Date: Sat, 12 Jul 2003 06:54:30 -0400 (EDT)

Final-Recipient: RFC822; bbyblujane@aol.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-yb04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Sat, 12 Jul 2003 06:54:34 -0400 (EDT)

Final-Recipient: RFC822; bbyblujbug@aol.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-yb04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Sat, 12 Jul 2003 06:54:34 -0400 (EDT)

Final-Recipient: RFC822; marchfarm@aol.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-yb04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Sat, 12 Jul 2003 06:54:34 -0400 (EDT)


[ Part 3: "Included Message" ]

Date: Sat, 12 Jul 2003 06:58:43 -0500
From: Marian35372_17693@hotmail.com
To: bbyblujane@aol.com, bbyblujbug@aol.com, bbyblujewl@aol.com, marchfarm@aol.com, bbyblujt81@aol.com
Subject: What you been up to?

QvLXPiAvup1353: <a href="http://go.msn.com/0000/5/12.asp?target=http://members.aol.com/sutherntwang">This is my very VERY
personal webcam, please tell me what you think.
realname: Cody
So, I went into /var/log/maillog and looked to see what has been going on and here is what I found along with many others like it.

Jul 12 06:58:43 ns1 sendmail[25043]: h6CBwhj25040: to=bbyblujane@aol.com,bbyblujbug@aol.com,bbyblujewl@aol.com,marchfarm@aol.com,bbyblujt81@aol.com, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150413, relay=mailin-01.mx.aol.com. [205.188.156.122], dsn=2.0.0, stat=Sent (OK)
However, the problem is that I *cannot* find anywhere on the server that these are actually coming from. I don't believe that I have any open relays and have scanned it in the past to make sure that no open relays exist.

Can anyone help out and tell me what I'm missing here and where exactly I need to look to track down to see if there is a spamming site on this server?
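The maillog entry quoted above carries the key clue: `ctladdr=apache (48/48)` means sendmail accepted the message from a local process running as the web server user, not from a remote relay client. The following script (an added example, not something from the original post) parses sendmail `to=` lines in that format and flags messages submitted by the web server account to several recipients, which is the pattern to correlate against the web access log at the same timestamp. The log lines are constructed samples modelled on the one in the post, and the set of web server user names is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/maillog lines in sendmail format. The first is the
# entry quoted in the post; the other two are made up for contrast.
SAMPLE_MAILLOG = """\
Jul 12 06:58:43 ns1 sendmail[25043]: h6CBwhj25040: to=bbyblujane@aol.com,bbyblujbug@aol.com,bbyblujewl@aol.com,marchfarm@aol.com,bbyblujt81@aol.com, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150413, relay=mailin-01.mx.aol.com. [205.188.156.122], dsn=2.0.0, stat=Sent (OK)
Jul 12 07:01:10 ns1 sendmail[25101]: h6CC1Aj25099: to=user1@example.net,user2@example.net, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:01, mailer=esmtp, pri=120000, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Jul 12 07:05:00 ns1 sendmail[25150]: h6CC50j25148: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
"""

# sendmail "to=" delivery record: timestamp, queue id, recipient list,
# controlling user (ctladdr) with its uid, and final delivery status.
TO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"to=(?P<rcpts>[^ ]+), ctladdr=(?P<ctl>\S+) \((?P<uid>\d+)/\d+\).*?"
    r"stat=(?P<stat>.*)$"
)

# Assumed account names a web server or CGI process typically runs as.
WEB_USERS = ("apache", "www-data", "httpd", "nobody")


def parse_to_lines(text):
    """Return one dict per sendmail 'to=' record found in the log text."""
    events = []
    for line in text.splitlines():
        m = TO_LINE.match(line)
        if not m:
            continue  # queue-id/from= records and unrelated lines are skipped
        rcpts = [r for r in m.group("rcpts").split(",") if r]
        events.append({"ts": m.group("ts"), "qid": m.group("qid"),
                       "ctladdr": m.group("ctl"), "uid": int(m.group("uid")),
                       "rcpts": rcpts, "stat": m.group("stat")})
    return events


def flag_web_user_mail(events, web_users=WEB_USERS, min_rcpts=2):
    """Messages submitted locally by the web server user to >= min_rcpts addresses.

    Each hit gives a timestamp to look up in the web access log: the request
    that ran at that second is the script (e.g. a CGI) that sent the mail."""
    return [e for e in events
            if e["ctladdr"] in web_users and len(e["rcpts"]) >= min_rcpts]


def summarize_by_ctladdr(events):
    """Map ctladdr -> (message count, total recipients) for a quick overview."""
    summary = defaultdict(lambda: [0, 0])
    for e in events:
        summary[e["ctladdr"]][0] += 1
        summary[e["ctladdr"]][1] += len(e["rcpts"])
    return {user: tuple(v) for user, v in summary.items()}


if __name__ == "__main__":
    evs = parse_to_lines(SAMPLE_MAILLOG)
    for hit in flag_web_user_mail(evs):
        print(hit["ts"], hit["qid"], hit["ctladdr"], len(hit["rcpts"]), "rcpts")
    print(summarize_by_ctladdr(evs))
```

Run it against the real `/var/log/maillog`; every flagged timestamp should match a request in the Apache access log, which identifies the script the sender is driving.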
