Since I’ve only had this site up for a few days, I still have fun looking at the access logs to see who is visiting. While perusing, I noticed a series of entries that looks like this:
220.127.116.11 - - [20/Jul/2002:23:32:27 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 - "http://MATTHEWSIM.COM/contact.htm" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)"
The other URLs that he tried to access are /cgi-bin/formmail.cgi, /cgi-local/formmail.pl, /cgibin/formmail.pl, /cgi-local/formmail.cgi, and /cgibin/formmail.cgi. None of these exist on my site.
This looks like someone is trying to use my web site to send e-mail. formmail must be an easily exploitable CGI that is often installed by default. Perhaps a spammer is looking for an innocent host to act as a relay.
Using the Sarangworld Traceroute Project, I traced 18.104.22.168 to 1Cust231.tnt1.ladue.mo.da.uu.net, a UUNET customer in Ladue, MO.
I suspect this sort of thing happens all the time. As an experiment, I forwarded this information to UUNET’s security department and my web provider. I’ll let you know if I receive a reply.
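A way to pull this kind of probing out of an access log automatically, added here as an example and not part of the original post: it groups requests for the six formmail paths listed above by client and separately reports any that did not return 404. The function name, the threshold and the sample log lines (which use documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# The six locations probed in the log entries described in the post.
FORMMAIL_PATHS = {
    "/cgi-bin/formmail.pl", "/cgi-bin/formmail.cgi",
    "/cgi-local/formmail.pl", "/cgi-local/formmail.cgi",
    "/cgibin/formmail.pl", "/cgibin/formmail.cgi",
}

# Apache combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_formmail_probes(lines, min_paths=2):
    """Map each client that requested at least min_paths distinct formmail
    locations to the paths it tried and the ones that did not return 404."""
    tried = defaultdict(set)
    found = defaultdict(set)
    for line in lines:
        # Tolerate typographic quotes introduced when a log line is pasted.
        line = line.replace("\u201c", '"').replace("\u201d", '"')
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if path not in FORMMAIL_PATHS:
            continue
        tried[m.group("host")].add(path)
        if m.group("status") != "404":
            # The script may actually exist here: check this first.
            found[m.group("host")].add(path)
    return {
        host: {"paths": sorted(paths), "found": sorted(found[host])}
        for host, paths in tried.items() if len(paths) >= min_paths
    }

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE = [
    '192.0.2.10 - - [20/Jul/2002:23:32:27 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 - "-" "Mozilla/4.0"',
    '192.0.2.10 - - [20/Jul/2002:23:32:28 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 - "-" "Mozilla/4.0"',
    '192.0.2.10 - - [20/Jul/2002:23:32:29 -0500] \u201cPOST /cgibin/formmail.pl HTTP/1.0\u201d 404 - "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Jul/2002:23:40:02 -0500] "GET /contact.htm HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Jul/2002:23:40:05 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 - "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, info in find_formmail_probes(SAMPLE).items():
        print(host, info)
```

An entry with a non-empty `found` list means one of the probed paths was answered with something other than 404, so a formmail script may really be installed at that location.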