First attempted crack?
Since I’ve only had this site up for a few days, I still have fun looking at the access logs to see who is visiting. While perusing, I noticed a series of entries that look like this:
65.239.144.231 - - [20/Jul/2002:23:32:27 -0500] “POST /cgi-bin/formmail.pl HTTP/1.0” 404 - “http://MATTHEWSIM.COM/contact.htm” “Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)”
The other URLs that he tried to access are /cgi-bin/formmail.cgi, /cgi-local/formmail.pl, /cgibin/formmail.pl, /cgi-local/formmail.cgi, and /cgibin/formmail.cgi. None of these exist on my site.
This looks like someone is trying to use my web site to send e-mail. formmail must be an easily exploitable CGI script that is often installed by default. Perhaps a spammer is looking for an innocent host to act as a relay.
Using the Sarangworld Traceroute Project, I traced 65.239.144.231 to 1Cust231.tnt1.ladue.mo.da.uu.net, a UUNET customer in Ladue, MO.
I suspect this sort of thing happens all the time. As an experiment, I forwarded this information to UUNET’s security department and my web provider. I’ll let you know if I receive a reply.
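As an added example (not code from the original post), here is a small Python script that parses Apache combined-format access log lines like the one above, groups FormMail probe requests by client IP, and flags any probe that got a 2xx answer, which would mean the script really is installed and should be checked. The log lines other than the one quoted in the post are constructed for the sample.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script locations the scanner in the post tried; compared case-insensitively,
# since FormMail.pl and formmail.pl are both common install names.
FORMMAIL_PATHS = {
    "/cgi-bin/formmail.pl", "/cgi-bin/formmail.cgi", "/cgi-local/formmail.pl",
    "/cgi-local/formmail.cgi", "/cgibin/formmail.pl", "/cgibin/formmail.cgi",
}

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_formmail_probes(lines):
    """Group FormMail probes by client IP: which paths were tried, when the first
    probe arrived, and how many requests got a 2xx (i.e. the script really exists)."""
    probes = defaultdict(lambda: {"paths": set(), "first": None, "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()   # drop any query string
        if path not in FORMMAIL_PATHS:
            continue
        entry = probes[rec["ip"]]
        entry["paths"].add(path)
        entry["first"] = entry["first"] or rec["ts"]
        entry["hits"] += int(rec["status"].startswith("2"))
    return {ip: {"paths": sorted(e["paths"]), "first": e["first"], "hits": e["hits"]}
            for ip, e in probes.items()}

# Constructed sample: the entry from the post plus made-up lines (192.0.2.0/24 is
# documentation address space); the last one shows what a successful probe looks like.
SAMPLE_LOG = [
    '65.239.144.231 - - [20/Jul/2002:23:32:27 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 - "http://MATTHEWSIM.COM/contact.htm" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)"',
    '65.239.144.231 - - [20/Jul/2002:23:32:28 -0500] "POST /cgi-local/formmail.cgi HTTP/1.0" 404 - "http://MATTHEWSIM.COM/contact.htm" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)"',
    '192.0.2.10 - - [21/Jul/2002:08:01:12 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [21/Jul/2002:08:01:14 -0500] "POST /cgi-bin/FormMail.pl?x=1 HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, info in find_formmail_probes(SAMPLE_LOG).items():
        flag = "  <-- script answered, check it is not relaying mail" if info["hits"] else ""
        print(f"{ip}: first {info['first']}, tried {info['paths']}{flag}")
```

Running it against a real access_log (one line per list element) gives the per-IP summary that is useful when forwarding a report to the source network's abuse contact.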
Peter posted on 2002-07-22 (source):
Very funny is that I was experimenting at home with SMTP and relaying and left my server wide open. A couple days later, I'm trying to surf the latest NASCAR news and my connection is dead. I look at the modem and it is going crazy! Someone found my mail server with its open relay and was sending thousands of XXX emails! My little Linux box did its best, but the maillog got full of "undeliverable mail" messages. I had to reboot. Anything can happen on the net. pxg