Possible hacker alert...


Ivydee
5-29-03, 02:28 PM
I had the following show up in my access log this morning:

IP Address: 200.83.0.201
Time: 29/May/2003:03:42:41 -0700

Tried to access nonexistent files:

"POST /cgi-bin/FormMail.pl HTTP/1.1"
"POST /cgi-bin/form.pl HTTP/1.1"
"POST /cgi-bin/formmail.pl HTTP/1.1"
"POST /cgi-bin/Mail.pl HTTP/1.1"
"POST /cgi-bin/Form.pl HTTP/1.1"
"POST /cgi-bin/mail.pl HTTP/1.1"

Not sure what it means, what they were trying to do but thought I should let someone know.

IP belongs to someone in Santiago, Chile...

sandy
5-29-03, 02:46 PM
Not sure what it means, what they were trying to do but thought I should let someone know.

This is a frequent occurrence. They're just scanning your site to see what files they can find. I receive these all the time, looking for Microsoft Office programs, forms, music, etc.

I use ZoneAlarm to protect my system, and also use 2 anti-virus programs that run all the time. Just protect yourself and you won't have anything to worry about.

But don't worry about what you see. It's not a big deal.

Sandy

stevel
5-29-03, 02:46 PM
Not hacker, spammer. They're looking for insecure FormMail scripts that they can hijack to send spam. It has nothing to do with your local PC.

If you want to use a FormMail script, use PowWeb's central script, or install your own that has the security fixes applied to it and call it something unusual so the spammers can't find it.

The scans looking for Microsoft Office programs are hackers trying to exploit holes in Microsoft's web server software. PowWeb, running FreeBSD, doesn't have this particular vulnerability. But even if it did, they're attacking PowWeb and not your own computer.
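
As an added illustration of the point above (this is example code, not part of the original thread or of PowWeb's tooling): a small Python scanner that reads Apache-style access log lines and picks out POSTs to the script names spammers probe for. It separates probes that got a 404 (nothing to worry about, as stevel says) from probes that got a 200, which would mean a FormMail-like script actually exists under a guessable name. The six lines from 200.83.0.201 are the ones in the original post; the remaining lines, the 192.0.2.77 address and the probe-name list are constructed for the example.

```python
import re

# Apache common log format, the style of access log quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Script names spammers guess at. Assumption: the names from the post plus two
# common variants; compared case-insensitively because the scan tried both cases.
PROBE_NAMES = {"formmail.pl", "formmail.cgi", "form.pl", "mail.pl", "formail.pl"}


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_formmail_probe(rec):
    """True for a POST whose script basename is one of the guessed FormMail names."""
    if rec["method"] != "POST":
        return False
    name = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return name in PROBE_NAMES


def find_formmail_probes(lines):
    """Return {ip: {"probes": count, "found": [paths that answered 200]}}.

    A 404 means the spammer guessed wrong; a 200 means a script with a guessable
    name really is installed and should be checked or renamed.
    """
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_formmail_probe(rec):
            continue
        entry = summary.setdefault(rec["ip"], {"probes": 0, "found": []})
        entry["probes"] += 1
        if rec["status"] == 200:
            entry["found"].append(rec["path"])
    return summary


# Constructed sample log: the first six lines reproduce the post's requests (the
# status and size fields are assumed), the rest are made up for the example.
SAMPLE_LOG = [
    '200.83.0.201 - - [29/May/2003:03:42:41 -0700] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 298',
    '200.83.0.201 - - [29/May/2003:03:42:41 -0700] "POST /cgi-bin/form.pl HTTP/1.1" 404 294',
    '200.83.0.201 - - [29/May/2003:03:42:42 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 298',
    '200.83.0.201 - - [29/May/2003:03:42:42 -0700] "POST /cgi-bin/Mail.pl HTTP/1.1" 404 294',
    '200.83.0.201 - - [29/May/2003:03:42:43 -0700] "POST /cgi-bin/Form.pl HTTP/1.1" 404 294',
    '200.83.0.201 - - [29/May/2003:03:42:43 -0700] "POST /cgi-bin/mail.pl HTTP/1.1" 404 294',
    # Legitimate traffic, including a POST to a renamed contact script: not flagged.
    '10.0.0.5 - - [29/May/2003:08:15:02 -0700] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [29/May/2003:08:15:09 -0700] "POST /cgi-bin/ivydee_contact.pl HTTP/1.1" 200 512',
    # A probe that found a real script under a guessable name: this is the one to act on.
    '192.0.2.77 - - [29/May/2003:09:01:11 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for ip, info in find_formmail_probes(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the sample, the Chilean address shows six probes and nothing found, exactly the harmless case in the thread, while the constructed 192.0.2.77 entry lists /cgi-bin/formmail.cgi as a live script worth auditing or renaming. Feeding it a real access log is a matter of passing the file's lines instead of SAMPLE_LOG.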

Ivydee
5-29-03, 03:01 PM
That's pretty much what I thought it was: spammer.

I knew it had nothing to do with my local PC and figured that powweb probably already had some way to protect themselves against it but felt obligated to mention it!

Thanks for the 411 !

Philatelius
5-29-03, 08:24 PM
Please forgive my ignorance, but is the nms formmail revision one that has the necessary security fixes? Documentation says it is nms Formmail Version 1.00 (cvs v1.87). I don't want to have something on the server that will cause problems. Thanks in advance for the help.

stevel
5-29-03, 08:47 PM
I don't know that one. I use ftp://ftp.monkeys.com/pub/formmail/1.9s/FormMail.pl

Whatever you use, DON'T call it "formmail" or "form" or "mail" - rename it to be something specific to your domain. Just use the same name in your web page that refers to it.
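
Renaming the script hides it from scanners, but what actually stops a hijacked form from relaying spam is the recipient allowlist that the "security fixes" stevel mentions add: early FormMail versions took the destination address from a hidden `recipient` form field, so anyone who found the script could mail anyone. The following is an added example in Python, not the nms or monkeys.com code and not anything from the original thread, showing the checks such a hardened form-to-mail handler performs before it sends anything. The domain names and mailboxes in the allowlists are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumed site configuration, not the page's own: which pages may post to the
# script and which mailboxes it may deliver to. An unpatched FormMail had no such
# list and trusted the submitted "recipient" field outright.
ALLOWED_REFERER_HOSTS = {"example.org", "www.example.org"}
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}
ALLOWED_RECIPIENT_DOMAINS = {"example.org"}

ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# A CR or LF in a field that ends up in a mail header lets the sender append
# headers of their own (extra Bcc: lines, for instance).
HEADER_INJECTION = re.compile(r"[\r\n]")


def recipient_allowed(addr):
    """Accept an exact allowlisted mailbox or any mailbox in an allowlisted domain."""
    addr = addr.strip().lower()
    if not ADDRESS_RE.match(addr):
        return False
    if addr in ALLOWED_RECIPIENTS:
        return True
    return addr.rsplit("@", 1)[1] in ALLOWED_RECIPIENT_DOMAINS


def referer_allowed(referer):
    """Check the Referer host against the site's own hostnames."""
    if not referer:
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in ALLOWED_REFERER_HOSTS


def validate_submission(form, referer):
    """Decide whether a submission may be mailed.

    form is a dict of submitted fields as a FormMail-style CGI sees them
    (recipient, email, subject, realname, ...). Returns (ok, reason).
    """
    if not referer_allowed(referer):
        return False, "bad referer"
    recipients = [r for r in form.get("recipient", "").split(",") if r.strip()]
    if not recipients:
        return False, "no recipient"
    for r in recipients:
        if not recipient_allowed(r):
            return False, "recipient not in allowlist: " + r.strip()
    for field in ("email", "subject", "realname"):
        if HEADER_INJECTION.search(form.get(field, "")):
            return False, "newline in " + field
    return True, "ok"


if __name__ == "__main__":
    page = "https://www.example.org/contact.html"
    # A real visitor using the site's own form.
    print(validate_submission({"recipient": "webmaster@example.org",
                               "email": "visitor@example.net",
                               "subject": "question"}, page))
    # A spammer who found the script and points "recipient" at a victim list.
    print(validate_submission({"recipient": "victim@elsewhere.net",
                               "subject": "buy now"}, page))
    # Header injection through the subject field.
    print(validate_submission({"recipient": "webmaster@example.org",
                               "subject": "hi\nBcc: victim@elsewhere.net"}, page))
```

The Referer check alone is not a security boundary, since a client sets that header and a spam tool will happily forge it; the recipient allowlist is what closes the relay, and the newline check stops a sender from smuggling extra headers past it. Renaming the script on top of these checks just keeps the probes from finding it in the first place.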