1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Someone trying to get to my cgi-bin/formmail

Discussion in 'Bits & Bytes' started by Sharondippity, Dec 19, 2002.

  1. Sharondippity

    Sharondippity Sweetness and Light

    I noticed on my webalizer stats for my website that someone had a 404

    Host: 24.166.67.119
    Url: /cgi-bin/formmail.cgi
    Http Code : 404
    Date: Dec 19 12:22:47
    Http Version: HTTP/1.0 Size in Bytes: -
    Referer: http://www.sharondippity.com/

    Their IP resolves to RoadRunner.

    Now I don't use or have formmail, so that's why it 404'd. But if I DID have that, what would they have been able to do? What were they looking for?
     
  2. Techie2000

    Techie2000 The crowd would sing:

    I'd guess it's a spam bot. More info on formmail.cgi can be found by <A HREF=http://www.scriptarchive.com/formmail.html>clicking here</A>.
     
  3. Copzilla

    Copzilla dangerous animal Staff Member

    They were checking to see if you had one, and if you did, see if they could hijack it to send spam.

    I have formmail installed on my domain, but it's locked out from outside domains.

    Older versions or unsecured versions of formmail allow outside domains to post to it, basically allowing them to use Sendmail from your server. Poof, no SMTP activity on their end, no problem.
     
  4. Sharondippity

    Sharondippity Sweetness and Light

    Thanks for the link Techie
     
  5. Sharondippity

    Sharondippity Sweetness and Light

    Can this be true?

    The latest IP to snoop for a formmail was listed as :

    Querying whois.arin.net with "206.74.121.69"...

    Info Avenue Internet Services, LLC IAVE-4 (NET-206-74-0-0-1)
    206.74.0.0 - 206.74.255.255
    Lexington City Middle School SB-206-74-121 (NET-206-74-121-0-1)
    206.74.121.0 - 206.74.121.255

    # ARIN Whois database, last updated 2002-12-22 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.

    Querying whois.arin.net with "!NET-206-74-121-0-1"...

    OrgName: Lexington City Middle School
    OrgID: LCMS

    NetRange: 206.74.121.0 - 206.74.121.255
    CIDR: 206.74.121.0/24
    NetName: SB-206-74-121
    NetHandle: NET-206-74-121-0-1
    Parent: NET-206-74-0-0-1
    NetType: Reassigned
    Comment:
    RegDate: 1996-05-09
    Updated: 1996-05-09

    TechHandle: TRM3-ARIN
    TechName: McKee, Timothy
    TechPhone: +1-803-802-4600
    TechEmail: mckee@admin.infoave.net



    Now is it likely that the IP is a spoof, and they're able to use a cloak of some type?
     

Share This Page