
"HEAD /cgi-bin/formmail.pl HTTP/1.1"

what is this about?


Helena

9:33 pm on Jan 27, 2003 (gmt 0)

10+ Year Member



Hi,

about a month ago I got my first webpage on the net. Since there have been some problems with the stats analysing program, I've had to look directly at the log file to see the traffic to my page. Today I noticed some odd entries:

195.101.23.4 - - [27/Jan/2003:05:20:03 +0000] "HEAD /cgi-bin/formmail.pl HTTP/1.1" 404 645 "http://wwWebmasterWorldebsite.com/" "-"

196.30.134.10 - - [27/Jan/2003:05:20:11 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 645 "http://wwWebmasterWorldebsite.com/" "-"

203.235.116.160 - - [27/Jan/2003:05:20:11 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 645 "http://wwWebmasterWorldebsite.com/" "-"

213.56.102.115 - - [27/Jan/2003:05:20:23 +0000] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 657 "http://wwWebmasterWorldebsite.com/" "-"

What does this mean? Is someone trying to send spam through my website? (and in that case, did they succeed?) What is cgi-bin? And also, most entries start with GET, why does this one (and a couple of others) start with HEAD?

I would be very happy if I got answers to these questions.

Helena

Dreamquick

10:22 pm on Jan 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Did it work?

No, your logs show a 404 (file not found), so I doubt you even have it installed.

Why HEAD and not GET?

They're spamming scum, don't dote on such things for that way madness lies! :)

Most likely they are attempting to look for scripts without tripping too many alarms (since they think, wrongly, that people only check for GET & HEAD exploit attempts).

- Tony

pendanticist

10:38 pm on Jan 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to WebmasterWorld Helena :)

Pendanticist.

Helena

4:52 pm on Jan 29, 2003 (gmt 0)

10+ Year Member



Thank you :)

Do you have any tip on where to find information on how to interpret the log file and what the different codes (like 404) mean?

Helena

Dreamquick

5:09 pm on Jan 29, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The official one is here;

[w3.org...]

Generally the first digit tells you the generic status;

2XX - Server gave some content to the user without issue
200 Success (client requested entire resource)
206 Success (client requested a range)

3XX - Resource has been moved, tell user new location
301 Moved permanently (go there now and next time)
302 Moved temporarily (go there now, but come here next time)

4XX - There was a problem and it was the user's fault
400 Client didn't use the correct syntax
401 Client needs to authorise themselves
403 Not allowed to give client that resource
404 Cannot find the resource
406 Client doesn't understand the resource

5XX - There was a problem and it was the server's fault
500 Server error

-Tony

perch

8:25 pm on Jan 29, 2003 (gmt 0)

10+ Year Member



Somebody was trying to find a hole on your web site so they can break in.

Apparently this guy failed because you don't have a FormMail script on
your site.

SuzyUK

8:33 pm on Jan 29, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've been seeing a lot of this in the last few days in my logs too, but I don't have the script either. They're also looking for dummy.pl in the same directory.

You think they'd have better things to do!

Suzy

Dreamquick

8:36 pm on Jan 29, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Somebody was trying to find a hole on your web site so they can break in.

Close but not quite...

If they really had found what they were looking for they wouldn't have used it to break into the site - they would have used it to send out junkmail via Helena's website.

Normally you'd be right in saying that script scanning is an attempt to crack the site but they went for formmail rather than trying more juicy scripts first which suggests they were after that and that alone - if you browse your logs from time to time you notice spammers doing this stuff a lot, often searching for pl and cgi with a mix of uppercase and lowercase filenames.

- Tony
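To make Tony's two points concrete (the status-code classes listed above, and the spammers' habit of probing for formmail with mixed-case filenames), here is an added log-scanning example. It is not code from the thread; the log format is the Apache/NCSA combined format the quoted entries use, the probe names are the ones named in this thread, and the sample lines are constructed (the 200 response is invented to show what a successful probe would look like).

```python
import re
from collections import defaultdict

# Apache/NCSA combined log format, matching the entries quoted in this thread.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Script names the thread says spammers probe for; compared case-insensitively
# because, as Tony notes, the scans mix upper- and lowercase filenames.
PROBE_NAMES = {"formmail.pl", "formmail.cgi", "dummy.pl"}

# Generic meaning of each status class, per Tony's summary in this thread.
STATUS_CLASS = {"2": "success", "3": "redirect", "4": "client error", "5": "server error"}

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status_class"] = STATUS_CLASS.get(entry["status"][0], "unknown")
    return entry

def is_probe(entry):
    """True if the request targets one of the scripts spammers scan for."""
    name = entry["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return name in PROBE_NAMES

def summarize_probes(lines):
    """Per source IP: probe hits, how many were answered 2xx, and the paths tried."""
    report = defaultdict(lambda: {"hits": 0, "served": 0, "paths": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_probe(entry):
            continue
        rec = report[entry["ip"]]
        rec["hits"] += 1
        rec["paths"].add(entry["path"])
        if entry["status_class"] == "success":  # 2xx: the script exists and answered
            rec["served"] += 1
    return dict(report)

# Constructed sample, modelled on the entries quoted in the thread (the 200 line is invented).
SAMPLE = [
    '195.101.23.4 - - [27/Jan/2003:05:20:03 +0000] "HEAD /cgi-bin/formmail.pl HTTP/1.1" 404 645 "-" "-"',
    '212.54.0.24 - - [18/Feb/2003:11:29:47 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 645 "-" "-"',
    '212.54.0.24 - - [18/Feb/2003:11:29:47 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 645 "-" "-"',
    '10.0.0.9 - - [18/Feb/2003:11:30:02 +0000] "GET /cgi-bin/FormMail.PL?recipient=x HTTP/1.0" 200 1023 "-" "-"',
    '10.0.0.9 - - [18/Feb/2003:11:30:05 +0000] "GET /index.html HTTP/1.0" 200 2048 "-" "-"',
]
```

Any IP with `served` greater than zero is the case to worry about: a 2xx means the probed script is actually installed and responded, whereas the 404s in this thread show the scan found nothing.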

Helena

8:04 pm on Feb 18, 2003 (gmt 0)

10+ Year Member



These little twats that try to get the formmail really annoy me. I SO would like to get them into trouble.

Today for example, these entries were in the logfile:

212.54.0.24 - - [18/Feb/2003:11:29:47 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 645 "http://wwWebmasterWorldebsite.net/" "-"

212.54.0.24 - - [18/Feb/2003:11:29:47 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 645 "http://wwWebmasterWorldebsite.net/" "-"

A search on the RIPE Whois Database tells me the IP is owned by Elisa Internet Ltd in Finland (FI-KOLUMBUS-NET). A search on VisualRoute, a service that somehow tracks the IP, yields zombiemud.megabaud.fi (in kolumbus.net). I'm not 100% sure, but I think this could be the actual user...

What if I were to write to abuse@kolumbus.fi and report this loser? Is this a bad idea? Would I get more trouble than twisted malicious pleasure if I did that?

Helena

pendanticist

10:45 pm on Feb 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What if I were to write to abuse@kolumbus.fi and report this loser? Is this a bad idea? Would I get more trouble than twisted malicious pleasure if I did that?

Report each and every one of them. They are bottom feeders whose sole purpose is to find vulnerabilities through which to send UCE/SPAM.

Let no one dissuade you.

Another thread:

CGI-BIN Formmail Queries <- I'm fighting with a major University
Are there "any" legitimate reasons for them?
[webmasterworld.com]

I can't find this one - "UCE/SPAMers using Open Proxy..." where I mentioned closing two open proxies in a week.

The idea behind reporting these bottom feeders is keeping them busy jumping from ISP to ISP on a continual basis.

Do not disillusion yourself that these queries are not serious because they are...very serious. Especially if they find that vulnerability.

Makes no difference to me whether they were successful or not. The very fact that they tried was enough for me.

You can make a difference! Report them.

Pendanticist.