11-16-2005
Tauno Voipio
 
Re: mailform hacking

Andy Jacobs wrote:
>
> the other one that intrigues me is from the same address and that's the
> first one as it appears to be accessing a file that's outside of
> anything web accessible.
>
> I'm still interested in knowing if these are people trying to use the
> form from outside - i.e. through the browser, or whether the server has
> been compromised. The form2mail.php file was installed yesterday, went
> live with a new site on the domain this afternoon and was being used
> within a couple of hours. How could anyone find this file?


Do any of the publicly accessible pages have links to
the form?

The crackers are using Web crawler scripts which just
collect links to other pages referred to in the accessible
ones. It seems that your server has been catalogued with
a cracker and he's just looking how far he's able to
crawl inside your Apache.

I moved my Apache to a non-standard high port when I
got tired of the IIS buffer overflow crack attempts
in my log. It was nearly a megabyte a day; each attempt
used a little over a kilobyte.

---

I guess that there is a poor student at the university
unknowingly hosting a zombie. The admin may close him down,
but I doubt that the real culprit is there.

--

Tauno Voipio
tauno voipio (at) iki fi