Exploited mail program/cgi??

[myrem]

I was watching the exim log when I saw these entries pop up:

------
2003-10-18 21:37:08 1AB2VI-00049o-KH <= chunsengchen@yahoo.com U=nobody P=local S=2025
2003-10-18 21:37:08 1AB2VI-00049p-Me <= chunsengchen@yahoo.com U=nobody P=local S=2374
2003-10-18 21:37:12 1AB2VI-00049p-Me mx2.mail.yahoo.com [64.157.4.78]: Connection refused
2003-10-18 21:37:13 1AB2VI-00049p-Me => chunsengchen@yahoo.com R=lookuphost T=remote_smtp H=mx2.mail.yahoo.com [64.156.215.6]
2003-10-18 21:37:13 1AB2VI-00049p-Me Completed
2003-10-18 21:37:14 1AB2VI-00049o-KH => chiewster@hotmail.com R=lookuphost T=remote_smtp H=mx2.hotmail.com [65.54.254.145]
2003-10-18 21:37:14 1AB2VI-00049o-KH Completed

------

Does this look to you as it does to me? That somebody just sent a test through a vulnerable mail program on my server??? User: nobody would be a script, yes?

How can I find what script they used?

[myrem]

more..

Found in the "nobody" relay log in WHM:

--------

Anyone have any ideas on how to track this down?

PHP Code:

Time Sent Message Id Sender Destination Size in Bytes 
2003-10-18 22:37:14 1AB2VI-00049o-K [email]chunsengchen@yahoo.com[/email] [email]chiewster@hotmail.com[/email] 2025 
2003-10-18 22:37:13 1AB2VI-00049p-M [email]chunsengchen@yahoo.com[/email] [email]chunsengchen@yahoo.com[/email] 2374 
2003-10-18 20:04:55 1AB07v-0001vh-S [email]chunsengchen@yahoo.com[/email] [email]day.chris@spartan.ab.ca[/email] 1507 
2003-10-18 20:04:54 1AB07v-0001vi-V [email]chunsengchen@yahoo.com[/email] [email]chunsengchen@yahoo.com[/email] 1851 
2003-10-18 19:48:14 1AAzrl-0001eb-R [email]chunsengchen@yahoo.com[/email] [email]day.chris@spartan.ab.ca[/email] 2479 


[markie]

Iam also seeing alot of these. You can find them if you click on View Relayers in WHM.

1 example.
2003-10-19 13:37:48 1ABJN2-0000e6-5 edfan@earthlink.net longlegs929@yahoo.com 1075