Someone posted some code similar to below, I made modifications or two after trying to detect PHP "nobody" users, after dumping a few printenv I found PHP exports PWD when calling an external program such sendmail. Basically the PWD will show the user directory that is coming from, which is enough to detect who is sending SPAM even as nobody! It's not 100% secure in that they could wipe /var/log/formmail but I don't imagine any spam will notice the logger, they presume any cPanel server (or other CP for that matter) is the same.

mv /usr/sbin/sendmail /usr/sbin/sendmail2
pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail
echo > /var/log/formmail
chmod 777 /var/log/formail


#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {

print INFO "$date - $PWD - @info\n";

}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);

Great How-to Matt!

Cpanel uses Exim not Sendmail would still work?

Yes, this is intended for cPanel, one quick correction:

mv /usr/sbin/sendmail /usr/sbin/sendmail2

Should be:

mv /usr/sbin/sendmail /usr/sbin/sendmail.real

I'd also just like to reiterate I'm not the author of the script, I merely tweaked it so I could catch PHP nobody senders.

Originally posted by MattF
pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail
chmod 777 /var/log/formail


Needs to be:

pico /usr/sbin/sendmail (paste the below code into it)
chmod +x /usr/sbin/sendmail
chmod 777 /var/log/formmail

Should it also be formmail.log instead of just formmail? Nothing is being posted in the formmail file.

Originally posted by MattF
echo > /var/log/formmail
chmod 777 /var/log/formail


I was able to get it to work by changing it to

echo > /var/log/formmail.log
chmod 777 /var/log/formmail.log

Pretty nifty!

Just what I've been looking for, thanks!

(Working on a Plesk server to monitor Perl, mostly)

Nice howto.

Good idea! thanks

Come to think of it. Will this script break MailScanner or CGI files that use sendmail?

I am having an issue with putting this in. We have used MailMon for ages, but it adds load.

R=sa_localuser T=local_sa_delivery: Child process of local_sa_delivery transport returned 127 (could mean unable to exec or command does not exist) from command: /usr/sbin/sendmail

Why chmod 777? Couldn't you chmod 700 for better security?

and exim mail server?

looks like its is usefull , may i ask what is <STDIN> ???

Anybody know what this means? It prevents my scripts from sending.
Tue Jul 13 18:55:33 EDT 2004 - /home/myacct/public_html/accounts - nobody x 99 99 Nobody / /sbin/nologin

thanks,

This script was working with old Exim versions only, after some Exim update it stopped to work.
Also it show only script path as useful information, and hackers can simply use chdir php function before mail() so it will show some tmp directory always.

If somebody can update this script to work with current Exim version would be great.

However this soultion is only partly, the real solution is to patch php source code - to print mail function script name caller each time it is executed.

yeah. Why chmod 777? That's a bit risky.

pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail


Shoudl that not be

pico /usr/sbin/sendmail (paste the below code into it)
chmod +x /usr/sbin/sendmail

Originally posted by AcuNett
pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail


Shoudl that not be

pico /usr/sbin/sendmail (paste the below code into it)
chmod +x /usr/sbin/sendmail

It all depends on where it is installed... Technically it could be installed anywhere.

Here is matt's code updated.

It's worked splendidly on cpanel and plesk servers. Thanks Matt

mv /usr/sbin/sendmail /usr/sbin/sendmail.real
pico /usr/sbin/sendmail

put in:

#!/usr/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {

print INFO "$date - $PWD - @info\n";

}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);


save and exit

chmod +x /usr/sbin/sendmail
echo > /var/log/formmail.log
chmod 777 /var/log/formail.log

Thanks much!

Originally posted by AcuNett

chmod +x /usr/sbin/sendmail
echo > /var/log/formmail.log
chmod 777 /var/log/formail.log

Note that it should read: chmod 777 /var/logs/formmail.log (with two M's)

Originally posted by uneedawebsit
Note that it should read: chmod 777 /var/logs/formmail.log (with two M's)

Probably more like

chmod 770 /var/logs/formmail.log or

chmod 750 /var/logs/formmail.log or even better

chmod 700 /var/logs/formmail.log

it's not working on my server...
the script logs, but doesn't send the E-Mail
probably because of that:

root@server01 [/usr/sbin]# ./test
Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,
not directly from a shell command line. Options and/or arguments control
what it does when called. For a list of options, see the Exim documentation.

suggestions?

Originally posted by Lem0nHead
it's not working on my server...
the script logs, but doesn't send the E-Mail
probably because of that:



suggestions?

did you think about tailing the exim_mainlog? it works fine with exim

Originally posted by thelinuxguy
did you think about tailing the exim_mainlog? it works fine with exim

i tailed it and it doesn't show the E-Mail being sent

what I got from my debug:

running the tweaked sendmail script from shell, with parameters "-t -i" to the real sendmail will work
but when I set this script as the default one (/usr/sbin/sendmail) it stop working... even a simple script like:
my $mailprog = '/usr/sbin/sendmail.real';
$arg = "-t -i";
open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
print MAIL "From: test\@domain.com\n";
print MAIL "To: test\@domain.com\n";
print MAIL "Subject: test\n\n";
print MAIL "testing";
close(MAIL);

exit;

it doesn't even depends on parameters passed, so I guess the problem is the way it's being called...

but I know the script IS being in fact run (it's not a problem with the permissions of the tweaked script)...

weird...

it's not working on my server...
the script logs, but doesn't send the E-Mail


Same thing here on a test server.
After I did the instructions for cPanel (Running FreeBSD OS) sending mail with user nobody stopped working.

Anyone know whats wrong?

Would have edited but it's over 15 minutes.

Exim is failed after doing this

Decided just to update exim through SSH.
Fixed the problem but don't have the script working now.

Thanks anyway

Originally posted by Lem0nHead
i tailed it and it doesn't show the E-Mail being sent
Same thing here. Anybody get this to work?
Thanks

Hi everbody,

Sorry to break into but i am facing a similar issue,but the spammer is using some other different method.The mails leaves the server as from apache@server.com.Cud anybody help me out???

regards

Kris

Does anybody know how to modify this script so that it will log the actual email message. I realize that would make a large file, but would make it easy to track down specific spam.

The logging could be controlled by a flag so it only happens when you need it for tracinig an email source.

Originally posted by Dacsoft
Does anybody know how to modify this script so that it will log the actual email message. I realize that would make a large file, but would make it easy to track down specific spam.

The logging could be controlled by a flag so it only happens when you need it for tracinig an email source.

you could rotate logs
or use a "flag" like a rename program
where you can put the real sendmail or the one that log

Originally posted by Lem0nHead
you could rotate logs
or use a "flag" like a rename program
where you can put the real sendmail or the one that log I agree. I just don't know enough perl to do it. I am working on it now though. We shall see.

Originally posted by rnRobert
Same thing here on a test server.
After I did the instructions for cPanel (Running FreeBSD OS) sending mail with user nobody stopped working.

Anyone know whats wrong?
Same problem here. Anyone get it working?

Originally posted by v-rod
Same problem here. Anyone get it working?

I just found that it will fail on my servers if I change the permisisons to 750 or 700, but works fine with 777 as originally posted.

They can still relay /usr/sbin/sendmail.real then?

Thanks.

i can't use this script with new exim!!
it can send emails directly but it can't send emails that sends from PHP. sending emails would record some logs, but no emails send out.

thanks a lot.

I'm not so excited about this mod. It doesn't catch spammers in certain types of situations (which I prefer not to make public here, PM me if you have to know!) - and those situations are, I would think, pretty common if Mr/Mrs Spammer is smart.

Cheers, Brian

sorry brianoz...
i can't send PM or email to you from this forum.... can you contact me?
info (a-t) oxygenws.com

Hello
Thank you for guids
this code didn,t work for me too !
I have written a new code with php that work better.
you can see:

http:[//] forums.cpanel.net/showthread.php?p=162882#post162882

for more information.I will be pleased if you can help to solve my code's problems.

I implemented the following script without any problem with cpanel and every thing seems working fine including webmails.



#!/usr/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;

foreach (@ARGV) {
$arg="$arg" . " $_";
}

#$msg=\*STDIN;

open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {

print INFO "$date - $PWD $SCRIPT_NAME - @info\n";

}
my $mailprog = '/usr/sbin/sendmail.hidden';


open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);

I tried all the scripts, but only this one is working (I think this is yours noorolhoda):

#!/usr/bin/php -q
<?php
$get='';
$arg='';
error_reporting(0);

$fp = fopen("php://stdin", "r");
while(!feof($fp)) $get .= fgets($fp,1094);
fclose($fp);

for($i=0; $i<$argc; $i++) $arg .=' '.$argv[$i];

### AntiAbuse
$log=date('Y-m-d-H:i:s-').$_SERVER['SCRIPT_FILENAME']."\n";

### End
$fp=fopen('/var/log/logfile','a');
fwrite($fp,$log);
fclose($fp);
$fp = popen("/usr/sbin/sendmail $arg",'w');
fputs($fp,$get);
pclose($fp);
?>

All my mails are working, but when I checked on /var/log/logfile, it is still empty. As I understood, correct me if I'm wrong, all mails will be logged to /var/log/logfile with the data of $log.?

Thanks

Hello
Do you Chmode the log file to 777 ?

Hi,

Yes I chmod it to 777. I even confirmed it yesterday. But the file is empty. I already changed the settings on my php.ini to use phpsendmail. What seems to be the problem? Is there a way to know if really phpsendmail is being run first?

Thanks

Hi,

I checked the file again today, and it is not empty anymore. But the only content per line is date and time. What do you think is the problem?

Thanks
Charles

Originally posted by pwh
Hi,

I checked the file again today, and it is not empty anymore. But the only content per line is date and time. What do you think is the problem?

Thanks
Charles
Hi
Try below Code:

#!/usr/bin/php -q
<?php
$get='';
$arg='';
error_reporting(0);

$fp = fopen("php://stdin", "r");
while(!feof($fp)) $get .= fgets($fp,1094);
fclose($fp);

for($i=0; $i<$argc; $i++) $arg .=' '.$argv[$i];

### AntiAbuse
$chd=$GLOBALS['PWD'];
$log=date('Y-m-d-H:i:s-').$chd."\n";

### End
$fp=fopen('/var/log/logfile','a');
fwrite($fp,$log);
fclose($fp);
$fp = popen("/usr/sbin/sendmail $arg",'w');
fputs($fp,$get);
pclose($fp);
?>

Thanks. I just replaced the code. I'll just wait for a while to look on the logs.

Thanks again.

Originally posted by pwh
Hi,

I checked the file again today, and it is not empty anymore. But the only content per line is date and time. What do you think is the problem?

Thanks
Charles Better run a test email. Whenever I saw that type of entry in the log, it meant the entire email was empty.

Originally posted by noorolhoda
Hi
Try below Code:

#!/usr/bin/php -q
<?php
$get='';
$arg='';
error_reporting(0);

$fp = fopen("php://stdin", "r");
while(!feof($fp)) $get .= fgets($fp,1094);
fclose($fp);

for($i=0; $i<$argc; $i++) $arg .=' '.$argv[$i];

### AntiAbuse
$chd=$GLOBALS['PWD'];
$log=date('Y-m-d-H:i:s-').$chd."\n";

### End
$fp=fopen('/var/log/logfile','a');
fwrite($fp,$log);
fclose($fp);
$fp = popen("/usr/sbin/sendmail $arg",'w');
fputs($fp,$get);
pclose($fp);
?>

My mails are not working on this new code. :( So, I don't have a choice but to use the old sendmail again....

Hello
I think you shoud make your own code like me! ;)
If you play with this code and debug it, it will work for you.
some time a little changes are very usefull.
as you told this code log the time , so it means the code have worked.
so you need some little change on this code for your own server.

:)

This is great, just have to figure out a way to rotate the log file as it'll get way too big.

Originally posted by Hoobastank68
This is great, just have to figure out a way to rotate the log file as it'll get way too big.
Seems like there are multiple scripts offered. Which one did you use that is working great?

Originally posted by Dacsoft
Seems like there are multiple scripts offered. Which one did you use that is working great?

Trying out this one working good
http://www.webhostgear.com/232_print.html

Just need to rotate logs.

have a crontab that copy the log to log.ddmmyy and then cat's /dev/null into it to empty it either on daily or weekly basis or monthly

This works like a charm :) Thanks a bunch Matt & Bashar

Originally posted by Bashar
have a crontab that copy the log to log.ddmmyy and then cat's /dev/null into it to empty it either on daily or weekly basis or monthly
How do you get your crontab to automatically replace the ddmmyy in log.ddmmyy (to copy the log on a daily basis, for example)?

OK.
FOR NEWBEES, I CORRECTED THE SCRIPT AND CHANGED IT FOR CPANEL. THE SCRIPT ITSELF IS WORKING FINE,BUT THERE IS LOTS OF TYPOS.

This is what you need to do (Assuming that you are running cpanel and sendmail is located in /usr/sbin/sendmail ):

-------------
cd /usr/sbin
mv /usr/sbin/sendmail /usr/sbin/sendmail.real
pico /usr/bin/sendmail ( If you get error message , use 'nano' instead of pico )

<Now, copy/paste the script to the window>. Save and Exit.
ls sendmail* (it should return two files, sendmail and sendmail.real ) If not, you didnt' save the fiel in the previous step)

chmod +x /usr/sbin/sendmail
echo > /var/log/formmail.log
chmod 777 /var/log/formmail.log

<I would also recommend to restart exim: >
/scripts/restartsrv exim
============
Now, all the requests are logged to /var/log/formmail.log, so in order for you to see the content, you can use 'cat' or 'nano' or 'pico' or 'vi', or whatever you want. First see if the log file is created:

cd /var/log/
ls formmail* (you should see formmail.log here. If not, wait a bit and try again. If you still don't see, something is not correct)

cat formmail.log ( Here you'll see the content of formmail.log which should give you a clue on the directory the nobody email was executed from).

Once you find the directory of that email, you can look into the user list and scr#w that user

================
BACKOUT PROCEDURE

In case your script end up not to work, use the following procedure to backout


cd /usr/sbin
mv /usr/sbin/sendmail /usr/sbin/sendmail.bad
mv /usr/sendmail.real /usr/sendmail
/scripts/restartsrv exim

Now everything should have gone back to normal.

we are using this script on our hosting and i have caught three spamers so far :)
================


Someone posted some code similar to below, I made modifications or two after trying to detect PHP "nobody" users, after dumping a few printenv I found PHP exports PWD when calling an external program such sendmail. Basically the PWD will show the user directory that is coming from, which is enough to detect who is sending SPAM even as nobody! It's not 100% secure in that they could wipe /var/log/formmail but I don't imagine any spam will notice the logger, they presume any cPanel server (or other CP for that matter) is the same.

mv /usr/sbin/sendmail /usr/sbin/sendmail2
pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail
echo > /var/log/formmail
chmod 777 /var/log/formail


#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {

print INFO "$date - $PWD - @info\n";

}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);

Does anybody know how to modify this script so that it will log the actual email message. I realize that would make a large file, but would make it easy to track down specific spam.

The logging could be controlled by a flag so it only happens when you need it for tracinig an email source.

just add:
print INFO;
in
open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
print INFO;
}

it will save whole email with headers in log file

just add:
print INFO;
in
open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
print INFO;
}

it will save whole email with headers in log file
what a great addon! :gthumb:

Once you find the directory of that email, you can look into the user list and scr#w that userOnce you find the account the spammer is using, what action do you recommend? Usually they are using the account of an unsuspecting, legitimate client. So what do you do to stop the spam without hurting the client?

More important to me, what do you do to PREVENT the spammer from doing it again?

1. check who is sending it(client or not)
2. :uzi: disable spamming script
3. if client - terminate account, if client is exploited warn him

Hello John,

Well, that would depend. If you find a spammer and you know this is your real customer, you usually want to send them an email informing them that you have identified that they are spamming and that their account will be suspended if they continue... If it happens again, then suspend.

On the other hand, if you see your server is slowing down because of the spam, you want to suspend that account first, then try to contact the owner so other users won't be affected.

One note though. It's not always the user that is spamming. Sometimes a poor coding can allow others to abuse the page (e.g. poor php forms to send spam). However, keep in mind that users are responsible for their code not the hosting provider.

Thanks,
BillW


Once you find the account the spammer is using, what action do you recommend? Usually they are using the account of an unsuspecting, legitimate client. So what do you do to stop the spam without hurting the client?

More important to me, what do you do to PREVENT the spammer from doing it again?

Any one have found this script working with Plesk servers?

Just what I've been looking for, thanks!

(Working on a Plesk server to monitor Perl, mostly)

Have you got this working for Plesk server?

Hi,
Not works on Plesk Freebsd, even sendmail failed. Php can't send any email when i tried this, change the sendmail again to makes sendmail working.

OK. I got this working on Plesk RH

NightMan, any idea why it's not work only freebsd? I've a lot of localhost spam use php/apache to send huge spam...

I followed install instuctions, but i cant send emails using the script for sending emails. Logging is fine, but nobody emails never arrive.
Like other cpanel server I'm using exim as sendmail. I guess it cant be run from the console correct ?

NightMan, any idea why it's not work only freebsd? I've a lot of localhost spam use php/apache to send huge spam...

I guess you have to edit the script to adapt it on a FreeBSD. the path and other stuff may not be the same.

I'm not on freebsd, i'm using RH3 Enterprise.
All path's are correct.
If i call the script using console, it calls sendmail. Here's the output

Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,
not directly from a shell command line. Options and/or arguments control
what it does when called. For a list of options, see the Exim documentation.

How do I reverse this? It seems to be blocking legitimate emails

Ok this is not working right. I tried to undo this script by running the following

/scripts...

fixmailman
reseteximtodefaults
eximup --force
mailperm


I sent an email from one domain to another local on the server with read receipt / delivery receipt - about 10 times now. Nothing shows up in tail log nor any receipt sent back

Remove the script and run the /scripts/eximup --force

I'm sorry but how do I remove the script?

First - did you follow the instructions in the beginning of this thread where you moved the /usr/sbin/sendmail to /usr/sbin/sendmail.real? Is this a cpanel server?

If the answer is YES, then you should be able to do:
rm /usr/sbin/sendmail* and answer yes when asked to verify the delete.

Then run the /scripts/eximup --force and it will reinstall the original sendmail script.

Hi!

I have been trying to follow this thread and use the following version of the script on one of the servers.


#!/usr/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;

foreach (@ARGV) {
$arg="$arg" . " $_";
}

#$msg=\*STDIN;

open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {

print INFO "$date - $PWD $SCRIPT_NAME - @info\n";

}
my $mailprog = '/usr/sbin/sendmail.real';


open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
print INFO;
}
close (INFO);
close (MAIL);


/usr/sbin/sendmail has sgid set. The file is chowned as root.mailtrap, same as original sendmail file.

The formmail.log file is logging alright however the php scripts on the server aren't able to send any mails out.

Any help on this will be appreciated.

Maybe this might help someone.

http://choon.net/php-mail-header.php

Maybe this might help someone.

http://choon.net/php-mail-header.php

That looks nice. I still would like to get the script working (i.e. if someone got it working)

Did you try root.root? Here is the script I have working on my server. It is almost identical.

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {

print INFO "$date - $PWD - @info\n";

}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);

If PHPSUEXEC is enabled on the machine, is something like this needed still?

xxkylex, as far as I know, no, since the email headers will identify the person and you can increase the exim logging level to get everything else. (assuming a cpanel server, which may be an incorrect assumption).

Generally people persist with running PHP as nobody (ie non-phpsuexec) for a number of reasons:
they don't understand it
they need a huge amount of performance from the server (or think they do; phpsuexec only makes the server slower in very extreme cases)
they don't care
they think it will break user scripts (it won't, with a few strategic chowns beforehand)


On a shared server, in my opinion, no-one in their right mind would not run PHPSUEXEC. The only case where it's not that useful is in the case where the server is under a huge amount of CPU pressure. In that situation, phpsuexec breaks zend optimiziser which would make the system slower.

Did you try root.root? Here is the script I have working on my server. It is almost identical.

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {

print INFO "$date - $PWD - @info\n";

}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);


Nope this one doesn't work either. I see the message recorded inside formmail.log however the mail never comes up in the exim logs. :(

Nope this one doesn't work either. I see the message recorded inside formmail.log however the mail never comes up in the exim logs. :(
Anand.. did you try the root:root as owner?

I had a similar problem in the past. Can't remember for sure, but I thought it was related to line return in my copied scripts. You might want to check that just in case.

Anand.. did you try the root:root as owner?

I had a similar problem in the past. Can't remember for sure, but I thought it was related to line return in my copied scripts. You might want to check that just in case.

Yes i tried root.root

I already checked up the script line by line, however will do it again today.

Thanks.

Try using exim instead of sendmail. it worked for me.
change my $mailprog = '/usr/sbin/sendmail.real'; to my $mailprog = '/usr/sbin/exim';

Hope it helps

I have this script working now and it seems to be logging things fine. Unfortunately though it found something suspicious within the first few minutes...here is the log entry:

Thu Jul 20 11:05:01 CST 2006 - / - root $1$9iBa0dak$Jb15kYV5/xpRA3vJqBpWp0 0 0 root /root /bin/bash

What the heck is that? I've ran both Rootkit Hunter and Chkrootkit and neither found any problems with being rooted. Any suggestions?

Chad

Maybe this might help someone.


This helped me a lot. And the last update was only a month old. It has example and everything. Good one! THX!

Ya, as long as there is new version release from PHP, choon will patch it as fast as possible.

they think it will break user scripts (it won't, with a few strategic chowns beforehand)

It's always funny to see misinformation spread like this.
phpsuexec WILL break user scripts if

A> The user has php values in .htaccess (fixable, but it requires rewriting the website, designing a custom php.ini or something of the like, which few people will do).

B> The user uses SYMLINKS in their website. Symlinks are broken by phpsuexec (and, presumably suphp, though this has not been confirmed)


On a shared server, in my opinion, no-one in their right mind would not run PHPSUEXEC.

And that's YOUR mind and your opinion, which is wrong.
Security isn't about DISABLING applications or making more work for customers, it's about providing secured environments which your customers can operate in where they don't HAVE to rewrite code, or redesign a website.

There are plenty of better ways to secure php than using phpsuexec, less intrusive, less problematic and less pain.

Now, this doesn't answer the question here, of "how to find nobody spammers". Phpsuexec will do VERY little to do this. Instead, php mail patches will.
One already mentioned is choon's (http://choon.net/php-mail-header.php) mail patch.
Another website with two that I've found is here (http://www.lancs.ac.uk/~steveb/patches/php-mail-header-patch/).

The difference between the two? The second is recommended simply because it doesn't just IDENTIFY mail scripts which may be invalid, it STOPS implicit senders dead in the tracks. There are two patches to the second one and both work excellently on php4 and php5 (latest versions).

Hi guys!

This script is useful but I need to get the complete address of the directory.

For example, I get this:
Fri Aug 22 16:13:08 EDT 2008 - /var/www/vhosts/recyclagehockey.com/httpdocs/mambo - apache x 48 48 Apache /var/www /sbin/nologin

But I need to get which directory under .../httpdocs/mambo cause there is a lot.

Is there a way to modify it to include full path ?

Thanks
Maxime

Is there a way to modify it to include full path ?

Thanks
Maxime
Use the patches I listed in the last post, they will tell you specifically (in the headers) what script called things.

Use the patches I listed in the last post, they will tell you specifically (in the headers) what script called things.

Hi linux-tech,

Thanks for the link.

But it seems to me that I would have to download php5 sources cause when I try the following:

"patch -p1 < php5-mail-header.patch"

I get:

can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -u php-5.2.3.orig/ext/standard/mail.c php-5.2.3.mod2/ext/standard/mail.c
|--- php-5.2.3.orig/ext/standard/mail.c 2007-03-30 01:28:58.000000000 +0100
|+++ php-5.2.3/ext/standard/mail.c 2007-06-25 10:59:59.955165984 +0100
--------------------------
File to patch:


I use Fedora Core 4 and Plesk 8.
I don't want to scrap my php5 installation.

Could you help me?

Nice work and very useful. Thank you