Web Hosting Talk
View Full Version : PHP spam trackdown


2Grumpy
08-08-2002, 04:24 AM
Got someone using a php script to send a flood of email to someone.

Here's all I can get from maillog:


Aug 8 00:58:57 www6 qmail: 1028786337.575722 info msg 1624261: bytes 3783 from <anonymous@www6.dixiesys.com> qp 30306 uid 48
Aug 8 01:00:49 www6 qmail: 1028786449.068190 starting delivery 30663: msg 1624261 to remote kctomahork@yahoo.com
Aug 8 01:13:49 www6 qmail: 1028787229.404824 starting delivery 34236: msg 1624261 to remote kctomahork@yahoo.com
Aug 8 01:40:36 www6 qmail: 1028788836.720326 starting delivery 36538: msg 1624261 to remote kctomahork@yahoo.com
Aug 8 02:21:03 www6 qmail: 1028791263.975010 starting delivery 38914: msg 1624261 to remote kctomahork@yahoo.com
Aug 8 02:21:04 www6 qmail: 1028791264.988152 end msg 1624261


UID 48 is apache, which means a PHP script since CGI runs as the user (Redhat 7.2 and Plesk 2.x).

A search for kctomahork in all of the access_logs was fruitless, doing a search of all files in /vhosts/blah/httpdocs right now to see if maybe the email is hardcoded into the PHP script.

ANY other ideas? I'd like to find this little bastard so I can nuke the account appropriately.

Techark
08-08-2002, 04:33 AM
Try these and see if it gets you anywhere.

grep -l "phrase to find" `find /home/*/logs -name access_log`



Or try to match the UID of the sender with someone in /etc/passwd:

awk -F: '$3 == <uid found in header>' /etc/passwd

to see if it matches a particular user.

Starhost
08-08-2002, 05:06 AM
He isn't flooding IMO; flooding is, for example, 100 mails at the same time to the same account. He sends his mails with at least a 15-20 minute pause, so that isn't flooding.


Or am I missing something?

2Grumpy
08-08-2002, 09:16 AM
I call over 2416 emails to the same account in the space of a few hours "flooding". Especially since the body is "hehehehehehehe", only about 100 times that long (single line), the subject is just a number and the From is a number@number.com.

No matter what it is it's grounds for termination.

jkca
08-08-2002, 09:37 AM
Sounds like you need to do a search in your customers' accounts: do a recursive grep for any script accessing your sendmail binary, something like grep -r sendmail /home/*. Also, if you catch him in the act you can do a ps ax and look for the process ID of the script, then go to the /proc directory and look at the environ file to see what directory the script is being called from.

2Grumpy
08-08-2002, 11:39 AM
Thanks, doing that now. The /proc info is something I wasn't familiar with, but now that I look, it could be handy for all sorts of things I see :)

jkca
08-08-2002, 11:53 AM
It's nice to write a program to monitor the process list for any programs using the sendmail binary and record the /proc environment variables; often the processes last only a few seconds, which is not long enough to get the PID number and explore the process's /proc directory.
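A monitor of the kind jkca describes in the last two posts, as an added example that is not code from the thread: it polls /proc and, for every new process whose program is a mail injector, records pid, parent pid, uid, command line, cwd and environment plus the parent's command line, so the record survives after the few-second-long process is gone. The program list, the log path and the polling interval are assumptions. One caveat before relying on it: under mod_php, mail() spawns sendmail_path from the httpd worker, so the child's cwd and environment are the web server's, not the script's; what the record still pins down is the exact second and the parent pid to line up against access_log. A suexec CGI script, by contrast, passes its CGI environment (SCRIPT_FILENAME, REMOTE_ADDR) through to the child.

```python
"""Snapshot short-lived mail-sender processes from /proc before they exit.

Polls /proc and, for every new process whose program is one of MAIL_PROGRAMS,
records pid, ppid, uid, cmdline, cwd and environment plus the parent's command
line, the items the thread says to look at by hand.
"""
import os
import time

# Assumption: a qmail or sendmail box; extend for other MTAs.
MAIL_PROGRAMS = {"sendmail", "qmail-inject", "qmail-queue"}


def read_proc(pid, name):
    """Raw bytes of /proc/<pid>/<name>, or b'' if the process is already gone."""
    try:
        with open(f"/proc/{pid}/{name}", "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def proc_cmdline(pid):
    """argv of the process as strings (empty for kernel threads, zombies, exited pids)."""
    return [a.decode(errors="replace") for a in read_proc(pid, "cmdline").split(b"\0") if a]


def proc_status(pid, key):
    """Value of one key (e.g. 'PPid', 'Uid') from /proc/<pid>/status."""
    for line in read_proc(pid, "status").decode(errors="replace").splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return ""


def proc_starttime(pid):
    """Start time (clock ticks since boot) from /proc/<pid>/stat; tells reused pids apart."""
    fields = read_proc(pid, "stat").rsplit(b")", 1)[-1].split()
    return int(fields[19]) if len(fields) > 19 else 0


def snapshot(pid):
    """Collect the /proc facts for one process; fields degrade to empty if it exits mid-read."""
    try:
        cwd = os.readlink(f"/proc/{pid}/cwd")
    except OSError:
        cwd = ""
    environ = {}
    for item in read_proc(pid, "environ").split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            environ[key.decode(errors="replace")] = value.decode(errors="replace")
    ppid = proc_status(pid, "PPid")
    uids = proc_status(pid, "Uid").split()  # real, effective, saved, fs
    return {
        "pid": pid,
        "ppid": int(ppid) if ppid else None,
        "uid": int(uids[0]) if uids else None,
        "cmdline": proc_cmdline(pid),
        "cwd": cwd,
        "environ": environ,
        "parent_cmdline": proc_cmdline(ppid) if ppid else [],
    }


def is_mail_sender(cmdline):
    return bool(cmdline) and os.path.basename(cmdline[0]) in MAIL_PROGRAMS


def scan_once(seen):
    """Snapshot every mail-sender process not seen before; `seen` holds (pid, starttime)."""
    records = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        key = (pid, proc_starttime(pid))
        if key in seen:
            continue
        cmdline = proc_cmdline(pid)
        if not cmdline:  # kernel thread, zombie, or already exited
            continue
        seen.add(key)
        if is_mail_sender(cmdline):
            records.append(snapshot(pid))
    return records


def format_record(r):
    """One log line per sender: when, who, from where, and what spawned it."""
    return (
        f"{time.strftime('%Y-%m-%d %H:%M:%S')} pid={r['pid']} ppid={r['ppid']} uid={r['uid']} "
        f"cwd={r['cwd']} parent={' '.join(r['parent_cmdline']) or '-'} "
        f"cmd={' '.join(r['cmdline'])} script={r['environ'].get('SCRIPT_FILENAME', '-')}"
    )


def monitor(interval=0.05, log_path="/var/log/mail-senders.log"):
    """Poll forever; a sender that lives shorter than `interval` can still be missed."""
    seen = set()
    while True:
        for record in scan_once(seen):
            with open(log_path, "a") as out:
                out.write(format_record(record) + "\n")
        time.sleep(interval)


if __name__ == "__main__":
    monitor()
```

Run it as root so /proc/<pid>/environ of the apache-owned children is readable; the (pid, starttime) key is what keeps a recycled pid from being silently skipped.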

2Grumpy
08-08-2002, 05:23 PM
The fact that this is a PHP script is killing my searches: apparently it's a POST, so the arguments (subject etc.) are NOT in the logs, and because it's PHP in Apache it's not shelling to a script but running straight through Apache.

I've done a search for any php file with sendmail or mail in it but god that's too many.

He just sent 11,000 emails to another account.

Annette
08-08-2002, 05:43 PM
Have a way to view bw usage per site? Any of them stick out like a sore thumb? How about watching the maillog and then comparing one of the runs with the last update of the logs for domains (i.e., pick out the most recently updated and see if the logs show any POSTing). That can be kind of tedious, but we've had to do it in the past to track down someone.

2Grumpy
08-08-2002, 05:55 PM
It uses no bandwidth to create the emails; once the email is created it belongs to apache.

So here's how I found him:

grep 08/Aug/2002 */logs/access_log | grep php > phptoday.txt

then "grep bomb phptoday.txt". Yes, they were silly enough to name it "bomber.htm" and "bomber.php".

Tarring up the site now and deleting it.
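The correlation Annette suggests a few posts up and the access_log grep 2Grumpy ended up using, carried through as an added example (not code from the thread): it parses qmail's "info msg" lines, which carry the injecting uid and a Unix timestamp, keeps the ones from the apache uid, and for each POST to a .php script in each vhost's access_log counts how many injections follow within an assumed maximum request lifetime. A contact form scores about one injection per POST; a script that loops over a recipient list scores hundreds from a handful of hits, which is why a dozen requests were enough to send thousands of messages here. The sample log lines, host names, IPs and the 30-minute window are constructed for the example.

```python
"""Rank PHP scripts by how many apache-uid mail injections follow each POST to them.

Joins qmail-send 'info msg' lines (which carry the injecting uid and a Unix
timestamp) with Apache combined-format access logs, one list of lines per vhost.
"""
import bisect
import re
from datetime import datetime

APACHE_UID = 48             # uid 48 is 'apache' on the Red Hat box in the thread
MAX_REQUEST_SECONDS = 1800  # assumption: one bombing POST keeps injecting for up to 30 min

QMAIL_INFO_RE = re.compile(
    r"qmail: (?P<epoch>\d+)\.\d+ info msg (?P<msg>\d+): bytes \d+ "
    r"from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)"
)
# Apache 'combined' LogFormat; only the fields used below are captured.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) "
)


def mail_injections(maillog_lines, uid=APACHE_UID):
    """Sorted epoch seconds of every message the given uid injected into the queue."""
    times = []
    for line in maillog_lines:
        m = QMAIL_INFO_RE.search(line)
        if m and int(m.group("uid")) == uid:
            times.append(int(m.group("epoch")))
    return sorted(times)


def php_posts(access_lines):
    """(epoch, path without query string, client ip) for each POST to a .php script."""
    posts = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(".php"):
            continue
        # %t in access_log is the request start time; the script may run on for minutes.
        started = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        posts.append((int(started), path, m.group("ip")))
    return posts


def rank_suspects(maillog_lines, access_logs, window=MAX_REQUEST_SECONDS):
    """access_logs maps vhost -> access_log lines.

    Returns [(vhost, path, injections, posts, ips)] sorted by injections per POST,
    highest first. POSTs that overlap in time share credit for the same injections,
    so the ratio, not the raw count, is what separates a contact form from a bomber.
    """
    injections = mail_injections(maillog_lines)
    scores = {}
    for vhost, lines in access_logs.items():
        for started, path, ip in php_posts(lines):
            lo = bisect.bisect_left(injections, started)
            hi = bisect.bisect_right(injections, started + window)
            s = scores.setdefault((vhost, path), {"inj": 0, "posts": 0, "ips": set()})
            s["inj"] += hi - lo
            s["posts"] += 1
            s["ips"].add(ip)
    ranked = [(v, p, s["inj"], s["posts"], sorted(s["ips"])) for (v, p), s in scores.items()]
    ranked.sort(key=lambda r: (r[2] / r[3], r[2]), reverse=True)
    return ranked


# Constructed sample data, not from the thread. Epoch 1028786337 is 01:58:57 -0400.
SAMPLE_MAILLOG = [
    "Aug 8 01:20:13 www6 qmail: 1028784013.111111 info msg 1624200: bytes 640 from <anonymous@www6.example.com> qp 30200 uid 48",
    "Aug 8 01:58:57 www6 qmail: 1028786337.575722 info msg 1624261: bytes 3783 from <anonymous@www6.example.com> qp 30306 uid 48",
    "Aug 8 01:58:58 www6 qmail: 1028786338.101010 info msg 1624262: bytes 3783 from <anonymous@www6.example.com> qp 30307 uid 48",
    "Aug 8 01:58:59 www6 qmail: 1028786339.202020 info msg 1624263: bytes 3783 from <anonymous@www6.example.com> qp 30308 uid 48",
    "Aug 8 01:58:59 www6 qmail: 1028786339.500000 starting delivery 30663: msg 1624261 to remote victim@example.net",
    "Aug 8 01:59:00 www6 qmail: 1028786340.303030 info msg 1624264: bytes 3783 from <anonymous@www6.example.com> qp 30309 uid 48",
    "Aug 8 02:30:00 www6 qmail: 1028788200.404040 info msg 1624265: bytes 512 from <bob@shop.example> qp 30310 uid 10001",
]
SAMPLE_ACCESS = {
    "shop.example": [
        '203.0.113.7 - - [08/Aug/2002:01:20:12 -0400] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
        '203.0.113.9 - - [08/Aug/2002:01:58:50 -0400] "GET /index.php?page=2 HTTP/1.1" 200 9001 "-" "Mozilla/4.0"',
    ],
    "kiddie.example": [
        '198.51.100.23 - - [08/Aug/2002:01:58:40 -0400] "GET /bomber.htm HTTP/1.0" 200 1340 "-" "Mozilla/4.0"',
        '198.51.100.23 - - [08/Aug/2002:01:58:52 -0400] "POST /bomber.php HTTP/1.0" 200 77 "-" "Mozilla/4.0"',
    ],
}

if __name__ == "__main__":
    for vhost, path, inj, posts, ips in rank_suspects(SAMPLE_MAILLOG, SAMPLE_ACCESS):
        print(f"{inj / posts:6.1f} injections/POST  {vhost}{path}  hits={posts} from {', '.join(ips)}")
```

On a real box, feed it the "info msg" lines from the whole maillog and a dict built from each vhost's access_log; the uid filter is what keeps suexec CGI mail (running as the customer's uid) out of the apache tally, and the qmail epoch timestamp sidesteps the missing year in the syslog prefix.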

the elf
08-08-2002, 06:04 PM
You know what's funny, I was looking for a solution to the PHP/SPAM nobody apache user problem (or a way to track it) today, just in case. You never know.

Anyway, this won't help you since you use qmail (but it may help others that use sendmail). If you modify the sendmail_path value from "/usr/sbin/sendmail -t -i" to "/usr/sbin/sendmail -t -i -L DOMAIN" for each virtual host, it'll replace the sendmail part in the maillog with the actual domain, so it's an easy pick for the admin when dealing with SPAM.

Example:

Aug 8 14:21:25 www6 blahblah.com[26089]:

rather than

Aug 8 14:21:25 www6 sendmail[26089]:

Here is a sample Apache config:

<VirtualHost blahblah.com>
DocumentRoot /customers/blahblah.com
ServerName blahblah.com
ScriptAlias /cgi-bin/ /customers/blahblah.com/cgi-bin/
php_admin_flag safe_mode on
php_admin_value open_basedir /customers/blahblah.com/
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -L blahblah.com"
</VirtualHost>

Back that up with suexec (for CGI), and you can track almost every piece of mail going out.

HTH

2Grumpy
08-08-2002, 06:11 PM
Supposedly qmail's sendmail thingie takes all arguments, might try it :)

Annette
08-08-2002, 06:46 PM
Oh, I understand that once the mail is created, it belongs to another system user. But looking for odd POSTs can be helpful if there's only a handful of domain logs consistently getting larger at the same time the mail is streaming out. On exim systems, that's been a real saver, as we've tracked down over a dozen lusers that way, on our systems and others.

But glad you found him. I was going to recommend looking for anything called mailer, mail, flood, etc. These guys aren't really that bright. Lucky us. :D

2Grumpy
08-08-2002, 06:52 PM
Yeah, too bad he wasn't dumb enough to use GET rather than POST; woulda found him last night before the other 12K messages were sent.

He only had to access the URL about a dozen times, total. So on a full server of some sites doing a gig o' traffic a day, it took a LONG time to parse the logs. Wish I'da remembered I'm dealing with script kiddies, not a worthy adversary here.

Annette
08-08-2002, 06:57 PM
I think I'd rather deal with punks like that, really. You get to crush them like the ants they are! BWA-HA-HA-HA-HA

Ahem. Pardon me. :D

alchiba
08-08-2002, 07:21 PM
Hell hath no fury like a host scorned. :angry:

Nice detective work.

2Grumpy
08-08-2002, 07:23 PM
The funniest one is when a kid used a bug in newspro and we were on the phone with his MOTHER within 15 minutes.

Alan - Vox
08-08-2002, 07:38 PM
httpd fullstatus | grep POST

that can reveal the scripts some times :)

Annette
08-08-2002, 10:30 PM
Originally posted by Dixiesys
The funniest one is when a kid used a bug in newspro and we were on the phone with his MOTHER within 15 minutes.

His MOM? Geez, talk about playing hardball.

:laugh:

2Grumpy
08-08-2002, 10:36 PM
He's lucky it was the web designer who called and not me. I was gonna tell her how an invoice for $300 was coming to her for our time and if she chose not to pay it we'd just file it in small claims after contacting the authorities about her son's activities possibly landing him in a detention school. Yeah I know, loada bull but she'da probably bought enough of it to at least give the little punk a good talkin to.

HeReDaGo
08-30-2002, 07:50 PM
nice stories guys :stickout