  1. #1

    find formmail spammer

    Hi,

    I have a Red Hat server and someone is spamming it using formmail. I am about to get rid of the formmail script and use a secure script, but in the meantime I wanted to know if there is a way I can find out which particular formmail is being spammed. All of the users' access_logs are within their directories, and I was thinking there might be a grep command I can run to search my /home directory for a phrase from the email body that is being sent out. I have this because SpamCop sent it to me.

    Would this put too much of a load on my server? What is the best way to find out which script is being spammed?

    Any help would be appreciated. Thanks in advance.

  2. #2
    Join Date
    Sep 2000
    Posts
    368
    we had this issue

    try to get a recipient of the spam to send you an email they received, open the headers and look

    also log in via ssh and type locate formmail

    it will show all your users with that script

    contact them and tell em to change the name of the script, set the referers, or get rid of it..

    lastly visit spamcop.net and see if you're listed

  3. #3

    Thanks

    I looked at the header and since it was sent as Apache, I could not tell where it was coming from. Yes, I plan to get rid of the script altogether, but I want to know if there is some command I can use to find which formmail is actually being spammed.

    I have the body of the email, so I have a phrase I can search for.

    Maybe some type of grep command?

  4. #4
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    11,868
    maybe you can do an egrep on the sendmail logs or your mail server's log, searching for one of the spammed email addresses.

  5. #5
    Join Date
    Nov 2000
    Location
    Moran, Ks
    Posts
    186
    You could do something like this:

    grep -l "phrase to find" `find /home/*/logs -name access_log`

    you would obviously want to change the parameters to fit your situation.
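    A practical caveat to the grep-the-phrase approach: Apache's access_log records the request line, not the POST body, so a phrase from the spam message will never appear there. What does appear is every POST to the abused script, and counting those per account points at the copy being exploited. The script below is an added example, not code from this thread or from any poster; it assumes the /home/<account>/logs/access_log layout described above, and it builds constructed sample logs in a scratch directory (override LOGROOT to point it at a real tree).

```shell
#!/bin/sh
# Added example, not code from the thread. Ranks the per-account access_logs
# by the number of POST requests to a formmail-style script, so the copy that
# is being abused stands out. Assumes the layout the thread describes,
# /home/<account>/logs/access_log; LOGROOT defaults to a scratch directory
# holding constructed sample logs.

LOGROOT="${LOGROOT:-$(mktemp -d)}"

# Constructed sample data: two accounts; bob's FormMail.pl is being hammered.
make_sample_logs() {
    mkdir -p "$LOGROOT/alice/logs" "$LOGROOT/bob/logs"
    cat > "$LOGROOT/alice/logs/access_log" <<'EOF'
192.0.2.10 - - [12/Mar/2002:10:00:01 -0500] "GET /index.html HTTP/1.0" 200 512
192.0.2.10 - - [12/Mar/2002:10:00:05 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 210
EOF
    cat > "$LOGROOT/bob/logs/access_log" <<'EOF'
198.51.100.7 - - [12/Mar/2002:11:00:01 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 210
198.51.100.8 - - [12/Mar/2002:11:00:02 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 210
198.51.100.9 - - [12/Mar/2002:11:00:03 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 210
198.51.100.9 - - [12/Mar/2002:11:00:04 -0500] "GET /about.html HTTP/1.0" 200 1024
EOF
}

# Print one "count account" line per access_log, busiest account first.
# grep -c prints 0 and exits 1 when nothing matches, so "|| true" keeps a
# caller running under "set -e" from aborting on a clean log.
formmail_post_counts() {
    for log in "$LOGROOT"/*/logs/access_log; do
        [ -f "$log" ] || continue
        account=$(basename "$(dirname "$(dirname "$log")")")
        n=$(grep -ic '"POST [^"]*formmail' "$log" || true)
        echo "$n $account"
    done | sort -rn
}

# Name of the account whose formmail receives the most POSTs.
top_formmail_account() {
    formmail_post_counts | head -n 1 | cut -d' ' -f2
}

make_sample_logs
formmail_post_counts
echo "most likely abused account: $(top_formmail_account)"
```

    Reading the whole log once per account with grep -c is cheap compared with the per-file loop the spam itself causes; on a busy server, run it against the current day's log rather than rotated archives. Once an account is identified, the remote addresses on those POST lines are what you would pass along in an abuse report.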

  6. #6
    Join Date
    Dec 2001
    Location
    Franklin, TN, USA
    Posts
    1,322
    Try to see what the UID of the sender was and match it with someone in /etc/passwd

    do cat /etc/passwd | grep <all UIDs found in header> to see if it matches with a particular user.

  7. #7

    please help

    Hi,

    When I tried to do a grep, it gave me this output:
    [[email protected] /root]# grep "Pattern" /home/*/log -name access_log > results
    grep: invalid max count

    Also where is the UID in the header, I saw:
    XUID: 7552

    but that number was not in my /etc/passwd file.

    Please help?

  8. #8
    Join Date
    Nov 2000
    Location
    Moran, Ks
    Posts
    186

    Re: please help

    Originally posted by omnistar
    Hi,

    When I tried to do a grep, it gave me this output:
    [[email protected] /root]# grep "Pattern" /home/*/log -name access_log > results
    grep: invalid max count

    Also where is the UID in the header, I saw:
    XUID: 7552

    but that number was not in my /etc/passwd file.

    Please help?
    Was that bold line the actual one you used? It doesn't look anything like the one I suggested.

  9. #9

    thanks

    Hi,

    Thanks for your reply. I had tried your suggestion and I got the same error.

    what about the uid number? where is that at in the header?

    Thanks

  10. #10
    Join Date
    May 2001
    Posts
    59
    Paste this into a text file that you call locatefm.pl and run it
    by typing 'perl locatefm.pl'. This script will locate all files called
    FormMail.* (and formmail.*), then it makes sure that it's from
    Matt's Script Archive and displays a list.

    I have a script that changes permissions to 000 automatically if
    anyone is interested. This script can for instance run daily from
    cron.

    #!/usr/bin/perl
    # Lists every file whose name matches *orm*ail.* (FormMail.pl, formmail.cgi, ...)
    # and reports the ones that carry Matt Wright's name, i.e. copies of
    # Matt's Script Archive FormMail.

    use strict;
    use warnings;

    # locate(1) reads the updatedb index, so a copy uploaded since the last
    # updatedb run will not be found. The pattern is quoted so the shell does
    # not expand it against the current directory first.
    my @output = qx(locate '*orm*ail.*');

    foreach my $file (@output) {
        my $ok = 0;
        chomp $file;
        next unless -f $file;   # skip directories and anything that is not a plain file
        open(my $fh, '<', $file) or do { warn "cannot open $file: $!\n"; next };
        while (my $line = <$fh>) {
            if ($line =~ /matt wright/i) {
                $ok = 1;
                last;
            }
        }
        close $fh;
        if ($ok) {
            print "From Matt's: $file\n";
        }
    }
    erik

  11. #11

    Re: thanks

    Originally posted by omnistar
    Hi,

    Thanks for your reply. I had tried your suggestion and I got the same error.

    what about the uid number? where is that at in the header?

    Thanks
    Did you place backticks around the `find ...` command? Try to copy/paste to make sure.

  12. #12
    Join Date
    Sep 2001
    Location
    Netherlands
    Posts
    326
    Originally posted by erik

    I have a script that changes permissions to 000 automatically if
    anyone is interested. This script can for instance run daily from
    cron.
    This would be very interesting if you're able to specify to only disable scripts from version 1.6 for example. These are extremely vulnerable to spam.
    Can you do this?

  13. #13
    Join Date
    May 2001
    Posts
    59
    I'm sure it can be done just by modifying this script a little bit,
    but I don't have the 1.6 version available so I'm not sure what
    to search for.

    Just modify line 8 and the script will use whatever you replace
    "matt wright" with to determine whether to disable the formmail
    script or not.

    However, I disable later versions also because of several security
    flaws in these too. I ask all users to convert to NMS instead (just like Matt Wright does ;-))

    my @output = qx(locate '*orm*ail.*');   # every path whose name matches *orm*ail.*

    foreach my $file (@output) {
        my $ok = 0;
        chomp $file;
        open(my $fh, '<', $file) or do { warn "cannot open $file: $!\n"; next };
        while (my $line = <$fh>) {
            if ($line =~ /matt wright/i) {   # line 8: the marker that decides which copies get disabled
                $ok = 1;
                last;
            }
        }
        close $fh;
        if ($ok) {
            system("chmod", "000", $file);   # strip all permissions so Apache can no longer run it
            print "Disabled: $file\n";
        }
    }
    erik

  14. #14
    Join Date
    Oct 2001
    Location
    san diego
    Posts
    256
    try this:
    grep recipient /var/log/maillog
    this should give you what you are looking for.

  15. #15
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    If you're using suexec, you can just look in your suexec log for a whole bunch of instances of formmail being executed. That'll tell you which account.

    I posted a one line command to find copies of formmail and remove them if they weren't the latest version in this post:

    http://www.webhostingtalk.com/showth...threadid=40126

    It could be modified, since there is a newer version of formmail out.
    -Mark Adams

  16. #16
    This will locate any vulnerable formmail scripts within /home and print to screen.
    find /home \( -iname '*mail.cgi' -o -iname '*mail.pl' \) -type f -print0 | xargs -0 grep -i 'Version 1.[0-8]'
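    The one-liner above, the locate-based Perl scripts earlier in the thread, and the request to disable only particular versions all come down to the same inventory task: find every formmail-like file, read its version, and decide. The script below is an added example, not code from this thread or from any poster. It assumes, as the find | xargs command does, that the script header carries a "Version X.Y" line; real FormMail releases may word it differently, so a file reported as "none" is one to inspect by hand rather than ignore. ROOT defaults to a scratch directory filled with constructed sample files, and MIN_VERSION is the oldest version you are willing to leave in place.

```shell
#!/bin/sh
# Added example, not code from the thread. Inventories every *mail.pl /
# *mail.cgi file under ROOT with the "Version X.Y" string from its header
# and lists the copies older than MIN_VERSION. Assumes that header format;
# "none" means no such line was found and the file needs a manual look.
# ROOT defaults to a scratch directory filled with constructed sample files.

ROOT="${ROOT:-$(mktemp -d)}"
MIN_VERSION="${MIN_VERSION:-1.9}"

# Constructed sample tree: an old copy, a current copy, and an unrelated mailer.
make_sample_scripts() {
    mkdir -p "$ROOT/alice/cgi-bin" "$ROOT/bob/cgi-bin" "$ROOT/carol/cgi-bin"
    printf '#!/usr/bin/perl\n# FormMail  Version 1.6\n# Copyright Matt Wright\n' > "$ROOT/alice/cgi-bin/formmail.pl"
    printf '#!/usr/bin/perl\n# FormMail  Version 1.92\n# Copyright Matt Wright\n' > "$ROOT/bob/cgi-bin/FormMail.cgi"
    printf '#!/usr/bin/perl\n# home-grown mailer with no version header\n' > "$ROOT/carol/cgi-bin/sendmail.pl"
}

# Print "path version" for each candidate file, "none" when no header matched.
# -exec ... + hands the paths to a child shell, so names with spaces survive.
formmail_versions() {
    find "$ROOT" \( -iname '*mail.cgi' -o -iname '*mail.pl' \) -type f -exec sh -c '
        for f; do
            v=$(grep -io "version [0-9][0-9.]*" "$f" | head -n 1 | cut -d" " -f2)
            echo "$f ${v:-none}"
        done' sh {} + | sort
}

# True (exit 0) when dotted version $1 sorts strictly before $2, comparing
# each dot-separated field numerically (so 1.9 < 1.92, unlike a string compare).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n | head -n 1)" = "$1" ]
}

# Paths whose version is known and below MIN_VERSION.
outdated_formmail() {
    formmail_versions | while read -r path v; do
        if [ "$v" != "none" ] && version_lt "$v" "$MIN_VERSION"; then
            echo "$path"
        fi
    done
}

make_sample_scripts
formmail_versions
echo "--- older than $MIN_VERSION:"
outdated_formmail
```

    The version comparison is the part the bare grep gets wrong: 'Version 1.[0-8]' matches 1.80 through 1.89 as well as 1.8, and a string comparison would rank 1.9 above 1.92. Feeding outdated_formmail's output to chmod 000, as the Perl script earlier in the thread does, turns this into the per-version disabling that was asked for.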
