Sponsored Links

MattF · #1 04-09-2004, 06:55 AM

Someone posted some code similar to below, I made modifications or two after trying to detect PHP "nobody" users, after dumping a few printenv I found PHP exports PWD when calling an external program such sendmail. Basically the PWD will show the user directory that is coming from, which is enough to detect who is sending SPAM even as nobody! It's not 100% secure in that they could wipe /var/log/formmail but I don't imagine any spam will notice the logger, they presume any cPanel server (or other CP for that matter) is the same.

mv /usr/sbin/sendmail /usr/sbin/sendmail2
pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail
echo > /var/log/formmail
chmod 777 /var/log/formail

Code:

#!/usr/local/bin/perl

# use strict;
 use Env;
 my $date = `date`;
 chomp $date;
 open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
 my $uid = $>;
 my @info = getpwuid($uid);
 if($REMOTE_ADDR) {
         print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
 }
 else {

        print INFO "$date - $PWD -  @info\n";

 }
 my $mailprog = '/usr/sbin/sendmail.real';
 foreach  (@ARGV) {
         $arg="$arg" . " $_";
 }

 open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
 while (<STDIN> ) {
         print MAIL;
 }
 close (INFO);
 close (MAIL);

null · #2 04-09-2004, 10:39 AM

Great How-to Matt!

hostbox · #3 04-09-2004, 04:22 PM

Cpanel uses Exim not Sendmail would still work?

MattF · #4 04-12-2004, 10:01 AM

Yes, this is intended for cPanel, one quick correction:

mv /usr/sbin/sendmail /usr/sbin/sendmail2

Should be:

mv /usr/sbin/sendmail /usr/sbin/sendmail.real

I'd also just like to reiterate I'm not the author of the script, I merely tweaked it so I could catch PHP nobody senders.

jasonl813 · #5 04-20-2004, 07:51 PM

Quote:

Originally posted by MattF
pico /usr/bin/sendmail (paste the below code into it)
chmod +x /usr/bin/sendmail
chmod 777 /var/log/formail

Needs to be:

pico /usr/sbin/sendmail (paste the below code into it)
chmod +x /usr/sbin/sendmail
chmod 777 /var/log/formmail

jasonl813 · #6 04-20-2004, 07:54 PM

Should it also be formmail.log instead of just formmail? Nothing is being posted in the formmail file.

jasonl813 · #7 04-20-2004, 08:00 PM

Quote:

Originally posted by MattF
echo > /var/log/formmail
chmod 777 /var/log/formail

I was able to get it to work by changing it to

echo > /var/log/formmail.log
chmod 777 /var/log/formmail.log

Pretty nifty!

AlexV · #8 06-08-2004, 12:37 AM

Just what I've been looking for, thanks!

(Working on a Plesk server to monitor Perl, mostly)

PhilG · #9 06-19-2004, 01:09 AM

Nice howto.

eth00 · #10 06-19-2004, 01:52 AM

Good idea! thanks

PhilG · #11 06-19-2004, 03:16 AM

Come to think of it. Will this script break MailScanner or CGI files that use sendmail?

kris1351 · #12 06-19-2004, 08:17 AM

I am having an issue with putting this in. We have used MailMon for ages, but it adds load.

R=sa_localuser T=local_sa_delivery: Child process of local_sa_delivery transport returned 127 (could mean unable to exec or command does not exist) from command: /usr/sbin/sendmail

Zenutech · #13 07-03-2004, 10:49 PM

Why chmod 777? Couldn't you chmod 700 for better security?

dqh · #14 07-07-2004, 12:47 PM

and exim mail server?

naguib2000 · #15 07-13-2004, 08:48 AM

looks like its is usefull , may i ask what is <STDIN> ???

Sponsored Links

Advertise Here