Thread: Stop PHP nobody Spammers

  1. #1
    mega

    PHP and Apache have a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user, causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where.

    Watching your exim_mainlog doesn't exactly help: you see the email going out but you can't track which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

    If you check out your PHP.ini file you'll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built-in mail(); function for PHP - so everything will go through /usr/sbin/sendmail =)

    Requirements:
    We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we've only tested it on a Cpanel/WHM Red Hat Enterprise system.

    Time:
    10 Minutes, Root access required.

    Step 1)
    Login to your server and su - to root.

    Step 2)
    Turn off exim while we do this so it doesn't freak out.
    /etc/init.d/exim stop

    Step 3)
    Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
    mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

    Step 4)
    Create the spam monitoring script for the new sendmail.
    pico /usr/sbin/sendmail

    Paste in the following:


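    #!/usr/local/bin/perl

    # use strict;
    use Env;    # imports environment variables ($REMOTE_ADDR, $PWD, ...) as Perl scalars
    my $date = `date`;
    chomp $date;
    # Append one line per outgoing message to the log
    open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
    my $uid = $>;                 # effective UID of the caller
    my @info = getpwuid($uid);    # passwd entry for that UID
    if($REMOTE_ADDR) {
    # CGI variables are set: log the client address and the script
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
    }
    else {

    # Otherwise log the working directory and the account details
    print INFO "$date - $PWD - @info\n";

    }
    my $mailprog = '/usr/sbin/sendmail.hidden';

    # List-form pipe open: the original arguments are passed to the real
    # sendmail as-is, without being re-parsed by a shell
    open (MAIL, "|-", $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
    # Copy the message from STDIN to the real sendmail unchanged
    while (<STDIN> ) {
    print MAIL;
    }
    close (INFO);
    close (MAIL);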


    Step 5)
    Change the new sendmail permissions
    chmod +x /usr/sbin/sendmail

    Step 6)
    Create a new log file to keep a history of all mail going out of the server using web scripts
    touch /var/log/spam_log

    chmod 0777 /var/log/spam_log

    Step 7)
    Start Exim up again.
    /etc/init.d/exim start

    Step 8)
    Monitor your spam_log file for spam, try using any formmail or script that uses a mail function - a message board, a contact script.
    tail -f /var/log/spam_log

    Sample Log Output

    Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin

    Log Rotation Details
    Your spam_log file isn't set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your log rotation.

    pico /etc/logrotate.conf

    FIND:
    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
    }

    ADD BELOW:

    # SPAM LOG rotation
    /var/log/spam_log {
    monthly
    create 0777 root root
    rotate 1
    }



    Notes:
    You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten.

    Enjoy knowing you can see nobody is actually somebody =)
    Never argue with an idiot; First he takes you down to his level and then he beats you with experience.
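
One way to summarise the log this wrapper produces, as an added example that is not part of the original post: the function below counts entries per working directory (or per script, for lines written with the CGI variables set) so the busiest source stands out. The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: rank the sources recorded in /var/log/spam_log.
# The wrapper writes two line shapes:
#   <date> - <cwd> - <passwd fields of the calling uid>
#   <date> - <remote addr> ran <script> at <server name>

# spam_log_top [LOGFILE|-] [N]: print "count<TAB>kind<TAB>source", busiest first.
spam_log_top() {
    awk -F' - ' '
        NF < 2 { next }                        # not a wrapper line
        # Re-join everything after the date in case a path contains " - ".
        { body = $2; for (k = 3; k <= NF; k++) body = body " - " $k }
        body ~ /^[^ ]+ ran .* at [^ ]* *$/ {   # CGI shape
            sub(/^[^ ]+ ran /, "", body)       # drop "<remote addr> ran "
            i = match(body, / at [^ ]* *$/)    # last " at " before the server name
            server = substr(body, i + 4); sub(/ +$/, "", server)
            count["script\t" server substr(body, 1, i - 1)]++
            next
        }
        NF >= 3 {                              # cwd shape
            split($NF, pw, " ")                # pw[1] is the account name
            dir = substr(body, 1, length(body) - length($NF) - 3)
            count["cwd\t" pw[1] ":" dir]++
        }
        END { for (s in count) printf "%d\t%s\n", count[s], s }
    ' "${1:--}" | LC_ALL=C sort -k1,1nr -k2 | head -n "${2:-10}"
}

# Constructed sample lines (not taken from a real server).
spam_log_sample() {
    cat <<'EOF'
Mon Apr 11 07:12:21 EDT 2005 - /home/alice/public_html/forum - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:12:22 EDT 2005 - /home/bob/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:12:23 EDT 2005 - /home/bob/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:12:24 EDT 2005 - 203.0.113.7 ran /cgi-bin/formmail.pl at www.example.com
Mon Apr 11 07:12:25 EDT 2005 - /home/bob/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
EOF
}

# Demo on the constructed sample: the three busiest sources.
spam_log_sample | spam_log_top - 3
```

On the server, the same function can be pointed at the real file, for example `spam_log_top /var/log/spam_log 20`.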

  2. #2
    Eyes
    brilliant devil
