Re: How to determine which PHP-script allows spamming?

I'm a bit new to this game, but I think this might be useful:

Are you sure that the spam is being sent through your mailserver? (Couldn't the spam script just directly connect to the recipent's mail server?)

And if you think the spam is going through your server:

PHP's documentation on "mail()" states that it executes the sendmail cmd from the shell to send mail. If you are executing php scripts as a CGI [on linux], then you could write a tiny wrapper to replace the sendmail executable with a script that does a little logging before calling the real one. Use something like the "getppid" function to get the parent process ID {parent == the php-cgi executable} and then you can log the contents of various things in "/proc/{$PID}/" to a file:

Here is a short example that writes a few juicy tidbits to a file in /tmp:

$fd = fopen("/tmp/mail.txt","a");
$parent_pid = posix_getppid();
$parent_exe = readlink( "/proc/${parent_pid}/exe" );
$parent_cmd = join("\t",explode(chr(0),file_get_contents("/proc/${parent_pid}/cmdline")));
$parent_dir = readlink( "/proc/${parent_pid}/cwd" );

fwrite($fd, "Parent executable file is [${parent_exe}]\n");
fwrite($fd, "Parent cmdline was [${parent_cmd}]\n");
fwrite($fd, "Parent work dir was [${parent_dir}]\n\n");

Something like this with a bit of extra logging for the current command-line arguments (e.g. the ones intended for sendmail), might help you find which script is sending which emails)


On Fri, 24 Feb 2006, Rainer Duffner wrote:


I have a big problem. Some customer probably got installed a PHP-script that allows to send-out mails with no trace to the original domain it belongs to (we had this before, were pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful.
I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.

What options do I have?
Can Snort detect this?

(The webserver uses qmail as MTA)


Relevant Pages

  • Re: ANTISPAM: How Execute a command when an email arrives?
    ... I need help from experts in sendmail. ... fight againts SPAM: ... Reject the email (after execute script ... reject) the IP and protect the server instantaneously of later spam ...
  • Re: only use Sendmail with formmail
    ... I reconfigured my script which im ... But as soon as i turned sendmail back on it started sending out spam ... I figured out it was coming from some queue. ...
  • Re: John Resig Video
    ... that it should only be used on script resources where it ... That fulfills the "doesn't matter when it executes" statement. ... And in environments were defer is not implemented that same script is going to processed inline and so be executed before the DOM is complete, which could still happen even if defer is implemented as "can continue ...
  • Re: Form Security
    ... After all this, if no error message has been generated, the form contents are emailed to me. ... I'm no Linux guru, so I don't know what someone could do to cause problems with this script, other than spam me. ... What he's proposing is false security - which is worse than no security ...
  • Spam stopper. (Was Re: "ABC Consumer Reports" doesnt recommend Linux)
    ... I just had a look at your spam stopping script, which is a little bit like ... Please don't send me html mail or un-notified attachments. ...