JohnB@
HOW-TO: finding "Nobody" spammer
==============================
Below is a small script that can be installed in one minute (!) and that I found on the WebHostingTalk forums:
http://www.webhostingtalk.com/showthread.php?threadid=258294
I corrected several small typos and am re-posting it here. It works on both cPanel and Plesk servers.
At the end of this posting I have some questions one of you might be able to answer.
The script will create a log file to see all activity coming from 'sendmail'. sendmail is being used by PHP spammer scripts. For example, I had spammers on our servers uploading their spammer scripts + database into the /tmp and /dev/shm directories, and this script showed me this ... or showed me the domain of the spammer if he had it in his own domain. The script exchanges sendmail with the script below, so the spammer (and any other form on your server using sendmail) is calling this script instead, which is then logging the user info into a log file before calling the now renamed sendmail. We can now consult that log file for suspicious activity -- namely tons of mails sent by "Nobody".
After installation check /var/log/formmail.log to find spammer activity.
Installation:
mv /usr/sbin/sendmail /usr/sbin/sendmail.act
(==>NOTE: Watch out .. if you, by mistake, repeat this install you will overwrite your real sendmail file ... better you make yet another copy with "cp" under another name.)
pico /usr/sbin/sendmail (paste the below code into it)
chmod +x /usr/sbin/sendmail
echo > /var/log/formmail.log
chmod 777 /var/log/formmail.log
------------------------------------------------------------------------
#!/usr/bin/perl
# Logging wrapper for sendmail: records who invoked it, then hands the
# message off to the real binary, which the install step renamed to sendmail.act.
use strict;
use warnings;

my $logfile  = '/var/log/formmail.log';
my $mailprog = '/usr/sbin/sendmail.act';

my $date = `date`;
chomp $date;

open(my $info, '>>', $logfile) or die "Failed to open $logfile: $!";

# passwd entry of the effective UID that ran us ("nobody" or "apache" for web scripts)
my @pw = getpwuid($>);

if ($ENV{REMOTE_ADDR}) {
    # CGI context: the web server exported the client address and script name
    print $info "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME}\n";
}
else {
    # Shell, cron or PHP mail() context: log the working directory and the account
    my $cwd = defined $ENV{PWD} ? $ENV{PWD} : '?';
    print $info "$date - $cwd - @pw\n";
}
close($info);

# List-form open runs sendmail.act directly instead of through a shell, so the
# arguments are passed on unchanged (the original joined them into one string,
# which the shell would then re-parse).
open(my $mail, '|-', $mailprog, @ARGV) or die "cannot open $mailprog: $!\n";
print $mail $_ while <STDIN>;
close($mail) or warn "$mailprog exited with status ", $? >> 8, "\n";
exit($? >> 8);
------------------------------------------------------------------------
Now my questions:
(1) If some spammer has uploaded spam scripts into
/tmp, /var/tmp, or /dev/shm
how do I find this guy ... say I see the names of these scripts (before I delete them) ... what other logs can I consult to hopefully find the guy who uploaded them, and what to look for?
(2) What happens if the formmail logfile at /var/log/formmail.log grows real big? I see that other log files at /var/log/ get auto-deleted (after there are 4 of them) and then a new one is auto-created. Is Linux doing this with all files in this folder, or do I need to run some sort of script to do this? (delete and recreate empty file)
Thanks!
John
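The wrapper above writes two kinds of log line (a CGI caller, and a shell/PHP caller with its working directory and passwd entry). The following is an added example, not part of the original post, that parses those lines and flags what the post is hunting for: sends whose working directory is /tmp, /var/tmp or /dev/shm, and bursts of sends as "nobody". The sample log lines and the threshold of 3 are constructed for the demonstration.

```python
import re
from collections import Counter

# The two line shapes the wrapper writes: a web (CGI) caller and a shell/PHP caller.
WEB_RE = re.compile(r'^(?P<date>.+?) - (?P<addr>\S+) ran (?P<script>\S+) at (?P<host>\S+)\s*$')
SHELL_RE = re.compile(r'^(?P<date>.+?) - (?P<cwd>\S+) - (?P<user>\S+)\b.*$')
# Scratch directories where the post saw uploaded spam kits (trailing slash avoids /tmpfoo).
SCRATCH_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')

def parse_line(line):
    """Return a dict for one formmail.log entry, or None if the line does not match."""
    m = WEB_RE.match(line)
    if m:
        return {'kind': 'web', 'caller': f"{m['script']}@{m['host']}", 'cwd': None}
    m = SHELL_RE.match(line)
    if m:
        return {'kind': 'shell', 'caller': f"{m['user']}:{m['cwd']}", 'cwd': m['cwd']}
    return None

def suspicious_callers(lines, user='nobody', threshold=3):
    """Count sends per caller; flag callers working out of a scratch directory
    and any `user` (default: nobody) caller with at least `threshold` sends."""
    counts, flagged = Counter(), {}
    for line in lines:
        entry = parse_line(line.rstrip('\n'))
        if entry is None:          # tolerate unrelated or truncated lines
            continue
        counts[entry['caller']] += 1
        if entry['cwd'] is not None and (entry['cwd'] + '/').startswith(SCRATCH_DIRS):
            flagged[entry['caller']] = 'runs from a scratch directory'
    for caller, n in counts.items():
        if caller.startswith(user + ':') and n >= threshold:
            flagged.setdefault(caller, f'{n} sends as {user}')
    return counts, flagged

# Constructed sample log lines in the wrapper's own format (not real data).
SAMPLE_LOG = [
    "Thu Feb 12 14:03:21 EST 2004 - 192.0.2.10 ran /cgi-bin/contact.cgi at www.example.com ",
    "Thu Feb 12 14:03:22 EST 2004 - /tmp/.x - nobody x 99 99   Nobody / /sbin/nologin",
    "Thu Feb 12 14:03:22 EST 2004 - /tmp/.x - nobody x 99 99   Nobody / /sbin/nologin",
    "Thu Feb 12 14:03:23 EST 2004 - /tmp/.x - nobody x 99 99   Nobody / /sbin/nologin",
    "Thu Feb 12 14:05:00 EST 2004 - /home/alice/public_html - alice x 500 500   Alice /home/alice /bin/bash",
    "garbage line that does not match",
]
```

Run `suspicious_callers(open('/var/log/formmail.log'))` against the real file to get the per-caller counts and the flagged callers with the reason for each.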