December 18, 2009

Track nobody mails

How do I track down which script (or which user) is abusing a mail script to send spam from the server as "nobody"?

First, move the real sendmail binary (or the symlink to it) aside so that a logging wrapper can take its place. Do this once only: repeating the mv after the wrapper is installed would overwrite sendmail.real with the wrapper and lose the real binary.

mv /usr/sbin/sendmail /usr/sbin/sendmail.real


Then create a new /usr/sbin/sendmail file with your favorite editor containing the following:


#!/usr/local/bin/perl
# Logging wrapper: records who called sendmail, then hands the message to the real binary.
use strict;
use warnings;
use Cwd qw(getcwd);
# Import the CGI environment variables Apache sets for CGI/suexec scripts.
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME);

my $date = localtime();
# PHP changes to the script's directory before running it, so the working
# directory points at the sending script. Use getcwd() rather than $ENV{PWD},
# which is inherited from whoever started Apache and may be stale.
my $cwd  = getcwd();
my $uid  = $>;
my @info = getpwuid($uid);

open(my $log, '>>', '/var/log/formmail.log') or die "Failed to open log file: $!";
if ($REMOTE_ADDR) {
    # CGI script: Apache passes the client and script details in the environment
    print $log "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
    # PHP mail(), cron or shell: no CGI variables, so log the directory and user
    print $log "$date - $cwd - @info\n";
}
close($log);

# Pass the original arguments through to the real sendmail. The list form of
# open() execs the program directly, so the arguments never reach a shell.
my $mailprog = '/usr/sbin/sendmail.real';
open(my $mail, '|-', $mailprog, @ARGV) or die "cannot open $mailprog: $!\n";
# Copy the message from our stdin to the real sendmail
while (<STDIN>) {
    print $mail $_;
}
# Report the real sendmail's exit status to the caller
close($mail) or exit(($? >> 8) || 1);




Then run these commands:

chmod +x /usr/sbin/sendmail
touch /var/log/formmail.log
chmod 666 /var/log/formmail.log

Every message that passes through the wrapper is now logged. For a PHP mail() call the log shows the directory the script ran from (PHP changes into the script's directory before running it) and the calling user; for a CGI script it shows the client IP, script name and virtual host. The log file is world-writable, so anyone with a local account or a web shell can append to it or truncate it: leave the wrapper in place only while you are actively watching the log. Once a directory shows up repeatedly, look there for scripts that call mail() or open a pipe to sendmail. When you are done, save the wrapper under another name and put the original binary back:
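Once the log has a few hundred lines it is quicker to summarise it than to read it. The script below is an added example and not part of the original post: it counts log lines per working directory (PHP, cron and shell callers) and per client IP and script (CGI callers), busiest first, using the two line formats the wrapper writes. The sample log it builds is constructed for a stand-alone run; the paths, IP and host in it are made up.

```sh
#!/bin/sh
# Added example, not from the original post: summarise /var/log/formmail.log
# to find which directory or client is generating the mail.
# Assumes the two line formats written by the wrapper:
#   <date> - <REMOTE_ADDR> ran <SCRIPT_NAME> at <SERVER_NAME>
#   <date> - <working directory> - <passwd entry of the calling user>
set -e

# Print "count key" lines, busiest first. The key is the working directory
# for non-CGI lines and "ip script" for CGI lines.
summarize_formmail_log() {
    awk -F' - ' '
        NF >= 2 {
            if (index($2, " ran ") > 0) {
                split($2, f, " ")        # f[1] = client IP, f[3] = script name
                key = f[1] " " f[3]
            } else {
                key = $2                 # working directory of the caller
            }
            n[key]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' "$1" | sort -rn
}

# The single busiest source, as "count key".
top_offender() {
    summarize_formmail_log "$1" | head -n 1
}

# Constructed sample log (not real data) so the script runs stand-alone.
make_sample_log() {
    cat > "$1" <<'EOF'
Fri Dec 18 09:55:01 PST 2009 - /home/acme/public_html - nobody x 99 99 nobody / /sbin/nologin
Fri Dec 18 09:55:02 PST 2009 - /home/acme/public_html/wp-content/uploads - nobody x 99 99 nobody / /sbin/nologin
Fri Dec 18 09:55:02 PST 2009 - /home/acme/public_html/wp-content/uploads - nobody x 99 99 nobody / /sbin/nologin
Fri Dec 18 09:55:03 PST 2009 - 203.0.113.7 ran /cgi-bin/formmail.pl at www.example.com
Fri Dec 18 09:55:04 PST 2009 - /home/acme/public_html/wp-content/uploads - nobody x 99 99 nobody / /sbin/nologin
Fri Dec 18 09:56:10 PST 2009 - /root - root x 0 0 root /root /bin/bash
EOF
}

# Usage: ./summarize.sh /var/log/formmail.log
# With no argument, build the sample log in a temporary file and summarise it.
if [ -n "${1:-}" ]; then
    summarize_formmail_log "$1"
fi
```

A writable upload directory at the top of the list is the usual answer; from there, grep that directory for mail( or for sendmail to find the script itself. Lines from root or from a real shell user rather than nobody point at a compromised account or a cron job instead of a web script.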

mv /usr/sbin/sendmail /usr/sbin/sendmail.spam.check
mv /usr/sbin/sendmail.real /usr/sbin/sendmail
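The mv/chmod sequence above is easy to get wrong under pressure: running the first mv twice replaces sendmail.real with the wrapper, and the world-writable log is easy to forget about afterwards. The script below is an added example, not part of the original post, that performs the install and the restore with those checks. It assumes a hypothetical SENDMAIL_DIR (default /usr/sbin) holding the real sendmail and that the Perl wrapper has already been saved to a file whose path is passed to install_wrapper.

```sh
#!/bin/sh
# Added example (not from the original post): install and later remove the
# logging sendmail wrapper with the checks the bare mv/chmod sequence lacks.
# Assumptions (hypothetical, for illustration): SENDMAIL_DIR holds the real
# sendmail, and the Perl wrapper has already been saved to a file.
set -e

SENDMAIL_DIR="${SENDMAIL_DIR:-/usr/sbin}"
LOG_FILE="${LOG_FILE:-/var/log/formmail.log}"

install_wrapper() {
    wrapper="$1"
    target="$SENDMAIL_DIR/sendmail"
    real="$SENDMAIL_DIR/sendmail.real"
    # A second "mv sendmail sendmail.real" would overwrite the saved real
    # binary with the wrapper, so refuse if the backup already exists.
    if [ -e "$real" ]; then
        echo "refusing: $real already exists, is the wrapper already installed?" >&2
        return 1
    fi
    if [ ! -f "$wrapper" ]; then
        echo "wrapper script $wrapper not found" >&2
        return 1
    fi
    mv "$target" "$real"
    cp "$wrapper" "$target"
    chmod 755 "$target"      # world-executable, but writable only by its owner
    touch "$LOG_FILE"
    chmod 666 "$LOG_FILE"    # the web server user must be able to append to it
}

restore_sendmail() {
    target="$SENDMAIL_DIR/sendmail"
    real="$SENDMAIL_DIR/sendmail.real"
    if [ ! -e "$real" ]; then
        echo "nothing to restore: $real does not exist" >&2
        return 1
    fi
    mv "$target" "$SENDMAIL_DIR/sendmail.spam.check"   # keep the wrapper for next time
    mv "$real" "$target"
    if [ -f "$LOG_FILE" ]; then
        chmod 644 "$LOG_FILE"   # close the world-writable log once the hunt is over
    fi
}

# Usage: ./wrap-sendmail.sh install /root/sendmail-wrapper.pl
#        ./wrap-sendmail.sh restore
case "${1:-}" in
    install) install_wrapper "$2" ;;
    restore) restore_sendmail ;;
esac
```

Run it as root. If your MTA ships /usr/sbin/sendmail as a symlink (Postfix and Exim do), mv moves the symlink and the wrapper still calls sendmail.real through it, which is what the original procedure relies on as well.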
-----------------------------------------------
Help from theplanet

Please note that a majority of phishing spam is attributable to the 'nobody' user - this is the user that Apache sends mail from. More information on identifying the scripts responsible can be found at:

http://support.theplanet.com/knowledgebase/users/kb.php?id=10224&category_id=10&sid2=
and
http://www.webhostgear.com/118_print.html
