How to stop PHP nobody spammers?

PHP and Apache have a history of not being able to track which users send mail through the PHP mail function as the nobody user. Leaks in form mail scripts and malicious users can therefore spam from your server without you knowing who or where.

Here I am going to tell you some easy steps to trace a nobody spammer.

Step 1
Login to your server and su - to root.
Step 2
Turn off exim while we do this so it doesn't freak out.

/etc/init.d/exim stop

Step 3
Back up your original /usr/sbin/sendmail file. On systems using the Exim MTA, the sendmail file is basically just a pointer to Exim itself.

mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4
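Create the spam monitoring script for the new sendmail.

pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl
# Logging wrapper: record who called sendmail, then pass the message to the real binary.
use strict;
my $date = `date`;
chomp $date;
open (my $info, '>>', '/var/log/spam_log') || die "Failed to open file ::$!";
my $uid = $>;                 # effective UID of the calling process
my @info = getpwuid($uid);    # passwd entry for that UID
# Read CGI variables from %ENV so the script compiles under strict even when they are unset.
if ($ENV{REMOTE_ADDR}) {
    print $info "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME}\n";
}
else {
    print $info "$date - $ENV{PWD} - @info\n";
}
my $mailprog = '/usr/sbin/sendmail.hidden';
# List-form pipe open passes @ARGV without a shell, so arguments cannot inject commands.
open (my $mail, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
# Copy the message from standard input to the real sendmail.
while (<STDIN>) {
    print $mail $_;
}
close ($info);
close ($mail);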

Step 5
Change the new sendmail permissions

chmod +x /usr/sbin/sendmail

Step 6
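Create a new log file to keep a history of all mail going out of the server using web scripts. Mode 0777 lets every account that runs web scripts append to the log, and it equally lets any local user edit or truncate it.

touch /var/log/spam_log
chmod 0777 /var/log/spam_log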

Step 7
Start Exim up again.

/etc/init.d/exim start

Step 8
Monitor your spam_log file for spam. Try using any formmail or script that uses a mail function, such as a message board or a contact script.

tail -f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99Nobody / /sbin/nologin

Now you can see in the sample log above that "NOBODY IS SOMEBODY".
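
Once the log fills up, tallying entries per source shows which directory or script is sending the most mail. The following is an added example, not part of the original article: `top_senders` and `sample_log` are hypothetical names, and the log lines are constructed in the two formats the wrapper writes.

```shell
#!/bin/sh
# Added example: rank the senders recorded in /var/log/spam_log.
# The wrapper writes two line formats:
#   <date> - <REMOTE_ADDR> ran <SCRIPT_NAME> at <SERVER_NAME>
#   <date> - <PWD> - <passwd fields of the calling user>

# Constructed sample log (documentation IP range, made-up accounts).
sample_log() {
cat <<'EOF'
Mon Apr 11 07:12:21 EDT 2005 - /home/alice/public_html/forum - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:12:22 EDT 2005 - /home/alice/public_html/forum - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:12:23 EDT 2005 - /home/alice/public_html/forum - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:13:02 EDT 2005 - 192.0.2.10 ran /cgi-bin/formmail.pl at www.example.com
Mon Apr 11 07:13:05 EDT 2005 - 192.0.2.11 ran /cgi-bin/formmail.pl at www.example.com
Mon Apr 11 07:20:40 EDT 2005 - /home/bob/public_html - nobody x 99 99 Nobody / /sbin/nologin
EOF
}

# top_senders LOGFILE [MIN]: print "count<TAB>source" for every source with
# at least MIN entries (default 1), busiest first.
top_senders() {
    awk -F' - ' -v min="${2:-1}" '
        NF < 2 { next }                          # skip malformed lines
        NF == 2 && $2 ~ / ran .* at / {          # web request format
            split($2, a, / ran | at /)           # a[1]=client a[2]=script a[3]=vhost
            key = a[3] a[2]
        }
        NF >= 3 {                                # working-directory format
            split($3, u, " ")                    # u[1]=user name
            key = u[1] ":" $2
        }
        key != "" { count[key]++; key = "" }
        END { for (k in count) if (count[k] >= min) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Demo: show sources with two or more messages in the constructed log.
log=$(mktemp)
sample_log > "$log"
top_senders "$log" 2
rm -f "$log"
```

On a live server, run `top_senders /var/log/spam_log 50` to list only the sources with 50 or more entries.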

  1. Eicra.com