The Community Forums


Hunt Spammers - Find who sent spam by nobody ?!!!

Discussion in 'General Discussion' started by noorolhoda, Jan 9, 2005.

  1. noorolhoda

    noorolhoda Active Member

    Joined:
    Jul 19, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Hello all
    Some days ago I received a notice from my data center.
    Someone had been sending lots of spam from one of my servers and the victim reported this to my data center's abuse desk.
    All mail had been sent by the user "nobody" and I couldn't trace the user.
    I used some of the options in WHM but I couldn't find who was spamming!
    At last I found http://www.webhostingtalk.com/showthread.php?threadid=258294&highlight=security
    but this code didn't work for me! :confused:
    I was obliged to write my own code!!

    Code:
    #!/usr/bin/php
    <?php
    // Wrapper installed as /usr/sbin/sendmail: logs who is sending, then
    // passes the untouched message to the real binary (renamed sendmail.hidden).
    $get = '';
    $arg = '';
    $i = 1;
    $j = 1;
    error_reporting(0);

    // Read the whole message (headers + body) that PHP's mail() writes to stdin.
    $fp = fopen("php://stdin", "r");
    function read_line($fp)        // renamed: readline() is already a PHP built-in
        {
        $in = fgets($fp, 1094);
        return $in;
        }
    while (!feof($fp))
        {
        $in = read_line($fp);
        $get .= $in;
        }
    fclose($fp);

    // Collect the original options (e.g. -t -i) so they can be passed on unchanged.
    while ($i < $argc)
            {
            $arg .= ' ' . escapeshellarg($argv[$i]);
            $i++;
            }
    ### AntiAbuse
    $chd = getcwd();                    // working directory of the calling script
    $lines = explode("\n", $get);
    $messageid = date("ymdHis");
    $email = $lines[0];                 // first header line, normally "To: ..."
    $from = '';
    // Skip forward to the From: header (stop at the first empty line).
    while (isset($lines[$j]) && $lines[$j] !== '' && stripos($lines[$j], "from: ") === false)
            $j++;
    if (isset($lines[$j]) && stripos($lines[$j], "from: ") !== false)
            {
            if (preg_match('/<([^>]*)>/', $lines[$j], $m))
                    $from = $m[1];      // the address inside <...>
            else
                    $from = $lines[$j];
            }
    $date = date("Y-m-d");
    $time = date("H:i:s");
    $log = "$date - $time - $chd - $email - $from - $messageid \n";
    ### End
    $file = fopen("/home/user/public_html/logs/logs", "a");
    if ($file)
            {
            fwrite($file, $log);
            fclose($file);
            }
    $fd = popen("/usr/sbin/sendmail.hidden $arg", "w");
    if ($fd)
            {
            fputs($fd, $get);
            pclose($fd);
            }
    ?>
    
    
    After that I did the following:

    mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden
    pico /usr/sbin/sendmail
    copy & paste the code and save it
    chmod +x /usr/sbin/sendmail
    mkdir /home/user/public_html/logs
    touch /home/user/public_html/logs/logs
    chmod 777 /home/user/public_html/logs/logs

    After that I could find the spammer very easily; I found more than 1000 records like the ones below: :rolleyes:
    -------------------
    2005-01-09 - 13:36 - /home/[spammer]/public_html/a - To: dk713@gte.net - aw-confirm@ebay.com - 050109133611
    2005-01-09 - 13:36 - /home/[spammer]/public_html/a - To: dante_england@hotmail.com - aw-confirm@ebay.com - 050109133611
    2005-01-09 - 13:36 - /home/[spammer]/public_html/a - To: inma8@hotmail.com - aw-confirm@ebay.com - 050109133611
    ---------------------

    After I used this code the PHP mail() function worked, but all webmail [Neomail - Horde - SquirrelMail] didn't work after that.
    In case I or anyone else has the same problem again, I need someone to improve this code and solve this issue.

    thank you :eek:
     
    #1 noorolhoda, Jan 9, 2005
    Last edited: Jan 10, 2005
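Once the wrapper above is writing records, the remaining job is to read a few thousand of them and find the directory that produced the burst. The following is an added example, not part of noorolhoda's post or script: a Python script that parses the wrapper's log format (date - time - calling directory - first header line - From address - message id), counts messages per calling directory and per From address, and flags directories that sent several messages within a short window. The sample log lines are constructed (the page's own addresses are not used), the burst thresholds are assumptions, and malformed lines are skipped rather than aborting the run.

```python
#!/usr/bin/env python3
"""Summarise the sendmail-wrapper log: which calling directory sends the most mail,
and which directories send in bursts."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the wrapper's log format:
# date - time - calling directory - first header line - From address - message id
SAMPLE_LOG = """\
2005-01-09 - 13:36:11 - /home/spammer/public_html/a - To: dk713@example.net - aw-confirm@example.com - 050109133611
2005-01-09 - 13:36:11 - /home/spammer/public_html/a - To: dante@example.org - aw-confirm@example.com - 050109133611
2005-01-09 - 13:36:12 - /home/spammer/public_html/a - To: inma8@example.org - aw-confirm@example.com - 050109133612
2005-01-09 - 13:40 - /home/alice/public_html/contact - To: alice@example.net - webform@alice.example - 050109134002
this line is garbage and must be skipped
"""


def parse_line(line):
    """Split one log line into its fields; return None for a malformed line."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) != 6:
        return None
    date, clock, srcdir, to_header, sender, msgid = parts
    when = None
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M"):   # with or without seconds
        try:
            when = datetime.strptime(f"{date} {clock}", fmt)
            break
        except ValueError:
            continue
    if when is None:
        return None
    return {"when": when, "dir": srcdir, "to": to_header, "from": sender, "msgid": msgid}


def summarise(log_text, burst_window=60, burst_count=3):
    """Count messages per calling directory and per From address, and flag any
    directory that sent burst_count or more messages within burst_window seconds
    (both thresholds are assumptions; tune them to the server's normal traffic)."""
    per_dir = Counter()
    senders = defaultdict(Counter)
    times = defaultdict(list)
    skipped = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        per_dir[rec["dir"]] += 1
        senders[rec["dir"]][rec["from"]] += 1
        times[rec["dir"]].append(rec["when"])
    bursting = set()
    for srcdir, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - burst_count + 1):
            if (stamps[i + burst_count - 1] - stamps[i]).total_seconds() <= burst_window:
                bursting.add(srcdir)
                break
    return {"per_dir": per_dir, "senders": senders, "bursting": bursting, "skipped": skipped}


def report(log_text):
    """Human-readable summary, most active directory first."""
    s = summarise(log_text)
    out = []
    for srcdir, n in s["per_dir"].most_common():
        flag = " BURST" if srcdir in s["bursting"] else ""
        top_from = s["senders"][srcdir].most_common(1)[0][0]
        out.append(f"{n:6d}  {srcdir}  (From: {top_from}){flag}")
    out.append(f"{s['skipped']} malformed line(s) skipped")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Usage: python3 spamlog.py /home/user/public_html/logs/logs
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

The directory column is the useful one: a forged From address (the eBay-style one in the thread) tells you nothing about the culprit, but the working directory of the calling script points straight at the account and file to inspect.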
  2. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    I want to put this code into my server, but I will wait until you find what is the problem with cPanel Webmails :) Great job!
     
  3. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    syntax errors

    You have a syntax error just after the readline loop in the code you've posted here, don't know if that is a typo or not, but it would definitely break things. Also, you duplicate your fputs($fd ..) and pclose($fd) at the end of the script which can't help (another typo??).

    You don't check the return values from your system calls, which is a classic newbie mistake and not a mistake you can afford to make when dealing with email. Every single call that writes to a file or sends output must check error status and log any errors, otherwise you're high and dry when something goes wrong -- you simply just can't see what is failing unless you check error codes, it just fails invisibly and silently and you never know anything went wrong - exactly what is happening here.

    You want to check every open, read, write and close, in particular. See the PHP manual online or www.sitepoint.com for lots of examples.

    Cheers, brianoz
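To show what "check every open, read, write and close" looks like in practice, here is an added example of the same wrapper idea written in Python. It is not brianoz's code nor the thread's script: the paths REAL_SENDMAIL and LOG_PATH are assumptions, the From: extraction handles folded header lines and angle-bracket addresses, every file and process operation is checked, and the real binary's exit status is returned to the caller so a failure is visible rather than silent.

```python
#!/usr/bin/env python3
"""Sendmail wrapper: log who is calling, then hand the message to the real binary.
Every file and process operation is checked; failures are reported on stderr and
in the log instead of disappearing."""
import os
import re
import subprocess
import sys
import time

REAL_SENDMAIL = "/usr/sbin/sendmail.hidden"   # assumption: the renamed MTA binary
LOG_PATH = "/var/log/phpsendmail.log"         # assumption: wrapper's own log file

FROM_RE = re.compile(r"^from:\s*(.*)$", re.IGNORECASE)
ANGLE_RE = re.compile(r"<([^>]*)>")


def split_headers(message):
    """Return the header block of a message as a list of unfolded lines."""
    text = message.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()     # folded continuation line
        else:
            lines.append(line)
    return lines


def extract_from(message):
    """Address in the From: header, or '' if there is none."""
    for line in split_headers(message):
        m = FROM_RE.match(line)
        if m:
            value = m.group(1).strip()
            angle = ANGLE_RE.search(value)
            return angle.group(1).strip() if angle else value
    return ""


def first_header(message):
    """First header line, normally 'To: ...' for mail() output."""
    lines = split_headers(message)
    return lines[0] if lines else ""


def build_log_line(message, cwd, uid, args, now=None):
    """One log record: time, calling directory, uid, first header, From, arguments."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(now))
    return (f"{stamp} - {cwd} - uid={uid} - {first_header(message)} - "
            f"{extract_from(message)} - {' '.join(args)}\n")


def append_log(path, line):
    """Append one line; return True on success instead of failing silently."""
    try:
        with open(path, "a") as fh:
            fh.write(line)
        return True
    except OSError as exc:
        sys.stderr.write(f"phpsendmail: cannot write {path}: {exc}\n")
        return False


def main():
    message = sys.stdin.read()
    args = sys.argv[1:]
    line = build_log_line(message, os.getcwd(), os.getuid(), args)
    append_log(LOG_PATH, line)
    # Arguments go as a list, never through a shell, and the exit status is checked.
    try:
        proc = subprocess.run([REAL_SENDMAIL] + args, input=message.encode(), check=False)
    except OSError as exc:
        sys.stderr.write(f"phpsendmail: cannot run {REAL_SENDMAIL}: {exc}\n")
        return 75    # EX_TEMPFAIL: tells the caller delivery can be retried
    if proc.returncode != 0:
        append_log(LOG_PATH, f"ERROR exit {proc.returncode} for {line}")
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main())
```

Installed in place of the sendmail binary (as in the first post) it is called as `sendmail -t -i` with the message on stdin; the working directory and uid identify the calling script even when the From: header is forged, and because the wrapper returns the real binary's exit status, a caller that checks it sees exactly what the MTA reported.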
     
  4. binumvk

    binumvk Active Member

    Joined:
    Oct 13, 2004
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    HEY brianoz, if u know the errors, then post the modified script here, it will help a lot of people
     
    #4 binumvk, Jan 10, 2005
    Last edited: Jan 10, 2005
  5. noorolhoda

    noorolhoda Active Member

    Joined:
    Jul 19, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Hello brianoz
    If possible, please post the modified code.
    Also I removed the problem:
    when I copied & pasted it here, it caused the duplication.
    Thanks
     
    #5 noorolhoda, Jan 10, 2005
    Last edited: Jan 10, 2005
  6. binumvk

    binumvk Active Member

    Joined:
    Oct 13, 2004
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Is This One Only For Sendmail, Or Is It Possible To Use It With Exim?
     
  7. manghooli

    manghooli Well-Known Member

    Joined:
    Aug 22, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Thanks noorolhoda.
    This script has some errors; I'll fix and optimize it and paste it here.
     
  8. noorolhoda

    noorolhoda Active Member

    Joined:
    Jul 19, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    As I understand it, sendmail is part of Exim.
    When you send a mail from SMTP, Exim sends the email directly, and when you use the mail function in your scripts, the scripts use sendmail for sending the email.
    But most spammers use sendmail because sendmail doesn't need any authorization and they send emails as the "nobody" user!!
    But I'm not sure about what I said :p
     
    #8 noorolhoda, Jan 10, 2005
    Last edited: Jan 10, 2005
  9. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    We are all waiting for optimized and fixed version of this script :)
     
  10. manghooli

    manghooli Well-Known Member

    Joined:
    Aug 22, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    This is the first version :)
    I can't check it.
    As I said in the first lines:
    1- name this file something like "phpsendmail" and put it in the bin directory
    2- change php.ini to use this file as the mail sender (phpsendmail -t -i)

    PHP:
    #!/usr/bin/php -q
    <?php
    // Name this file something like "phpsendmail" and put it in the bin directory.
    // Change php.ini to use this file as the mail sender (sendmail_path = "phpsendmail -t -i").
    $get = '';
    $arg = '';
    error_reporting(0);

    // Read the whole message from stdin.
    $fp = fopen("php://stdin", "r");
    while (!feof($fp)) $get .= fgets($fp, 1094);
    fclose($fp);

    // Start at 1: $argv[0] is this script's own name and must not be passed on
    // to sendmail, which would treat it as a recipient.
    for ($i = 1; $i < $argc; $i++) $arg .= ' ' . escapeshellarg($argv[$i]);

    ### AntiAbuse
    // $_SERVER['SCRIPT_FILENAME'] here would only name this wrapper; the calling
    // script's working directory is what identifies the abuser.
    $file = getcwd();
    $messageid = date('ymdHis');
    $date = date('Y-m-d-H:i:s');
    $log = "$date-$file-$messageid \n";

    ### End
    $fp = fopen('/var/log/logfile', 'a');    //TODO: this file should be an XML file, we need ONLY one line for each user. we don't need ALL email information
    if ($fp) {
        fwrite($fp, $log);
        fclose($fp);
    }
    $fp = popen("/usr/sbin/sendmail $arg", 'w');
    if ($fp) {
        fputs($fp, $get);
        pclose($fp);
    }
    ?>
    I tried to make it smaller and faster; those regexps are useless.

    Take care: you have TWO PHP compilers on your Linux server with WHM, so you must change your users' php.ini :) You can find it somewhere like /usr/local/Zend/etc/php.ini OR /usr/local/etc/php.ini OR ...

    please check it and tell me the result.
     
    #10 manghooli, Jan 10, 2005
    Last edited: Jan 10, 2005
  11. manghooli

    manghooli Well-Known Member

    Joined:
    Aug 22, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    any idea, any suggestion, any tester ideas??
     
  12. juba

    juba Active Member

    Joined:
    Mar 4, 2004
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Any answers? Would be a useful tool :)
     
  13. binumvk

    binumvk Active Member

    Joined:
    Oct 13, 2004
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6

    HOW IS SENDMAIL PART OF EXIM? BOTH ARE DIFFERENT MAIL SERVER SOFTWARE !!!!
    :cool: :cool:
     
  14. alexisb

    alexisb Active Member

    Joined:
    May 25, 2003
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Not Working For Me

    Hello, I tried the last version of this script and it's not working for me, somebody is spamming from one of our domains and the emails are being sent from root@our-domain.com , I created the phpsendmail file, copy and pasted the code, modified php.ini and restarted Apache but when I do:

    cat /var/log/logfile

    I don't get anything, even when I used touch and chmod 777 to create the file.

    But I still see the spam being sent in my mail logs.

    Any help?

    Thanks.
     
  15. manghooli

    manghooli Well-Known Member

    Joined:
    Aug 22, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    PHP:
    #!/usr/bin/php -q
    <?php
    $get = '';
    $arg = '';
    error_reporting(0);

    // Read the whole message from stdin.
    $fp = fopen("php://stdin", "r");
    while (!feof($fp)) $get .= fgets($fp, 1094);
    fclose($fp);

    // Start at 1: $argv[0] is this script's own name and must not be passed to sendmail.
    for ($i = 1; $i < $argc; $i++) $arg .= ' ' . escapeshellarg($argv[$i]);

    ### AntiAbuse
    // $_SERVER['SCRIPT_FILENAME'] would only name this wrapper; the calling
    // script's working directory is what identifies the abuser.
    $log = date('Y-m-d-H:i:s-') . getcwd() . "\n";

    ### End
    $fp = fopen('/var/log/logfile', 'a');
    if ($fp) {
        fwrite($fp, $log);
        fclose($fp);
    }
    $fp = popen("/usr/sbin/sendmail $arg", 'w');
    if ($fp) {
        fputs($fp, $get);
        pclose($fp);
    }
    ?>
    This code has some changes.
    Please do these steps too:

    chmod +x /usr/sbin/phpsendmail
    touch /var/log/logfile
    chmod 777 /var/log/logfile

    Take care of your php.ini file:
    check disable_functions (especially the popen and pclose functions SHOULD NOT be there!!)
    check safe_mode
    check the sendmail parameters

    have fun ;)
     
  16. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Sendmail (the MTA - http://sendmail.org/ ) is not a part of Exim... though they both do essentially the same thing in different ways. Cpanel servers do not use Sendmail.

    /usr/sbin/sendmail is usually just a symbolic link to the mailserver binary, in this case exim. Sendmail does the same thing. It seems to be a roughly standard way of sending mail on the commandline from scripts, so you don't have to use smtp. But don't confuse it for Sendmail.

    If you need to track spammers sending mail through insecure scripts/ or spamming customers, then search for 'extended exim logging', and implement it, it's quite easy. It will give you a lot more log information, and will even show you the location of the script that sent the mail.
     
  17. noorolhoda

    noorolhoda Active Member

    Joined:
    Jul 19, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
  18. alexisb

    alexisb Active Member

    Joined:
    May 25, 2003
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Problem Solved

    Hi, I was able to find the problem of spam from our server by using the log created with the Perl script as showcased in WHT.

    It was from some PHP Nuke installations, versions 6.9 and 7.0, using WebMail module, which is known to have security problems and was discontinued.

    Then I contacted SpamCop to delist our IP but I think it wasn't needed because their system delisted us automatically after a number of hours.

    I also notified The Planet about our solution and everything is back in order with our services now.

    I posted my comments about The Planet in the other thread, I am very happy with their services.

    Regards.
     
  19. noorolhoda

    noorolhoda Active Member

    Joined:
    Jul 19, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Our service termination was not related to spamming.
    See below:
    ---------------------------------------------
    Ticket Number: 535823PLNT
    Ticket Type: Technical Support
    Status: CLOSED
    Opened By: Tech Support
    Summary: Phishing spam from 67.18.170.226
    Last Updated: 01/11/2005 01:01:56
    Details: We have received reports of phishing spam originating from this server. Please investigate, address the issue, and update this ticket with your action(s).

    Due to the nature of this issue, failure to resolve the issue and update this ticket within 48 hours may result in service interruption for the server.

    Please refer to the attached report for details.
    --------------------------------------
    (c19559noor-01/05/05-23:40):Hello
    sorry for this
    I'm going to investigate
    thanks
    --------------------------------------
    (c19559noor-01/05/05-23:54):I enabled suExec and disabled the nobody user.
    Also I activated this on WHM:
    ----------------------------
    Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
    ----------------------------
    I will be happy if you assist me on this issue and tell me if I should do anything else.
    thank you
    --------------------------------------
    (c19559noor-01/06/05-10:21):How can I trace this email and find the spammer user?

    (fcastle-01/06/05-12:01):
    Thankyou for your response to this issue.

    It seems this spam is originating from the Nobody user, which is the user Apache sends mail through. This indicates an insecure script (PHP, CGI or the like) that is causing this issue.

    Please have a look at http://www.webhostingtalk.com/showthread.php?threadid=258294&highlight=security for more information on finding the root of the issue.

    Further reports have been attached below for your review.
    --------------------------------------
    (c19559noor-01/09/05-09:11):I can find who sent the spam ;)
    for more information please see :
    http://forums.cpanel.net/showthread.php?t=34195

    thanks for your patience

    --------------------------------------
    (c19559noor-01/09/05-09:11):I could find who sent the spam ;)
    for more information please see :
    http://forums.cpanel.net/showthread.php?t=34195

    thanks for your patience

    Resolution:
    ------------------------------------------
    (fcastle-01/11/05-01:00):
    Thank you for your response on this issue. We have not received any further complaints while monitoring, so I'm going to close this ticket. Have a great week!

    Attached Files: report.txt 5.084 kB 2005-01-05 13:51
    report2.txt 7.916 kB 2005-01-06 12:02
     
  20. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    *sigh*
    Please keep your posts on this topic limited to your own threads... it's starting to get annoying seeing your TP/SM bashing posts all over the place.

    Anyways, while I think they probably should have told you the reason for your termination, it seems that their TOS doesn't require that and they may also be forced by outside influences (the government) to limit their discussion of the issue. But whatever it is, it's over and done with, so just get over it. Obviously TP/SM is not the provider for you... take your business to one of the numerous other providers around - if they'll have you. SM works well for me though. YMMV
     
