
tracing what script is calling home

Discussion in 'General Discussion' started by InternetPEI, Apr 1, 2006.

  1. InternetPEI

    InternetPEI Well-Known Member

    Joined:
    May 26, 2003
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    User nobody sends out about 100+ emails to one certain address every so often. I am curious what script is doing this; it's sending the messages about 1 every second, usually around 2am or so.

    Any way to trace what script the client is using that is doing this? (And to prevent it from sending so many?)

    Thanks
     
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Enabling phpsuexec makes php scripts run as the account user instead of the nobody user.

    Mail then sent by php scripts will be sent from user@hostname instead of nobody@hostname. This in itself will give you a good idea as to which account is responsible for sending the messages.

    You can then also check /usr/local/apache/logs/suexec_log - this will list all php requests (if phpsuexec is enabled), showing you the time, user and script. Running the command tail /usr/local/apache/logs/suexec_log will give you something like:

    Code:
    [2006-04-02 09:32:29]: info: (target/actual) uid: (user1/user1) gid: (user1/user1) cmd: viewtopic.php
    [2006-04-02 09:34:21]: info: (target/actual) uid: (user2/user2) gid: (user2/user2) cmd: index.php
    [2006-04-02 09:34:56]: info: (target/actual) uid: (user1/user1) gid: (user1/user1) cmd: index.php
    If this always seems to happen at the same time of day, you might want to check /var/spool/cron and see if any user has a cron job set for around the time the mail is sent.
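    An added example, not from the thread, that reads suexec_log lines in the format shown above and counts which user and script ran inside a chosen time window, so a burst of requests around 2am stands out. The log lines are constructed and the 01:30 to 02:30 window is an assumption.

```python
"""Count (user, script) pairs in cPanel suexec_log lines within a time window."""
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample lines in the suexec_log format quoted in the post above.
SAMPLE_LOG = """\
[2006-04-02 02:00:01]: info: (target/actual) uid: (user1/user1) gid: (user1/user1) cmd: viewtopic.php
[2006-04-02 02:00:02]: info: (target/actual) uid: (user2/user2) gid: (user2/user2) cmd: mailer.php
[2006-04-02 02:00:03]: info: (target/actual) uid: (user2/user2) gid: (user2/user2) cmd: mailer.php
[2006-04-02 02:00:04]: info: (target/actual) uid: (user2/user2) gid: (user2/user2) cmd: mailer.php
[2006-04-02 09:32:29]: info: (target/actual) uid: (user1/user1) gid: (user1/user1) cmd: index.php
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]: info: "
    r"\(target/actual\) uid: \((?P<target>[^/]+)/(?P<actual>[^)]+)\) "
    r"gid: \([^)]+\) cmd: (?P<cmd>\S+)$"
)


def parse_suexec(text):
    """Yield (timestamp, target_uid, actual_uid, cmd) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines rather than fail
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["target"], m["actual"], m["cmd"])


def top_scripts(text, start=time(1, 30), end=time(2, 30)):
    """Count (user, script) pairs whose time of day falls in [start, end]."""
    counts = Counter()
    for ts, target, _actual, cmd in parse_suexec(text):
        if start <= ts.time() <= end:
            counts[(target, cmd)] += 1
    return counts


def uid_mismatches(text):
    """Lines where target and actual uid differ; suexec should reject these."""
    return [(ts, t, a, c) for ts, t, a, c in parse_suexec(text) if t != a]


if __name__ == "__main__":
    for (user, cmd), n in top_scripts(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {user}  {cmd}")
```

    Point it at the real file with `top_scripts(open("/usr/local/apache/logs/suexec_log").read())` and widen the window as needed.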
     
  3. InternetPEI

    InternetPEI Well-Known Member

    Joined:
    May 26, 2003
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the info :)

    I am hoping to trace it without enabling phpsuexec.

    I will check crons though.
     
  4. neonix

    neonix Well-Known Member

    Joined:
    Oct 21, 2004
    Messages:
    124
    Likes Received:
    2
    Trophy Points:
    0
    You can try this:

    1. Change nobody@ origin of messages sent by php scripts?

    In the top box of the Advanced Exim Configuration Editor, add these lines:

    untrusted_set_sender = *
    local_from_check = false
    local_sender_retain = true

    Then in the box underneath "REWRITE CONFIGURATION", add this line:

    nobody@lsearch;/etc/localdomains "${if !eq {$header_From:}{}{$header_sender:$header_From:}fail}" Fs

    (There is a thread in the forum about this - please read it.)

    2. Use the grep command grep " " /var/log/exim_mainlog

    3. While you are at it, I recommend this: http://www.configserver.com/free/eximdeny.html

    4. You can also try this (http://www.webhostgear.com/232.html)
     
  5. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    I have seen a thread on the forums that discusses how to set the php sender as user@hostname instead of nobody@hostname, but I'm not sure where it is! It does exist and if you're especially patient I'm sure you'll find it. The fact that the word 'nobody' is not included in searches at the moment won't help though!

    Is there any reason why you don't want to enable phpsuexec?
     
  6. InternetPEI

    InternetPEI Well-Known Member

    Joined:
    May 26, 2003
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the info :)

    I have some scripts that I use myself that I was told wouldn't work with phpsuexec enabled?
     
  7. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    I have a temporary tweak for this... and we have found the bad guy sending mails with nobody on almost all the servers. Here is what you need to do:

    Go to WHM >> TWEAK SETTINGS and set "The maximum each domain can send out per hour (0 is unlimited):" to something like 80 or 100, in the mail section.

    Then run tail -f /var/log/exim_log | grep perl and that will show an error for a domain that has sent 100 mails in less than 1 hour and is still sending.
    As you say he is sending mails every 1-2 secs, you will catch him in about 3 mins or so.

    This really works for me.
     