
tracking user nobody emails HOW???

Discussion in 'E-mail Discussions' started by Snowman30, Mar 2, 2004.

  1. Snowman30

    i have one server with a lot of emails going out from user "nobody" according to my relayers list and am thinking there could be an insecure script somewhere.

    Any way of easily tracking what script these mail messages are coming out from?
     
  2. @home

    compile Apache with phpsuexec

    You already have suexec installed (default with cPanel)
    Suexec is for tracking CGI scripts
    Phpsuexec is for tracking PHP scripts.

    Martin
     
  3. Snowman30

    yeah, had planned to introduce phpsuexec...

    just this particular server has a lot of php scripts running on it and i'm sure a lot of them are not compliant with phpsuexec..

    any other way of doing it?
     
  4. rusko

    phpsuexec has problems, not the least of them compatibility with some apps and performance.

    i have a patch against php 4.3.6 that appends an X-AntiAbusePHP header to each message sent using the php mail() function and lists the path to the script that called mail().

    i won't post it here, search for it on the php-internals mailing list archive. with any luck, it will be accepted into php itself, although that seems unlikely given the egos of php maintainers and their unwillingness to listen to the largest portion of their userbase - hosting companies.

    paul
     
  5. rusko

    there are a few problems with this. first off, you need to touch /var/log/sendmail; chmod a+w /var/log/sendmail, otherwise the script will not be able to write to it.

    second off, we are *not* talking cgi scripts, we are talking sendmail invoked from mod_php. as such, it does not get the same environment as cgi scripts do (ie SCRIPT_NAME et al). the only thing that is passed down is $PWD, which is the current working directory. this is, obviously, user-supplied. for example, consider this php script:

    PHP:
    <?php

    // mod_php hands sendmail only $PWD, and the script itself controls it.
    chdir("/tmp");
    mail("moo@moo.com", "moo", "Line 1\nLine 2\nLine 3");

    ?>
    try it and you will see that the only bit of useful information, which used to be the current working directory, is now showing up as /tmp in the log file.

    trust me, i've looked into this before i went patching php and trying to get the php developers to accept the patch.

    by the way, the patch is as follows:
    ---
    Code:
    diff -ru php-4.3.6/ext/standard/mail.c php-4.3.6.abuse1/ext/standard/mail.c
    --- php-4.3.6/ext/standard/mail.c       2004-01-08 20:35:58.000000000 -0500
    +++ php-4.3.6.abuse1/ext/standard/mail.c        2004-05-30
    08:27:55.000000000 -0400
    @@ -87,6 +87,8 @@
            int to_len, message_len, headers_len;
            int subject_len, extra_cmd_len, i;
            char *to_r, *subject_r;
    +       char *exec_file=NULL;
    +       int abuseh_len=0, got_headers=0;
    
            if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
                    php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE
    Restriction in effect.  The fifth parameter is disabled in SAFE MODE.");
    @@ -103,6 +105,18 @@
                    return;
            }
    
    +       got_headers = headers ? 1 : 0;
    +       exec_file= zend_get_executed_filename(TSRMLS_C);
    +       /* add 2 [strlen("\r\n")] _if_ we are appending to preexisting
    headers */
    +       abuseh_len = (got_headers*2) + strlen(ABUSE_HEADER_TAG) +
    strlen(ABUSE_HEADER_SRC) + strlen(exec_file);
    +       headers = got_headers ? erealloc(headers, headers_len + abuseh_len +
    1) : emalloc(abuseh_len + 1);
    +       if(got_headers) strcat(headers, "\r\n");
    +       strcat(headers, ABUSE_HEADER_TAG);
    +       strcat(headers, ABUSE_HEADER_SRC);
    +       strcat(headers, exec_file);
    +       headers_len += abuseh_len;
    +
    +
            if (to_len > 0) {
                    to_r = estrndup(to, to_len);
                    for (; to_len; to_len--) {
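    Review bot: in the branch taken when no headers were passed, "emalloc(abuseh_len + 1)" returns uninitialised memory and the next statement is "strcat(headers, ABUSE_HEADER_TAG)", which appends at whatever NUL byte it happens to find, so the write can land outside the new buffer. Start that branch with headers[0] = '\0' (or copy the first piece with strcpy instead of strcat). The same branch also reaches "headers_len += abuseh_len" with a headers_len that the declaration in the first hunk leaves without an initial value, so set headers_len to 0 there before adding.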
    diff -ru php-4.3.6/ext/standard/php_mail.h
    php-4.3.6.abuse1/ext/standard/php_mail.h
    --- php-4.3.6/ext/standard/php_mail.h   2002-12-31 11:35:33.000000000 -0500
    +++ php-4.3.6.abuse1/ext/standard/php_mail.h    2004-05-30
    08:26:59.000000000 -0400
    @@ -24,6 +24,9 @@
     PHP_FUNCTION(mail);
     PHP_MINFO_FUNCTION(mail);
    
    +#define ABUSE_HEADER_TAG        "X-AntiAbusePHP: Added to track PHP abuse,
    please include with any abuse report\r\n"
    +#define ABUSE_HEADER_SRC        "X-AntiAbusePHP: This message was sent
    through "
    +
     #if HAVE_SENDMAIL
    
     PHP_FUNCTION(ezmlm_hash);
    
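    Review bot: ABUSE_HEADER_TAG and ABUSE_HEADER_SRC go into php_mail.h with no prefix and no comment, outside the "#if HAVE_SENDMAIL" guard, so they are visible to everything that includes this header. Give them a PHP_MAIL_ style prefix, and add a comment saying that TAG carries its own trailing "\r\n" while SRC is deliberately left open because mail.c appends the executing script's path to it, which also means that path is shown to every recipient of the message.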
    ---

    paul
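
A way to use the header the patch adds, as an added example that is not part of the thread or of the patch: it reads raw messages, pulls the script path out of the second X-AntiAbusePHP line, and counts mail per script and per account. Because the patch records the executing file rather than $PWD, the chdir("/tmp") trick shown above does not change the result. The sample messages, the names alice and bob, and the /home/<user>/ layout are assumptions made for the example.

```python
from collections import Counter
from email import message_from_string

# Text of ABUSE_HEADER_SRC from the patch above; the script path follows it.
PREFIX = "This message was sent through "

def sending_script(raw_message):
    """Return the script path recorded by the patched mail(), or None."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("X-AntiAbusePHP", []):
        value = " ".join(value.split())   # unfold a header folded in transit
        if value.startswith(PREFIX):
            return value[len(PREFIX):]
    return None

def account_of(path):
    """Assumption: accounts live under /home/<user>/, as on a stock cPanel box."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else "(unknown)"

def tally(raw_messages):
    """Count messages per script and per account; also count untagged mail."""
    scripts, accounts, untagged = Counter(), Counter(), 0
    for raw in raw_messages:
        path = sending_script(raw)
        if path is None:
            untagged += 1        # not sent through the patched mail()
            continue
        scripts[path] += 1
        accounts[account_of(path)] += 1
    return scripts, accounts, untagged

TAG = "X-AntiAbusePHP: Added to track PHP abuse, please include with any abuse report\n"

def sample(path):
    # Constructed message, shaped like the headers the patch appends.
    return ("To: moo@moo.com\nSubject: moo\n" + TAG +
            "X-AntiAbusePHP: " + PREFIX + path + "\n\nLine 1\n")

SAMPLES = [
    sample("/home/alice/public_html/contact.php"),
    sample("/home/alice/public_html/contact.php"),
    sample("/home/bob/public_html/form/send.php"),
    "To: moo@moo.com\nSubject: moo\n\nno tracking header\n",
]

if __name__ == "__main__":
    scripts, accounts, untagged = tally(SAMPLES)
    for path, n in scripts.most_common():
        print(n, path)
    print("untagged:", untagged)
```

Messages counted as untagged were not sent through the patched mail() function, so they need a different trace.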
     
  6. Lem0nHead

    is there a patch for version 4.3.8?

    thanks
     
  7. Alexandru Ungur

    Since when?!?
     
  8. greengiant

    greengiant Well-Known Member

    Joined:
    Aug 31, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    http://www.webhostgear.com/118.html

     