hoder.org

September 11, 2008

Stop PHP nobody Spammers

Filed under: PHP, Uncategorized, email, freebsd — admin @ 5:14 pm

Stop PHP nobody Spammers
http://www.webhostgear.com/232.html
Update: May 25, 2005:
- Added Logrotation details
- Added Sample Log Output

PHP and Apache have a long history of not being able to track which user is sending mail through the PHP mail() function: everything runs as the nobody user, so a leaky formmail script or a malicious user can spam from your server without you knowing who sent it or from where.

Watching your exim_mainlog doesn't exactly help: you see the email going out, but you can't tell which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check your php.ini file you'll notice that your mail program is set to /usr/sbin/sendmail, and 99.99% of PHP scripts just use PHP's built-in mail() function - so everything goes through /usr/sbin/sendmail =)

Requirements:
We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems, but we've only tested it on a cPanel/WHM Red Hat Enterprise system.

Time:
10 Minutes, Root access required.

Step 1)
Log in to your server and su - to root.

Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop

Article provided by WebHostGear.com

Step 3)
Back up your original /usr/sbin/sendmail file. On systems using the Exim MTA, the sendmail binary is basically just a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden 

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl
use strict;
# Expose the CGI environment variables as plain Perl variables ($REMOTE_ADDR etc.).
# Naming them explicitly declares them even when they are absent from %ENV.
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid  = $>;                  # effective uid of whoever invoked sendmail
my @info = getpwuid($uid);      # passwd entry for that uid (name, uid, gid, home, shell, ...)
if ($REMOTE_ADDR) {
        # Called with a CGI environment: log the client address, script and virtual host
        print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
        # No CGI environment (PHP module): log the working directory and the uid's passwd entry
        print INFO "$date - $PWD -  @info\n";
}
my $mailprog = '/usr/sbin/sendmail.hidden';
# Pass the original arguments straight to the real sendmail (list form, no shell),
# so nothing in the arguments can be interpreted as shell syntax
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
        print MAIL;
}
close (INFO);
close (MAIL);

Step 5)
Make the new sendmail script executable.
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail sent out of the server by web scripts.
touch /var/log/spam_log
chmod 0777 /var/log/spam_log
Step 7)
Start Exim up again.
/etc/init.d/exim start 

Step 8)
Monitor your spam_log file for spam. To test it, use any formmail or other script that calls the mail function - a message board, a contact script.
tail -f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
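Once the wrapper is writing lines like the one above, the quickest way to find the offending script is to count entries per origin over a short window. The following is an added example, not part of the original article: it parses both line shapes the wrapper produces and flags any directory or CGI caller that sends a burst of mail. The regexes, the sample log lines, the five-message threshold and the ten-minute window are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The wrapper writes two line shapes (these regexes are the example's own):
#   "<date> - <cwd> -  <getpwuid fields>"  and  "<date> - <addr> ran <script> at <server>"
CWD_RE = re.compile(r"^(?P<date>.+?) - (?P<cwd>/\S*) -\s+\S+")
CGI_RE = re.compile(r"^(?P<date>.+?) - (?P<addr>\S+) ran (?P<script>\S+) at \S+$")

def parse_date(text):
    # `date` output, e.g. "Mon Apr 11 07:12:21 EDT 2005"; drop the zone name, which %Z may not know
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_line(line):
    # (timestamp, origin): script directory for web-server-user mail, "addr script" for CGI callers
    m = CGI_RE.match(line)
    if m:
        return parse_date(m["date"]), f"{m['addr']} {m['script']}"
    m = CWD_RE.match(line)
    return (parse_date(m["date"]), m["cwd"]) if m else None

def find_bursts(lines, threshold=5, window_minutes=10):
    # Most messages per origin inside any sliding window; origins reaching `threshold` are the suspects
    window = timedelta(minutes=window_minutes)
    times_by_origin = defaultdict(list)
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed:
            times_by_origin[parsed[1]].append(parsed[0])
    bursts = {}
    for origin, times in times_by_origin.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[origin] = peak
    return bursts

# Constructed sample log: a contact form sending six mails in five minutes, one legitimate mail, one CGI entry
PW = "nobody x 99 99   Nobody / /sbin/nologin"
SAMPLE_LOG = [f"Mon Apr 11 07:1{i}:21 EDT 2005 - /home/user1/public_html/contact -  {PW}"
              for i in range(2, 8)]
SAMPLE_LOG += [f"Mon Apr 11 07:30:00 EDT 2005 - /home/user2/public_html -  {PW}",
               "Mon Apr 11 07:31:00 EDT 2005 - 192.0.2.10 ran /cgi-bin/form.pl at www.example.com"]
```

Run against the real file with `find_bursts(open("/var/log/spam_log"))`; the directory it reports is where to look for the leaking script.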

Log Rotation Details
Your spam_log file isn't set to be rotated, so it may grow very large very quickly. Keep an eye on it and consider adding it to your logrotate configuration.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
    monthly
    create 0777 root root
    rotate 1
}

Notes:
You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten.

July 2, 2008

exim

Filed under: email, freebsd — admin @ 12:12 am

Main >> DNS Functions >> Edit MX Entry
/var/spool/exim/msglog/6

Current MX Entries
Domain: hobid.com          Always Accept: No
Priority  MX Entry
0         hobid.com
20        alt1.aspmx.l.google.com
Main >> Service Configuration >> Exim Configuration Editor

Exim Configuration Editor
Configuration file passes test!  New configuration file was installed.
Enabled system filter options: attachments|fail_spam_score_over_200|spam_rewrite
Enabled ACL options in block ACL_RATELIMIT_BLOCK: 0tracksenders
Enabled ACL options in block ACL_RATELIMIT_SPAM_BLOCK: ratelimit_spam_score_over_200
Enabled ACL options in block ACL_RBL_BLOCK:
Enabled ACL options in block ACL_PRE_RECP_VERIFY_BLOCK: dictionary_attack
Enabled ACL options in block ACL_NOTQUIT_BLOCK: ratelimit
Enabled ACL options in block ACL_TRUSTEDLIST_BLOCK:
Enabled ACL options in block ACL_CONNECT_BLOCK: ratelimit|spammerlist
Enabled ACL options in block ACL_SPAM_BLOCK: deny_spam_score_over_200
Detected spam handling in acls, disabling spamassassin in routers & transports!.
SpamAssassin method remains unchanged
Configured options list is:
Provided options list is: hostlist senderverifybypass_hosts|hostlist skipsmtpcheck_hosts|hostlist spammeripblocks|hostlist backupmx_hosts|hostlist trustedmailhosts|domainlist user_domains|smtp_receive_timeout|ignore_bounce_errors_after|timeout_frozen_after|auto_thaw|callout_domain_negative_expire|callout_negative_expire|acl_smtp_connect|acl_smtp_notquit|spamd_address
Exim Insert Regex is: virtual_userdelivery|virtual_aliases|lookuphost|virtual_user|address_pipe|localuser
Exim Replace Regex is: virtual_sa_user|sa_localuser|virtual_sa_userdelivery|local_sa_delivery|central_filter|central_user_filter|democheck|fail_remote_domains|has_alias_but_no_mailbox_discarded_to_prevent_loop|literal|local_delivery|local_delivery_spam|localuser|localuser_spam|lookuphost|remote_smtp|userforward|virtual_aliases|virtual_aliases_nostar|virtual_user|virtual_user_spam|virtual_userdelivery|virtual_userdelivery_spam
Exim Match Insert Regex is: quota_directory|maildir_format
Exim version 4.69 #0 (FreeBSD 6.2) built 04-Jun-2008 21:38:13
Copyright (c) University of Cambridge 2006
Probably Berkeley DB version 1.8x (native mode)
Support for: crypteq iconv() IPv6 use_setclassresources PAM Perl Expand_dlfunc OpenSSL Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Exim Perl Load List is: spam_acl_support|checkuserquota|boxtrapper|safefile|fast_checkvalias|checkspam|checkspam2|fast_isdemo|fast_accountfunc|checkpass_cphulkd
/etc/exim.pl.local installed!
razor2 is not installed, disabling it in SpamAssassin to save memory
pyzor is not installed, disabling it in SpamAssassin to save memory
SPF is disabled in exim or unavailable, enabling SPF for SpamAssassin

Attempting to restart exim
Waiting for exim to restart…. . . . . . . . . . . finished.

exim status
mailnull 26474  0.0  0.1 15896  3484  ??  Ss    3:15PM   0:00.00 /usr/local/sbin/exim -bd -q30m (exim-4.69-0)
mailnull 26477  0.0  0.1 15896  3448  ??  Ss    3:15PM   0:00.00 /usr/local/sbin/exim -tls-on-connect -bd -oX 465 (exim-4.69-0)

exim started ok
Your configuration changes have been saved!

Main >> Hostname A Entry Missing!

Hostname A Entry Missing!
The server was unable to lookup an an A entry for its hostname (newinst.layeredtech.com). This is generally because the entry was never added. However this could also be the result of your nameserver(s) being down. If you would like to attempt to automatically add the entry, .

Main >> Software >> Update Server Software

Update Server Software
cPanel Package Upgrades in Progress…
Ftp Setup Script Version 6.1
This is the pure-ftpd installer
Searching ports for pure-ftpd ……………………………….found pure-ftpd in /usr/ports/ftp/pure-ftpd….Done
pure-ftpd (1.0.21-2) is already installed.
MySQL Setup Script Version 7.0
This is the MySQL installer for OS FreeBSD
Searching ports for mysql50-client ………………………..found mysql50-client in /usr/ports/databases/mysql50-client….Done
mysql50-client (5.0.51a) is already installed.
Searching ports for mysql50-server ………………………..found mysql50-server in /usr/ports/databases/mysql50-server….Done
mysql50-server (5.0.51a) is already installed.
Install Complete
bandmin Setup Script Version 1.0
courier-imap Setup Script Version 1.0
This is the courier-imap installer for OS FreeBSD
Source: packages-6.2-release
looking up ftp5.de.freebsd.org
connecting to ftp5.de.freebsd.org:21
fetch: ftp://ftp5.de.freebsd.org/pub/FreeBSD/ports/amd64/packages-6.2-release/INDEX: Operation timed out
Source: packages-6-stable
looking up ftp5.de.freebsd.org
connecting to ftp5.de.freebsd.org:21
fetch: ftp://ftp5.de.freebsd.org/pub/FreeBSD/ports/amd64/packages-6-stable/INDEX: Operation timed out
Source: packages-6.2-release
looking up ftp.ua.freebsd.org
connecting to ftp.ua.freebsd.org:21
binding data socket
initiating transfer
remote size / mtime: 8252233 / 1164048316
/root/.cpbsdpkgs/6-8-2008.INDEX                       8058 kB  380 kBps
gdbm (1.8.3_2) is already installed.
Searching ports for courier-authlib ……………………………………………………….found courier-authlib in /usr/ports/security/courier-authlib….Done
courier-authlib (0.60.2) is already installed.
Searching ports for courier-imap ………………………………………..found courier-imap in /usr/ports/mail/courier-imap….Done
courier-imap (4.3.1,2) is already installed.
No restart required
Install Complete
Exim (maildir) Setup Script Version 20.0
exim (4.69) is already installed.
exim (4.69) is already installed.
Searching ports for portupgrade …………………………………………………..found portupgrade in /usr/ports/ports-mgmt/portupgrade….Done
portupgrade (2.4.3-2,2) is already installed.
openssh is installed
exim is installed
rdate is installed
bash is installed
ncftp is installed
wget is installed
jpeg is installed
python is installed
imap-uw is installed
png is installed

June 24, 2008

exim

Filed under: email — admin @ 1:25 pm

http://en.wikipedia.org/wiki/Joe_job

2008-06-24 13:22:26 no host name found for IP address 58.248.7.24
2008-06-24 13:22:27 H=(yahoo.com.cn) [58.248.7.24] Warning: Sender rate 4.1 / 1h
2008-06-24 13:22:28 H=(yahoo.com.cn) [58.248.7.24] F=<lkjww11@yahoo.com.cn> rejected RCPT <info@xxxxx.com>: (yahoo.com.cn) [58.248.7.24] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
