Security Incidents mailing list archives

Re: How to determine which PHP-script allows spamming?


From: Alex <incidents () alex gotdns org>
Date: Fri, 24 Feb 2006 23:14:45 -0600 (CST)

I'm a bit new to this game, but I think this might be useful:

Are you sure that the spam is being sent through your mailserver? (Couldn't the spam script just directly connect to the recipient's mail server?)


And if you think the spam is going through your server:

PHP's documentation on "mail()" states that it executes the sendmail cmd from the shell to send mail. If you are executing php scripts as a CGI [on linux], then you could write a tiny wrapper to replace the sendmail executable with a script that does a little logging before calling the real one. Use something like the "getppid" function to get the parent process ID {parent == the php-cgi executable} and then you can log the contents of various things in "/proc/{$PID}/" to a file:

Here is a short example that writes a few juicy tidbits to a file in /tmp:

#!/usr/bin/php
<?php
// Stand-in for the sendmail binary that PHP's mail() runs: it logs what it
// can learn about the calling process (the parent, i.e. php-cgi), and would
// then hand the call over to the real sendmail (not shown here).
$fd = fopen("/tmp/mail.txt", "a");
$parent_pid = posix_getppid();                      // needs the posix extension
$parent_exe = readlink("/proc/{$parent_pid}/exe");  // binary the parent is running
$parent_cmd = join("\t", explode(chr(0), file_get_contents("/proc/{$parent_pid}/cmdline")));  // NUL-separated argv, joined with tabs
$parent_dir = readlink("/proc/{$parent_pid}/cwd");  // parent's working directory, i.e. where the script lives

fwrite($fd, "Parent executable file is  [{$parent_exe}]\n");
fwrite($fd, "Parent cmdline         was [{$parent_cmd}]\n");
fwrite($fd, "Parent work dir        was [{$parent_dir}]\n\n");
fclose($fd);
?>

Something like this, with a bit of extra logging for the current command-line arguments (e.g. the ones intended for sendmail), might help you find which script is sending which emails.

-Alex
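A fuller version of the sendmail shim described above, added here as an example and not part of Alex's post: it records the parent's /proc details plus the CGI environment, then hands the call (arguments and the message on stdin) to the real sendmail. It assumes PHP runs as a CGI on Linux, that the original binary has been renamed to /usr/sbin/sendmail.real, and that SCRIPT_FILENAME and REMOTE_ADDR reach the wrapper through the inherited environment; the log path and variable names are this example's own.

```shell
#!/bin/sh
# Shim installed in place of the sendmail binary that PHP's mail() pops open.
# It records who called it, then passes the call (arguments and the message on
# stdin) to the real program unchanged.  Paths and names below are assumptions.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"   # the renamed original
SENDMAIL_LOG="${SENDMAIL_LOG:-/var/log/sendmail-callers.log}"

# Read one /proc link of the parent, printing "?" when it is unreadable
# (the parent may already have exited or belong to another uid).
proc_link() { readlink "/proc/$PPID/$1" 2>/dev/null || printf '?'; }
# The parent's argv is NUL-separated in /proc; join it with spaces.
proc_cmdline() { tr '\0' ' ' 2>/dev/null < "/proc/$PPID/cmdline" || printf '?'; }

# One tab-separated record describing the caller. With popen() the immediate
# parent may be the /bin/sh it used rather than php-cgi itself, so the CGI
# variables, inherited through the environment from the web server, are the
# most direct pointer to the script and to the client that triggered it.
caller_record() {
    printf '%s\tppid=%s\texe=%s\tcwd=%s\tcmd=[%s]\tscript=%s\tclient=%s\targv=[%s]\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$PPID" \
        "$(proc_link exe)" "$(proc_link cwd)" "$(proc_cmdline)" \
        "${SCRIPT_FILENAME:-?}" "${REMOTE_ADDR:-?}" "$*"
}

# Append the record; a logging failure must never block legitimate mail.
record_caller() { caller_record "$@" >> "$SENDMAIL_LOG" 2>/dev/null || true; }

# Act as the shim only when installed under the name "sendmail", so the
# functions above can also be sourced and exercised without sending anything.
if [ "${0##*/}" = sendmail ]; then
    record_caller "$@"
    exec "$REAL_SENDMAIL" "$@"
fi
```

Correlating the script= and cwd= fields of the log with the mail log timestamps points at the sending script and therefore the customer's domain.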




On Fri, 24 Feb 2006, Rainer Duffner wrote:

Hello,

I have a big problem. Some customer probably got a PHP script installed that allows sending out mails with no trace to the original domain it belongs to (we had this before, where pollvote.php was used to install some kind of web shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful. I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.


What options do I have?
Can Snort detect this?

(The webserver uses qmail as MTA)



cheers,
Rainer





