Updating Apache using Cpanel EasyApache Published: Jun 07, 2004

Stop PHP nobody Spammers

Update: May 25, 2005:
- Added Logrotation details
- Added Sample Log Output

PHP and Apache have a history of not being able to track which users are sending mail through the PHP mail function as the nobody user. This lets leaky formmail scripts and malicious users spam from your server without you knowing who is doing it or from where.

Watching your exim_mainlog doesn't exactly help: you see the email going out, but you can't tell which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check your php.ini file you'll notice that your mail program is set to /usr/sbin/sendmail, and 99.99% of PHP scripts just use PHP's built-in mail() function, so everything goes through /usr/sbin/sendmail =)

Requirements:
We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems, but we've only tested it on a Cpanel/WHM Red Hat Enterprise system.

Time:
10 Minutes, Root access required.

Step 1)
Log in to your server and su - to root.

Step 2)
Turn off exim while we do this so it doesn't freak out.
/etc/init.d/exim stop

Step 3)
Back up your original /usr/sbin/sendmail file. On systems using the Exim MTA, the sendmail file is basically just a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:


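#!/usr/local/bin/perl
# Logging wrapper for sendmail: records who called it, then passes the
# message on to the real binary saved as sendmail.hidden in Step 3.
use strict;

my $date = `date`;
chomp $date;
open (INFO, '>>', '/var/log/spam_log') || die "Failed to open file ::$!";
my $uid = $>;                  # effective UID of the caller
my @info = getpwuid($uid);     # passwd entry for that UID
if ($ENV{REMOTE_ADDR}) {
        # Called during a web request: log client IP, script and virtual host
        print INFO "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME} \n";
}
else {
        # No web environment: log the working directory and the calling user
        print INFO "$date - $ENV{PWD} -  @info\n";
}
close (INFO);

my $mailprog = '/usr/sbin/sendmail.hidden';
# List-form pipe open hands the original arguments to the real sendmail
# unchanged, without re-parsing them through a shell.
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
        print MAIL;
}
close (MAIL);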


Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
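Create a new log file to keep a history of all mail going out of the server from web scripts. The wrapper runs as whichever user calls it (nobody for PHP under Apache), so the log has to be writable by every user, which also means any local user can alter it.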
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8)
Monitor your spam_log file for spam. To test it, use any formmail or script that calls a mail function, such as a message board or a contact script.
tail -f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
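
To turn the log into a ranked list of senders, the following added example (not part of the original tutorial) parses both line formats the wrapper writes and counts messages per source. The function names, the minimum-count argument and the sample lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: rank the sources recorded in spam_log.
# Line formats written by the wrapper script:
#   <date> - <REMOTE_ADDR> ran <SCRIPT_NAME> at <SERVER_NAME>
#   <date> - <PWD> -  <passwd fields of the calling user>

# top_senders [FILE] [MIN]
#   FILE defaults to stdin ("-"), MIN to 1.
#   Prints "<count> <kind> <source>", highest count first.
top_senders() {
    awk -F' - ' -v min="${2:-1}" '
        # Web request: group by virtual host + script, whatever the client IP
        $2 ~ / ran .+ at / {
            split($2, w, / ran | at /)   # w[1]=client IP, w[2]=script, w[3]=vhost
            sub(/[ \t]+$/, "", w[3])     # the wrapper leaves a trailing space
            hits["web " w[3] w[2]]++
            next
        }
        # No REMOTE_ADDR: group by account name + working directory
        NF >= 3 {
            split($3, pw, " ")           # pw[1] = account name from getpwuid
            hits["cli " pw[1] " " $2]++
        }
        END { for (k in hits) if (hits[k] >= min) print hits[k], k }
    ' "${1:--}" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (documentation addresses and host names only)
sample_spam_log() {
    cat <<'EOF'
Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
Mon Apr 11 07:12:25 EDT 2005 - 203.0.113.7 ran /cgi-bin/formmail.php at www.example.com
Mon Apr 11 07:12:26 EDT 2005 - 203.0.113.7 ran /cgi-bin/formmail.php at www.example.com
Mon Apr 11 07:12:27 EDT 2005 - 198.51.100.9 ran /cgi-bin/formmail.php at www.example.com
Mon Apr 11 07:13:02 EDT 2005 - 192.0.2.44 ran /contact.php at shop.example.net
EOF
}

# Demo: show only sources that sent at least 2 messages in the sample
sample_spam_log | top_senders - 2
```

On a live server, point the function at the real file, for example `top_senders /var/log/spam_log 50`, to list only the sources with 50 or more messages.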

Log Rotation Details
Your spam_log file isn't set to be rotated, so it can get very large quickly. Keep an eye on it and consider adding it to your log rotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
    monthly
    create 0777 root root
    rotate 1
}



Notes:
You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten.

Enjoy knowing you can see nobody is actually somebody =)

Thanks to MattF and others who worked on this.


Comments (10)

  • Steve 00:37, March 22, 2005
    Great tutorial, thanks!
  • perdana 16:57, April 6, 2005
    hey....who r u....
    am perdana from indonesian
    to the point....
    am dizzy for cpanel ver9x
    am needed your help...
    plz send to my email...
    am waiting
  • alec 11:10, May 3, 2006
    Fab! Many thanks, saved my arse! easy to follow, simple to do!
  • Patrick 12:40, May 16, 2006
    Whenever I put /scripts/easyapache into my ssh window, easy apache auto executes and I never get to select what option I want. What gives?

    And is there a way around this happening?

    Thanks
  • Cristian 09:42, July 26, 2006
    This is a good tutorial.
    Easy to follow
  • Wade 06:15, October 15, 2006
    if you don't see the "options" selection and it just goes into building apache, you might need to delete the /home/cpapachebuild directory and files, and you might also need to use upcp -force FIRST.

    I had this problem but did the above and it worked.
  • Shanx 06:06, June 18, 2007
    Instead of doing it in the console, it's much better to simply use the WHM interface. It shows everything that can be set or unset, and works without unpredictable results on different platforms. Look for "Upgrade Apache" on the left hand side frame menu.
  • Baby 06:03, April 30, 2008
    Upgrade Apache On Cpanel
    hello dears,
    i have a problem with my apache and the site's settings.
    my apache version is very old and i want to upgrade with the
    apache 2.2, but i have a little information to do that
    if there is no problem please tell me how can i upgrade my apache with cpanel manager (explain step by step)
    and my server's operation is linux.
    another question is: when i design a php e-mail sender and i send an e-mail to
    another mail in the different server when i receive that and check it, it was from another server
    but the user be same, for example: my e-mail : baby@server.com but i receive babay@victim.com
  • Mike Spears 15:15, June 8, 2008
    Great Tutorial!
    Very easy to follow.
  • santosh 18:07, September 15, 2009
    Great


WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2016 WebHostGear.com