WebHostGear.com - July 02, 2009

Stop PHP nobody Spammers

By: ramprage

Update: May 25, 2005:
- Added Logrotation details
- Added Sample Log Output

PHP and Apache have a history of not being able to track which user is sending mail through PHP's mail() function: everything goes out as the nobody user, so leaky formmail scripts and malicious users can spam from your server without you knowing who or from where.

Watching your exim_mainlog doesn't exactly help: you see the email going out, but you can't track which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check your php.ini you'll notice that the mail program is set to /usr/sbin/sendmail, and 99.99% of PHP scripts just use the built-in mail() function, so everything goes through /usr/sbin/sendmail =)

Requirements:
We assume you're using Apache 1.3.x, PHP 4.3.x and Exim. This may work on other systems, but we've only tested it on a cPanel/WHM Red Hat Enterprise system.

Time:
10 Minutes, Root access required.

Step 1)
Login to your server and su - to root.


Step 2)
Turn off exim while we do this so it doesn't freak out.
/etc/init.d/exim stop

Step 3)
Back up your original /usr/sbin/sendmail file. On systems using the Exim MTA, the sendmail binary is basically just a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:


#!/usr/local/bin/perl
#
# Wrapper that logs who called sendmail, then hands the message to the
# real binary (renamed to sendmail.hidden in Step 3).

use strict;

my $date = `date`;
chomp $date;

open(INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";

# Effective uid of whoever invoked us (normally nobody for web scripts).
my $uid  = $>;
my @info = getpwuid($uid);

# Apache exports REMOTE_ADDR, SCRIPT_NAME and SERVER_NAME to CGI and mod_php;
# when they are present we know the client IP and the script that sent mail.
if ($ENV{REMOTE_ADDR}) {
    print INFO "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME}\n";
}
else {
    # Otherwise log the working directory and the calling account's passwd entry.
    print INFO "$date - $ENV{PWD} - @info\n";
}
close(INFO);

my $mailprog = '/usr/sbin/sendmail.hidden';

# List-form open passes the original arguments straight to the real sendmail
# without going through a shell, so odd characters in them cannot be misparsed.
open(MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close(MAIL);

# Pass the real sendmail's exit status back so PHP's mail() sees failures.
exit($? >> 8);


Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server via web scripts.
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8)
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function - a message board, a contact script.
tail -f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
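As an added example (not part of the original article), here is a small Python triage script that parses both line shapes the wrapper writes (the web request form with REMOTE_ADDR, and the working-directory form shown above) and counts sendmail invocations per source, so a spamming script stands out. The sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not real data) in the two shapes the wrapper
# writes: a web request with REMOTE_ADDR set, and a non-web call that logs
# the working directory plus the calling account's passwd entry.
SAMPLE_LOG = """\
Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99 Nobody / /sbin/nologin
Wed Apr 13 12:45:01 EDT 2005 - 203.0.113.5 ran /process.php at www.example.com
Wed Apr 13 12:45:02 EDT 2005 - 203.0.113.5 ran /process.php at www.example.com
Wed Apr 13 12:45:03 EDT 2005 - 203.0.113.5 ran /process.php at www.example.com
Wed Apr 13 12:47:39 EDT 2005 - 198.51.100.7 ran /horde/imp/compose.php at mail.example.org
"""

# "<date> - <ip> ran <script> at <host>" (trailing junk tolerated)
WEB_RE = re.compile(r"^(?P<date>.+?) - (?P<ip>\S+) ran (?P<script>\S+) at (?P<host>\S+)")
# "<date> - <cwd> -  <user> <pw> <uid> <gid> ..."
CWD_RE = re.compile(r"^(?P<date>.+?) - (?P<cwd>\S+) -\s+(?P<user>\S+)")

def parse_line(line):
    """Return a dict for one spam_log line, or None if it matches neither shape."""
    line = line.strip()
    m = WEB_RE.match(line)
    if m:
        # Key on client IP plus script so one spamming script stands out.
        return {"kind": "web", "source": f"{m['ip']} {m['script']}@{m['host']}", **m.groupdict()}
    m = CWD_RE.match(line)
    if m:
        return {"kind": "cwd", "source": f"{m['user']} in {m['cwd']}", **m.groupdict()}
    return None

def count_senders(log_text):
    """Number of sendmail invocations per source across the whole log."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            counts[rec["source"]] += 1
    return counts

def noisy_senders(log_text, threshold=3):
    """Sources that hit the wrapper at least `threshold` times, busiest first."""
    return [(src, n) for src, n in count_senders(log_text).most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n in noisy_senders(SAMPLE_LOG):
        print(f"{n:4d}  {src}")
```

Run it against a real log with `noisy_senders(open("/var/log/spam_log").read())`; the default threshold is arbitrary, so tune it to your server's normal mail volume.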

Log Rotation Details
Your spam_log file isn't set to be rotated, so it may grow very large quickly. Keep an eye on it and consider adding it to your log rotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
    monthly
    create 0777 root root
    rotate 1
}



Notes:
You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten (for example by an automatic cPanel update).

Enjoy knowing you can see nobody is actually somebody =)

Thanks to MattF and others who worked on this.

Comments / Feedback

Jerry404
Could you put example spam_log output? I think I got it to work on a Redhat9/Cpanel system, however the information recorded seems to be limited to date/location of the script. Which is a lot anyway, however looking at the $variables in the script I expected more info.
VexT
Wed Apr 13 12:45:01 EDT 2005 - 69.x.x.x ran ./horde/imp/compose.php at www.website.org n - - - -
Wed Apr 13 12:47:39 EDT 2005 - 209.x.x.x ran /process.php at www.website.com n - -
Haloweb
I tried to get this working on Redhat9/Cpanel but although it recorded all the php sendmail attempts it was not sending the actual mail - any ideas ?
ScottsdaleHosting
Haloweb,

Did you move the original /usr/sbin/sendmail to /usr/sbin/sendmail.hidden exactly as stated in the tutorial? You have to rename your actual sendmail file to sendmail.hidden because the new spam-catching sendmail script calls upon sendmail.hidden to actually do the delivering of the message.
VexT
The spam_log doesn't seem to have any line breaks. Great stuff especially if that could be addressed.
Snowman
Great tute.

For adding the log to logrotate will the following work?

/var/log/spam_log {
missingok
postrotate
endscript
}

and if so should this be added to the bottom of logrotate.conf or to the /etc/logrotate.d/exim file????
Snowman
Unfortunately this hack stopped working for no apparent reason after about 24 hours; all mail was lost with nothing getting through at all until I removed it :(

It's a pity because it was a great idea.
Steve
Did you ensure you did
chattr + i /usr/sbin/sendmail
and also check the permissions? It sounds like Cpanel did an automatic update and overwrote your changes.
Craig
Hello

This is a nice tutorial, but some things:

(1) If we are disabling the NOBODY user, then how exactly should we modify our MAIL() functions in PHP code? This has not been addressed. If we clearly specify the SMTP.MYDOMAIN.COM in our PHP code, will that work?

(2) How exactly can we add the EXIM file to logrotate? I use cPanel 10.0.0-R161 .

Thanks, and if you reply, kindly send a note to my email address as well.

CM
Steve
You can add the following to get it rotating.

pico /etc/logrotate.conf

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Article updated with this as well.
Andrew
As someone mentioned, can line breaks be added to make the logs more readable?

Thanks.
Andrew
**UPDATE** this tutorial does not work!! It will break the PHP mailer function, no mail got delivered for any of our clients while using this hack.

Andrew
Vincent
To add the linebreak, simply change

print INFO "$date - $PWD - @info\n";

to

print INFO "$date - $PWD - @info\n\n";
Mak
It's working fine, but there should be more enhancement. How about the destination email,
and what about generating an RSS feed of new spam?
Mark
How about more improvements like
1) Destination email
2) user
3) script path
and then generating an RSS file of the result.
Would that be cool and useful?
mic
I tried to get this working on Redhat9 but although it recorded all the php sendmail attempts it was not sending the actual mail and not restart sendmail - any ideas ?
Susan
I tried to get this working on Redhat9 but although it recorded all the php sendmail attempts it was not sending the actual mail and not restart sendmail
PHP
When running this:
chattr + i /usr/sbin/sendmail

It gives:
chattr: No such file or directory while trying to stat i

I have verified that the file exists by opening it.

What can be done?
dt
To PHP: just remove the space between + and i and it will work.
behzad
This hack only delivers to local emails. An error occurs when trying to send mail out, like to yahoo mail:

xxxxx@yahoo.com R=fail_remote_domains: unrouteable
mail domain "yahoo.com"

ogy
it would be chattr +i /usr/bin/sendmail
MCT
PHP -- get rid of the space between the + and the i, should look like:
chattr +i /usr/sbin/sendmail

Got this working well, but started getting silly messages like "- - user x 33333 33334 /home/user /usr/local/cpanel/bin/noshell" in the log file. A little snooping and it turned out to be message forwards to emails on the same server set up by clients in cpanel. Very scary at first, as it looks like spammer activity!
someone
You people do know that this is VERY insecure and not properly written, right?

Do me a favor and just do this as root:

perl -le 'print getpwuid($<);'

You will see root's password hash.

perl -le '$,=":"; @info = getpwnam((getpwuid($<))[0]); delete(@info[1]); print @info;'
root::0:0:::root:/root:/bin/bash

well well, isn't that better.

And what's up with this 0777 ****? Since when does a logfile need to have execute permissions anyway?

What needs to be done here is use the syslog facility.

Please people, do not blindly use scripts from the internet without knowing what they are doing first.
Stephen
How can i uninstall this script?

My clientexec script stopped sending invoices...
Yujin
To uninstall the script, do

rm -f /usr/sbin/sendmail
mv /usr/sbin/sendmail.hidden /usr/sbin/sendmail
M.A
I cannot send a mail from PHP program with mail() function .

What should I do ?
Taz
Mine logs as well (not cleanly, no line breaks) but the email doesn't get delivered. Please help.
hz
I can't see any more in spam_log; it only shows: - - - - - instead of /home/user/script.cgi
Thomas
Hi
Hmm, I just implemented your script and it is working perfectly. Thanks.

The output I have is like
Tue Nov 22 17:29:20 CET 2005 - 127.0.0.1 ran at xx.xx.xxx.xx n
(only hid my ip)
Could somebody explain to me what that means?
Tamouh
Additionally, you can monitor EXIM logs and find out which script path initiated the spam by adding this line at the start of your EXIM config file (this should be all on one line):

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error
emeric Olenga
How do I clean up tail -f /var/log/spam_log when it is big?
Bhavik
If we disable the NOBODY user, then how exactly should we modify our MAIL() functions in PHP code? Can anybody help me out?
Lukas
I got logs like this one: how can I locate a spammer?

myip nTue Dec 20 14:32:46 CET 2005 - 83.29.68.195 ran at
myip nTue Dec 20 14:33:12 CET 2005 - 83.29.68.195 ran at
myip nTue Dec 20 14:33:19 CET 2005 - 83.29.68.195 ran at
Cem
Hi,

Thank you for that great tutorial. Can you make it more advanced?
SAINT
If you are running Cpanel you can do the same thing clicking "tweak settings" under Server Configurations. This fixed the Spam problem and did not break the mail scripts.
jayesh
Please reply to this query.

I'm using the mail function to send mails in PHP; they get sent to the bulk folder.
I want to send them to the inbox.
How do I do that?
Help????
Hitesh Kachru
Can this be done on Qmail with Plesk CP. How to do this in Qmail?
kailas
But how will I know that there are PHP nobody spammers and that I have to do the above? Please assist me with this.
Prabash32
This article is of great use for us...
working fine on our servers...
mmmmmm Great..!!!!!!!!!


Thanks
Nixon Girard
SENSATIONAL
codeunix
I have a big problem, I can't send any email, I get a Mail delivery system error that email was not delivered, please help me out :(

thanks
bobby
hi,
Just curious, why do I see sendmail processes for users even if they have no script installed that uses sendmail?

Thanks
ME
I get this error when i log as root
/usr/sbin/sendmail: Exec format error
Me
Yujin
To uninstall the script, do

rm -f /usr/sbin/sendmail
mv /usr/sbin/sendmail.hidden /usr/sbin/sendmail
============================

rm: cannot remove `/usr/sbin/sendmail': Operation not permitted
root@home [~]#

Any solution???
Steve
chattr -i sendmail maybe?
Or try lsattr sendmail to see if it has any special permissions set. You might have to shut down the mail server before you can remove it; if a process is using it, it won't be able to be removed.
Richard
Has anyone tried the above changes using Dovecot, instead of sendmail? I can't really find info about that :-(
justin
The idea is great. But nobody has further explained the need for 0777 for the logs.
Isn't that a point (by someone)?

:)

Rafal
Great article! I'm using this on every one of my servers.
Edward
I can't get this to log or send mail out. It just fails! Anyone got any experience as to why?

System: Fedora Core 3
Mail: Postfix
abdalla
It's not working

not secure

just read your exim logs and throw it away

bye
ldaap
This script does not work with the Plesk panel, because when I implemented it the server stopped sending emails.
behnam sarfarazi
How can I know who the spammer is in the log?
Dennis
Great script. Works for all my servers, except for the new one.

The new one with newest Plesk/Qmail will fail to send mail using this script.
matt
This looks a bit outdated, but the script has a few errors.

Please note @infon looks as though it should be @info\n
Edward
Hi,

I'm trying to add the line break in the spam log, but it is not working. I changed the line:
print INFO "$date - $PWD - @infon";
to
print INFO "$date - $PWD - @infon /n/n";
But not working. :-(

Also can we see the exact script/file name in the log like the one described by VexT

VexT
Wed Apr 13 12:45:01 EDT 2005 - 69.x.x.x ran ./horde/imp/compose.php at www.website.org n - - - -
Wed Apr 13 12:47:39 EDT 2005 - 209.x.x.x ran /process.php at www.website.com n - -

I am only getting the corresponding directory and not the file. Please see the results from my server:

# tail -f /var/log/spam_log
Sun Apr 27 01:16:54 EEST 2008 - /home/rbeg/public_html/err - Sun Apr 27 01:17:01 EEST 2008 - /home/rbeg/public_html/err - Sun Apr 27 01:17:01 EEST 2008 - / - Sun Apr 27 01:17:40 EEST 2008

Please advise.

Thanks.
Randy Henderson
This seems dated, none of the "this works great" comments had a date (the last one said Apr 27 from the logs but who knows what year). Since cPanel 11 I am not sure this would work.

But the jewel in reading all this was Tamouh's post. This works great with putting who sent the email through the exim log where it should be.

The only difference between what Tamouh posted and what I am using is that I also added +subject to my configuration.

November 2008
