
Topic: How to trace Nobody Spamming?


lijeshk

  • Guest
How to trace Nobody Spamming?
« on: October 31, 2013, 10:59:56 am »

It may not be possible to track 'nobody' spammers just by checking the exim_mainlog file: it shows that a message was accepted from a local process running as nobody, but not which script or directory on the server was used to send it. If we check php.ini, sendmail_path points at /usr/sbin/sendmail, and almost all PHP mail scripts use the built-in mail() function, i.e. every such mail goes through /usr/sbin/sendmail.

We can find out which scripts are doing this on a Linux server as follows.

1. Login to server as root.

2. Stop exim service.
[root@server~]#/etc/init.d/exim stop

3. Move the real /usr/sbin/sendmail aside. The server uses Exim as MTA (Mail Transfer Agent); /usr/sbin/sendmail is only the sendmail-compatible entry point for it (on most installs a symlink to the exim binary), so it can be replaced by a wrapper that logs the caller and then hands the message on to the original.
[root@server~]#mv /usr/sbin/sendmail /usr/sbin/sendmail.imp

4. Now create the logging wrapper that takes the place of sendmail.
[root@server~]#vi /usr/sbin/sendmail
Paste the following:
---
#!/usr/local/bin/perl
# Logging wrapper that stands in for /usr/sbin/sendmail: records who called it,
# then passes the message unchanged to the real binary (moved aside in step 3).
use strict;
use warnings;
use Cwd qw(getcwd);

my $logfile  = '/var/log/spammer.log';
my $mailprog = '/usr/sbin/sendmail.imp';

my $date = `date`;
chomp $date;

# passwd entry of the effective uid we run as (nobody for mod_php,
# the account itself for suPHP/CGI).
my @info = getpwuid($>);

open(my $info, '>>', $logfile) or die "Failed to open file $logfile: $!";
if ($ENV{REMOTE_ADDR}) {
    # CGI environment: the web server tells us the client and the script.
    print $info "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME}\n";
} else {
    # PHP mail(): the working directory is the directory of the calling script.
    print $info "$date - " . getcwd() . " - @info\n";
}
close($info);

# List-form open: the original arguments reach the real sendmail as given,
# without being re-parsed by a shell.
open(my $mail, '|-', $mailprog, @ARGV) or die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print $mail $_;
}
close($mail);
---

5. Make the new sendmail executable.
[root@server~]#chmod +x /usr/sbin/sendmail

6. Create the log file the wrapper writes to. It has to be writable by the unprivileged users the web scripts run as (nobody, or the account under suPHP), which is why it is made world-writable here. 0622 (root:root) is a tighter choice: anyone can still append, but only root can read it. Either way any local user can write to this file, so treat its contents as a lead to investigate, not as evidence.
[root@server~]#touch /var/log/spammer.log
[root@server~]#chmod 0777 /var/log/spammer.log

7. Start Exim.
[root@server~]#/etc/init.d/exim start

8. Now send a message with any formmail script, or any script that uses PHP's mail() function, and watch the new log file (spammer.log):
[root@server~]#tail -f /var/log/spammer.log

It should give output like this:

Mon Nov 01 11:00:00 IST 2013 - /home/username/public_html/directory/subdirectory/subsubdirectory - nobody x 99 99 Nobody / /sbin/nologin

The path is the working directory of the script that called mail(), which is where to start looking for the spam script, and the trailing fields are the passwd entry of the user it ran as.

9. Log Rotation: this file is not rotated by anything yet, so on a busy server it can grow large quickly. Add it to logrotate:
[root@server~]#vi /etc/logrotate.conf
Find >>
# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
Add >>
# SPAM LOG rotation
/var/log/spammer.log {
monthly
create 0777 root root
rotate 1
}

10. Set the immutable attribute on the new sendmail so that it is not overwritten (by an Exim/cPanel update or by another admin). Remember to remove it with chattr -i before upgrading Exim, or the upgrade will fail to replace the file.
[root@server~]#chattr +i /usr/sbin/sendmail

Now we can track nobody spam users by monitoring spammer.log ... :) Note that only mail handed to /usr/sbin/sendmail is caught; a script that speaks SMTP to localhost itself (for example a mailer class configured for SMTP) bypasses the wrapper and has to be traced in exim_mainlog instead.
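Once the wrapper has been running for a while, the useful question is which directory or client IP is responsible for most of the entries. The following shell snippet is an added example, not part of the original post: it summarises the two line formats the wrapper writes (cwd plus passwd entry, or client IP plus script and vhost) and lists every source that appears at least a given number of times. The log lines below are constructed sample data, not output from a real server.

```shell
#!/bin/sh
# Summarise a spammer.log written by the sendmail wrapper above.
# Assumed line formats (both produced by the wrapper):
#   <date> - <cwd> - <user> <pw> <uid> <gid> <gecos> <home> <shell>
#   <date> - <client IP> ran <script> at <vhost>

# Constructed sample log for demonstration; not real data.
SAMPLE_LOG=$(cat <<'EOF'
Mon Nov 01 11:00:00 IST 2013 - /home/alice/public_html/blog/wp-content/uploads - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 01 11:00:01 IST 2013 - /home/alice/public_html/blog/wp-content/uploads - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 01 11:00:02 IST 2013 - /home/alice/public_html/blog/wp-content/uploads - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 01 11:00:05 IST 2013 - /home/bob/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 01 11:00:07 IST 2013 - 203.0.113.7 ran /cgi-bin/formmail.pl at www.example.com
Mon Nov 01 11:00:09 IST 2013 - 203.0.113.7 ran /cgi-bin/formmail.pl at www.example.com
EOF
)

# top_sources LOGTEXT THRESHOLD
# Prints "count<TAB>source" for every source (script directory or client IP)
# that appears at least THRESHOLD times, busiest first.
top_sources() {
    printf '%s\n' "$1" | awk -F' - ' -v min="$2" '
        {
            # Field 2 is either the cwd or "<ip> ran <script> at <vhost>";
            # in the latter case keep only the IP.
            src = $2
            if (src ~ / ran /) sub(/ ran .*/, "", src)
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) printf "%d\t%s\n", n[s], s }
    ' | sort -rn
}

# Demonstration on the sample: alice's uploads directory (3) and the
# formmail client (2) are reported; bob's single message is below the threshold.
top_sources "$SAMPLE_LOG" 2
```

Against the live log run `top_sources "$(cat /var/log/spammer.log)" 20` (or pipe the file through the awk part directly); a directory under public_html that suddenly dominates the list is the place to look for an injected mailer script.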