I'm a bit new to this game, but I think this might be useful:
Are you sure that the spam is being sent through your mailserver?
(Couldn't the spam script just directly connect to the recipient's mail
server?)
And if you think the spam is going through your server:
PHP's documentation on "mail()" states that it executes the sendmail cmd
from the shell to send mail. If you are executing php scripts as a CGI
[on linux], then you could write a tiny wrapper to replace the sendmail
executable with a script that does a little logging before calling the
real one. Use something like the "getppid" function to get the parent
process ID {parent == the php-cgi executable} and then you can log the
contents of various things in "/proc/{$PID}/" to a file:
Here is a short example that writes a few juicy tidbits to a file in /tmp:
#!/usr/bin/php
<?php
// Needs the posix extension (posix_getppid) and a Linux /proc filesystem.
$fd = fopen("/tmp/mail.txt", "a");
if ($fd === false) {
    exit(1); // log file not writable by the user running the CGI
}
$parent_pid = posix_getppid();
// What the parent is running, how it was invoked, and where it was started
$parent_exe = readlink("/proc/${parent_pid}/exe");
$parent_cmd = join("\t", explode(chr(0), file_get_contents("/proc/${parent_pid}/cmdline")));
$parent_dir = readlink("/proc/${parent_pid}/cwd");
fwrite($fd, "Parent executable file is [${parent_exe}]\n");
fwrite($fd, "Parent cmdline was [${parent_cmd}]\n");
fwrite($fd, "Parent work dir was [${parent_dir}]\n\n");
fclose($fd);
?>
Something like this, with a bit of extra logging for the current
command-line arguments (e.g. the ones intended for sendmail), might help
you find which script is sending which emails.
-Alex
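A shell version of the same wrapper idea, as an added example and not Alex's script: it is meant to sit at the sendmail path, log the parent's /proc details (executable, cmdline, cwd), the php-cgi environment variables that name the script and the client (SCRIPT_FILENAME, REMOTE_ADDR, ...), and the From/To/Subject lines of the message, and then hand the unmodified message and arguments to the real sendmail. The paths /usr/sbin/sendmail.real and /tmp/mail.txt and the REAL_SENDMAIL / SENDMAIL_WRAPPER_LOG variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not from the original mail).
# Assumed layout: this file is installed as /usr/sbin/sendmail and the real
# binary has been moved to /usr/sbin/sendmail.real. Both are assumptions.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"
LOGFILE="${SENDMAIL_WRAPPER_LOG:-/tmp/mail.txt}"

# proc_link PID NAME: resolve /proc/PID/NAME (exe, cwd); "unknown" if unreadable
proc_link() {
    readlink "/proc/$1/$2" 2>/dev/null || echo unknown
}

# proc_nul_list PID NAME: print a NUL-separated /proc file (cmdline, environ)
# as one tab-separated line; "unknown" if it cannot be read
proc_nul_list() {
    tr '\0' '\t' < "/proc/$1/$2" 2>/dev/null || echo unknown
}

# log_caller LOGFILE PID [SENDMAIL ARGS...]: append one record describing the
# process that invoked us. Under php-cgi the parent's environment carries
# SCRIPT_FILENAME and REMOTE_ADDR, i.e. which script ran and who triggered it.
log_caller() {
    logfile=$1; pid=$2; shift 2
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') wrapper pid $$ ==="
        echo "Parent pid:        $pid"
        echo "Parent executable: $(proc_link "$pid" exe)"
        echo "Parent cmdline:    $(proc_nul_list "$pid" cmdline)"
        echo "Parent work dir:   $(proc_link "$pid" cwd)"
        echo "Parent env (script/client):"
        proc_nul_list "$pid" environ | tr '\t' '\n' \
            | grep -E '^(SCRIPT_FILENAME|DOCUMENT_ROOT|REMOTE_ADDR|HTTP_HOST)=' \
            | sed 's/^/    /'
        echo "Sendmail args:     $*"
    } >> "$logfile"
}

# log_headers LOGFILE MSGFILE: record From/To/Subject of the message that was
# piped to us, so the record can be matched against the MTA's own log
log_headers() {
    logfile=$1; msg=$2
    {
        echo "Message headers:"
        sed -n '1,/^$/p' "$msg" | grep -iE '^(from|to|subject):' | sed 's/^/    /'
        echo
    } >> "$logfile"
}

# run_wrapper [SENDMAIL ARGS...]: log, then pass the unmodified message and
# arguments to the real sendmail and propagate its exit status
run_wrapper() {
    msg=$(mktemp) || exit 1
    cat > "$msg"                      # the message PHP's mail() wrote to our stdin
    log_caller "$LOGFILE" "$PPID" "$@"
    log_headers "$LOGFILE" "$msg"
    "$REAL_SENDMAIL" "$@" < "$msg"
    status=$?
    rm -f "$msg"
    exit "$status"
}

# Only act as the wrapper when actually installed under the sendmail name;
# when sourced or run under another name the functions above are just defined.
case "$0" in
    */sendmail|sendmail) run_wrapper "$@" ;;
esac
```

The log file has to be writable by the user php-cgi runs as, and /proc/PID/environ is only readable by that same uid (or root), which is the case here because a shell wrapper runs as its caller. The timestamp in each record is what lets you line the entry up with qmail's log for the same message.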
On Fri, 24 Feb 2006, Rainer Duffner wrote:
Hello,
I have a big problem. Some customer probably got a PHP script installed that
allows sending out mails with no trace to the original domain it belongs to
(we had this before, where pollvote.php was used to install some kind of
web-shell - but it was easily detectable which domain it was).
The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to
anything useful.
I'm currently grep'ing the whole content for some of the email-addresses
used, but I'm pessimistic - it may be that the spammer loads even that list
from remote - and it takes a lot of time to grep 400 GB.
What options do I have?
Can Snort detect this?
(The webserver uses qmail as MTA)
cheers,
Rainer