how to tell which process calls sendmail

2013-09-19 Thread Glenn McCalley
So, some idiot is using a cgi or php or something to send mail out of his 
website that he shouldn't be sending.  With a bunch of sites on the server, 
can't tell who.


System accounting can tell me that sendmail was executed 32,976 times, but 
is there a way to tell what process/file name called it each time?  Since 
it's always called by the www user, that doesn't help -- I need to 
distinguish between legit processes that call 5 or 10 in a day and the idiot 
who calls the other 31,000 times.


Thanks!
Glenn.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: how to tell which process calls sendmail

2013-09-19 Thread Eugene

Hi Glenn,

I once wrote some (quick-and-dirty) perl script that monitors network 
traffic and logs (for matching outgoing connections) the process command 
line and (if apache) the respective vhost and request.


But this would not help if they are calling the sendmail program directly to 
inject the message into the mail queue.
(Unverified guess: if you temporarily remove execute permissions on it, the 
execution error should probably be logged somewhere?).


BTW most probably that is not your user as such, but rather some abused 
comment form or forum script or something like that.


Best wishes
Eugene

-Original Message- 
From: Glenn McCalley

Sent: Thursday, September 19, 2013 10:30 PM
To: freebsd-questions@freebsd.org
Subject: how to tell which process calls sendmail

So, some idiot is using a cgi or php or something to send mail out of his
website that he shouldn't be sending.  With a bunch of sites on the server,
can't tell who.

System accounting can tell me that sendmail was executed 32,976 times, but
is there a way to tell what process /file name called it each time?  Since
it's always called by the www user that doesn't help -- I need to
distinguish between legit processes that call 5 or 10 in a day and the idiot
who calls the other 31,000 times.

Thanks!
Glenn.



Re: how to tell which process calls sendmail

2013-09-19 Thread Frank Leonhardt

On 19/09/2013 19:30, Glenn McCalley wrote:
> So, some idiot is using a cgi or php or something to send mail out of 
> his website that he shouldn't be sending.  With a bunch of sites on 
> the server, can't tell who.

I had a similar problem, but some time back and I can't remember 
*exactly* what I did. It was something like pointing mailer.conf to my 
own program which did some logging and then called the real sendmail. 
Actually, I might just have hacked mailwrapper directly. I think there 
was some way I managed to cross-reference to the httpd logs, or that 
might be what I tried to do and failed. Sorry - this may not be helping 
much.


Another approach might be to find some likely text in the outgoing 
message and do a recursive grep on /home.


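The mailer.conf wrapper Frank describes, written out as an added example that is not code from anyone in this thread: a POSIX sh script installed under an assumed name such as /usr/local/sbin/sendmail-logger, with the `sendmail` and `send-mail` lines in /etc/mail/mailer.conf pointed at it. Each invocation appends one record (timestamp, pid, working directory, the parent-process chain read from ps, any CGI variables present in the environment, and the arguments) and then execs the real binary, /usr/libexec/sendmail/sendmail, directly so mailwrapper is not re-entered. The log path, the wrapper name and the `summarise_log` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): logging wrapper for sendmail, to be
# pointed at from /etc/mail/mailer.conf, e.g.
#     sendmail   /usr/local/sbin/sendmail-logger
#     send-mail  /usr/local/sbin/sendmail-logger
# Paths and the wrapper name are assumptions for this example.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/libexec/sendmail/sendmail}"  # real binary, not /usr/sbin/sendmail
LOGFILE="${LOGFILE:-/var/log/sendmail-callers.log}"

# Walk up the process tree from pid $1 for at most $2 levels and print
# "pid:command <- pid:command ...", e.g. the "sh -c sendmail -t -i" that
# PHP's mail() spawns, followed by the httpd worker that owns it.
ancestry() {
    pid="$1"; depth="${2:-4}"; chain=""
    while [ "$depth" -gt 0 ] && [ -n "$pid" ] && [ "$pid" -gt 1 ] 2>/dev/null; do
        cmd=$(ps -o args= -p "$pid" 2>/dev/null | head -n 1)
        chain="${chain}${chain:+ <- }${pid}:${cmd:-?}"
        pid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
        depth=$((depth - 1))
    done
    printf '%s\n' "${chain:-?}"
}

# One log record for an invocation: $1 = parent pid, $2 = working directory,
# remaining arguments = the sendmail command line. CGI variables are only
# present when the web server hands them to the child (CGI/FastCGI style);
# under mod_php they are usually absent and cwd plus the ancestry chain
# carry the attribution.
caller_record() {
    ppid="$1"; cwd="$2"; shift 2
    printf '%s pid=%s cwd=%s script=%s host=%s chain=%s args=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$cwd" \
        "${SCRIPT_FILENAME:-${SCRIPT_NAME:--}}" \
        "${HTTP_HOST:-${SERVER_NAME:--}}" \
        "$(ancestry "$ppid")" "$*"
}

# Summarise a log file: invocation count per working directory, busiest
# first. This is the "5 or 10 a day versus 31,000" comparison from the
# original question, keyed on the directory the caller ran from.
summarise_log() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) c[substr($i, 5)]++ }
         END { for (d in c) printf "%7d %s\n", c[d], d }' "$1" | sort -rn
}

main() {
    # Logging must never block mail: ignore log-file errors, then hand over.
    caller_record "$PPID" "$PWD" "$@" >>"$LOGFILE" 2>/dev/null || true
    exec "$REAL_SENDMAIL" "$@"
}

# Dispatch only when installed under the wrapper name, so the functions can
# be sourced or tested without invoking sendmail.
case "${0##*/}" in
    sendmail-logger) main "$@" ;;
esac
```

After a day of traffic, `summarise_log /var/log/sendmail-callers.log` puts the directory with 31,000 entries at the top; since PHP normally changes its working directory to that of the script it is running, the cwd field usually lands inside one vhost's document root, and the chain field shows whether the caller was a PHP child of httpd or something else entirely. PHP's own `mail.log` and `mail.add_x_header` ini settings record the calling script on the PHP side and complement this wrapper where mail() is the path in use.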