Re: how to tell what ran what

2006-02-15 Thread Tim Utschig
On Wed, Feb 15, 2006 at 03:31:46PM -0500, Glenn McCalley wrote:
> If I can get a list of what programs, path and file name, called
> sendmail over (say) the last 24 hours, one of them should jump off the
> page with an unreasonable level of activity.

A dirty hack would be to replace the sendmail binary with a script (or
program) which records info about the parent process to some world-
writable file or directory (perhaps create a unique file under a dir
with perms 1773 owned by root:staff) before exec'ing the "real" sendmail
binary.

-- 
   - Tim Utschig <[EMAIL PROTECTED]>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
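A sketch of the wrapper Tim describes, added here as an example and not code from the thread. It assumes the real binary has been moved to /usr/sbin/sendmail.real and that /var/log/sendmail-callers has been created root-owned with mode 1773; both paths and the record format are assumptions, and it also adds the tally over the collected records that answers the "what jumps off the page" question.

```shell
#!/bin/sh
# Added example (not from the thread): drop-in wrapper installed at the
# sendmail path. It records who called it, then exec's the real binary.
# Assumed paths: real binary moved to /usr/sbin/sendmail.real; log directory
# created with  mkdir -m 1773 /var/log/sendmail-callers  (owned root:staff).
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"
LOGDIR="${LOGDIR:-/var/log/sendmail-callers}"

# One record per call: time, uid, parent pid, the parent's command line and
# the working directory (a CGI normally runs from its own cgi-bin directory,
# which is what identifies the customer when everything is user "nobody").
caller_record() {
    ppid="$1"
    # ps -o args= prints only the command line of the given pid (FreeBSD and Linux)
    pcmd=$(ps -o args= -p "$ppid" 2>/dev/null || echo unknown)
    printf '%s uid=%s ppid=%s cwd=%s parent=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -u)" "$ppid" "$PWD" "$pcmd"
}

# Each call gets its own file, so concurrent callers never clobber each other;
# with mode 1773 unprivileged callers can create files but not list or remove
# other callers' records.
log_caller() {
    f=$(mktemp "$LOGDIR/call.XXXXXX") || return 1
    caller_record "$PPID" > "$f"
}

# Afterwards: number of calls per distinct parent command line, busiest first.
summarize_callers() {
    sed -n 's/.*parent=//p' "$LOGDIR"/call.* | sort | uniq -c | sort -rn
}

# Only act as the wrapper when invoked under the sendmail name, and never let
# a logging failure stop mail from flowing.
case "${0##*/}" in
    sendmail)
        log_caller 2>/dev/null || :
        exec "$REAL_SENDMAIL" "$@"
        ;;
esac
```

Run summarize_callers after a day to see the tally; the cwd field is usually enough to tie a parent such as "perl contact.pl" back to a specific customer's cgi-bin.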


Re: how to tell what ran what

2006-02-15 Thread Daniel
On 2/16/06, Greg Barniskis <[EMAIL PROTECTED]> wrote:
> Glenn McCalley wrote:
>
> > Thanks Brian, that's already tonight's project to run through those logs and
> > see if anything jumps out there.  What I think he might be doing is either
> > POSTing the parameters (which won't show up) or he's loaded a file of email
> > addresses and just triggers the mailer with a simple cgi request.  Either
> > way he's got to be calling sendmail or mail to get it out the door I
> > believe.
>
> Actually, they can use a number of other ways to create the outbound
> SMTP connections. Perl, for instance, offers the Net::SMTP module
> (and numerous others that'd do the trick). They don't need to call
> on binaries outside of their own cgi-bin or leave any tracks for you
> other than a web access log entry.
>
> You might consider putting your customers in jails with unique IP
> numbers as a way to better strain out whose CGI is the source of
> what packets on your network. Probably not a trivial change to your
> working environment, but maybe worth it in the long run.
>
You might want to consider setting up named virtualhosts with suexec
so each host runs as its own user.


Re: how to tell what ran what

2006-02-15 Thread Greg Barniskis

Glenn McCalley wrote:
> Thanks Brian, that's already tonight's project to run through those logs and
> see if anything jumps out there.  What I think he might be doing is either
> POSTing the parameters (which won't show up) or he's loaded a file of email
> addresses and just triggers the mailer with a simple cgi request.  Either
> way he's got to be calling sendmail or mail to get it out the door I
> believe.


Actually, they can use a number of other ways to create the outbound 
SMTP connections. Perl, for instance, offers the Net::SMTP module 
(and numerous others that'd do the trick). They don't need to call 
on binaries outside of their own cgi-bin or leave any tracks for you 
other than a web access log entry.


You might consider putting your customers in jails with unique IP 
numbers as a way to better strain out whose CGI is the source of 
what packets on your network. Probably not a trivial change to your 
working environment, but maybe worth it in the long run.


--
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
(608) 266-6348


Re: how to tell what ran what

2006-02-15 Thread Aaron Peterson
On 2/15/06, Glenn McCalley <[EMAIL PROTECTED]> wrote:
>
> - Original Message -
> From: "Björn König" <[EMAIL PROTECTED]>
> To: "Glenn McCalley" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Wednesday, February 15, 2006 11:13 AM
> Subject: Re: how to tell what ran what
>
>
> > Glenn McCalley schrieb:
> >
> > > Is there a way to find out -which- -process- calls another process?
> >
> > Each process is associated with a parent; look at the ppid column:
> >
> >ps axo user,pid,ppid,command
> >
> > Björn
> >
> >
> Thanks, I stated the question poorly.  My fault.
> Is historical info available and is it available by file name?
>
> I'm trying to find out (for example) what (unknown) program ran another
> (known) program between 0900 and 1000 yesterday - something like that.
>
> I've got a customer sending our emails that he shouldn't - I don't know
> which customer it is.  The program that sends the mail is running as a cgi
> so it all shows up as user "nobody".
>
> If I can get a list of what programs, path and file name, called sendmail
> over (say) the last 24 hours, one of them should jump off the page with an
> unreasonable level of activity.
>
> Thanks!
> Glenn.

Perhaps I'm missing something, but if a script is being called via CGI
it would need to be called by a process running as user "nobody" in
your case (like a web server).  In which case, you probably will never
know who called it, but you might get their IP address from the web
server access logs as has already been mentioned...  If you have a
server with multiple accounts for say, shared web hosting, you should
definitely grep through their scripts for something like "mail" to
look for the person who installed scripts with mailing functions... 
anyhow, wish you luck :-)

Aaron


Re: how to tell what ran what

2006-02-15 Thread Nathan Vidican

Glenn McCalley wrote:
> > > > Glenn McCalley schrieb:
> > > >
> > > > > Is there a way to find out -which- -process- calls another process?
> > > >
> > > > Each process is associated with a parent; look at the ppid column:
> > > >
> > > >   ps axo user,pid,ppid,command
> > > >
> > > > Björn
> > >
> > > Thanks, I stated the question poorly.  My fault.
> > > Is historical info available and is it available by file name?
> > >
> > > I'm trying to find out (for example) what (unknown) program ran another
> > > (known) program between 0900 and 1000 yesterday - something like that.
> > >
> > > I've got a customer sending our emails that he shouldn't - I don't know
> > > which customer it is.  The program that sends the mail is running as a cgi
> > > so it all shows up as user "nobody".
> > >
> > > If I can get a list of what programs, path and file name, called sendmail
> > > over (say) the last 24 hours, one of them should jump off the page with an
> > > unreasonable level of activity.
> >
> > The web server logs don't tell you anything in the URL data?  A CGI script
> > usually has some parameters which might provide some assistance.
> >
> > brian
> >
> > --
> > Brian Sobolak
> > http://www.planetshwoop.com/
>
> Thanks Brian, that's already tonight's project to run through those logs and
> see if anything jumps out there.  What I think he might be doing is either
> POSTing the parameters (which won't show up) or he's loaded a file of email
> addresses and just triggers the mailer with a simple cgi request.  Either
> way he's got to be calling sendmail or mail to get it out the door I
> believe.
> Thanks!
> Glenn.


Another option would be to search CGI directories and grep files for 
'sendmail'.. if the CGI script calls sendmail externally and it's written in any 
non-compiled binary (usually are) - you should be able to grep 'sendmail' * in 
each cgi-enabled dir and find the culprit.


I've had this happen quite often with my hosting customers, where they put up a 
simple Perl script that pipes its output to sendmail, and abusers (not 
customers), and someone embeds an email in the 'comments' field or similar by 
adding header fields. There are of course numerous ways to get around this.


I find human-readable images are amongst the best ways and are very easily 
implemented (took me a whole 20mins to write the code to do it generically 
across all systems for all hosting customers). (ie: 
http://www.wmptl.com/cgi-bin/contact.pl) - other ways include stripping colons 
from all fields returned via forms, etc.


Just bear in mind, it may be a customer's script causing spam/etc... but may not 
be their intention nor fault either. You'll always do better to approach them 
with a solution than a complaint.




--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/


Re: how to tell what ran what

2006-02-15 Thread Glenn McCalley
> >
> >
> >> Glenn McCalley schrieb:
> >>
> >> > Is there a way to find out -which- -process- calls another process?
> >>
> >> Each process is associated with a parent; look at the ppid column:
> >>
> >>ps axo user,pid,ppid,command
> >>
> >> Björn
> >>
> >>
> > Thanks, I stated the question poorly.  My fault.
> > Is historical info available and is it available by file name?
> >
> > I'm trying to find out (for example) what (unknown) program ran another
> > (known) program between 0900 and 1000 yesterday - something like that.
> >
> > I've got a customer sending our emails that he shouldn't - I don't know
> > which customer it is.  The program that sends the mail is running as a cgi
> > so it all shows up as user "nobody".
> >
> > If I can get a list of what programs, path and file name, called sendmail
> > over (say) the last 24 hours, one of them should jump off the page with an
> > unreasonable level of activity.
> >
>
> The web server logs don't tell you anything in the URL data?  A CGI script
> usually has some parameters which might provide some assistance.
>
> brian
>
>
> --
> Brian Sobolak
> http://www.planetshwoop.com/
>
>
Thanks Brian, that's already tonight's project to run through those logs and
see if anything jumps out there.  What I think he might be doing is either
POSTing the parameters (which won't show up) or he's loaded a file of email
addresses and just triggers the mailer with a simple cgi request.  Either
way he's got to be calling sendmail or mail to get it out the door I
believe.
Thanks!
Glenn.




Re: how to tell what ran what

2006-02-15 Thread Brian Sobolak

Glenn McCalley wrote:
>
> - Original Message -
> From: "Björn König" <[EMAIL PROTECTED]>
> To: "Glenn McCalley" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Wednesday, February 15, 2006 11:13 AM
> Subject: Re: how to tell what ran what
>
>
>> Glenn McCalley schrieb:
>>
>> > Is there a way to find out -which- -process- calls another process?
>>
>> Each process is associated with a parent; look at the ppid column:
>>
>>ps axo user,pid,ppid,command
>>
>> Björn
>>
>>
> Thanks, I stated the question poorly.  My fault.
> Is historical info available and is it available by file name?
>
> I'm trying to find out (for example) what (unknown) program ran another
> (known) program between 0900 and 1000 yesterday - something like that.
>
> I've got a customer sending our emails that he shouldn't - I don't know
> which customer it is.  The program that sends the mail is running as a cgi
> so it all shows up as user "nobody".
>
> If I can get a list of what programs, path and file name, called sendmail
> over (say) the last 24 hours, one of them should jump off the page with an
> unreasonable level of activity.
>

The web server logs don't tell you anything in the URL data?  A CGI script
usually has some parameters which might provide some assistance.

brian


--
Brian Sobolak
http://www.planetshwoop.com/



Re: how to tell what ran what

2006-02-15 Thread Glenn McCalley

- Original Message - 
From: "Björn König" <[EMAIL PROTECTED]>
To: "Glenn McCalley" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, February 15, 2006 11:13 AM
Subject: Re: how to tell what ran what


> Glenn McCalley schrieb:
>
> > Is there a way to find out -which- -process- calls another process?
>
> Each process is associated with a parent; look at the ppid column:
>
>ps axo user,pid,ppid,command
>
> Björn
>
>
Thanks, I stated the question poorly.  My fault.
Is historical info available and is it available by file name?

I'm trying to find out (for example) what (unknown) program ran another
(known) program between 0900 and 1000 yesterday - something like that.

I've got a customer sending our emails that he shouldn't - I don't know
which customer it is.  The program that sends the mail is running as a cgi
so it all shows up as user "nobody".

If I can get a list of what programs, path and file name, called sendmail
over (say) the last 24 hours, one of them should jump off the page with an
unreasonable level of activity.

Thanks!
Glenn.




Re: how to tell what ran what

2006-02-15 Thread Björn König

Glenn McCalley schrieb:
> Is there a way to find out -which- -process- calls another process?

Each process is associated with a parent; look at the ppid column:

  ps axo user,pid,ppid,command

Björn