Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to determine which PHP-script allows spamming?

from [Alex] Network Security [Permanent Link]
Subject: Re: How to determine which PHP-script allows spamming?
Date: Fri, 24 Feb 2006 23:14:45 -0600 (CST) 
I'm a bit new to this game, but I think this might be useful:

Are you sure that the spam is being sent through your mailserver? (Couldn't the spam script just directly connect to the recipent's mail server?)


And if you think the spam is going through your server:

PHP's documentation on "mail()" states that it executes the sendmail cmd from the shell to send mail. If you are executing php scripts as a CGI [on linux], then you could write a tiny wrapper to replace the sendmail executable with a script that does a little logging before calling the real one. Use something like the "getppid" function to get the parent process ID {parent == the php-cgi executable} and then you can log the contents of various things in "/proc/{$PID}/" to a file:

Here is a short example that writes a few juicy tidbits to a file in /tmp:

#!/usr/bin/php
<?php
$fd = fopen("/tmp/mail.txt","a");
$parent_pid = posix_getppid();
$parent_exe = readlink( "/proc/${parent_pid}/exe"         );
$parent_cmd = 
join("\t",explode(chr(0),file_get_contents("/proc/${parent_pid}/cmdline")));
$parent_dir = readlink( "/proc/${parent_pid}/cwd"         );

fwrite($fd, "Parent executable file is  [${parent_exe}]\n");
fwrite($fd, "Parent cmdline         was [${parent_cmd}]\n");
fwrite($fd, "Parent work dir        was [${parent_dir}]\n\n");
fclose($fd);
?>

Something like this with a bit of extra logging for the current command-line arguments (e.g. the ones intended for sendmail), might help you find which script is sending which emails)

-Alex




On Fri, 24 Feb 2006, Rainer Duffner wrote:

Hello,

I have a big problem. Some customer probably got installed a PHP-script that allows to send-out mails with no trace to the original domain it belongs to (we had this before, were pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful.
I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.


What options do I have?
Can Snort detect this?

(The webserver uses qmail as MTA)



cheers,
Rainer





[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RE: Bizarre traffic, Dick St.Peters
Next by Date:  Re: How to determine which PHP-script allows spamming?, Andre Yelistratov
Previous by Thread:  How to determine which PHP-script allows spamming?, Rainer Duffner
Next by Thread:  Re: How to determine which PHP-script allows spamming?, Andre Yelistratov
Indexes:  [Date] [Thread] [Top] [All Lists]