Stop abuse of the PHP mail() function

Spammers. One method they use is to buy hosting, at low prices or even for free, and use the host's platform to send spam. If they send it the standard way, using a mail client, I would catch them quickly, because on those systems relaying without authorization is not allowed, and by analyzing the mail server's log I would spot them very easily.

Another option is CGI scripts. They are also very easy to find, because we run CGI under suexec. The hardest part for me was finding them when they sent emails from PHP scripts, using the mail() function. PHP scripts were run by the apache / nobody user. I could not afford to run PHP scripts with suexec, for several reasons: inconvenience to users and decreased system performance.

The wrapper is as follows:

_____________ CODE BEGIN ________________
#!/usr/bin/perl
# grisha /grisha at
# catam /cgm at
use POSIX;
if ($> != 0) {
    # Not root: record who called sendmail, and from where, before handing over.
    my $cwd  = getcwd;
    my $date = `date`;
    chomp $date;
    my $rest = " $ENV{'SCRIPT_FILENAME'}";
    if (open(INFO, ">>/var/log/phpmail.log")) {
        print INFO "$date $>:$cwd$rest\n";
        close INFO;
    }
}
# Hand the message to the real sendmail with the original arguments.
exec {"/usr/sbin/sendmail"} ('/usr/bin/sendmail', @ARGV);
______________ CODE END ______________

We edit the php.ini file (it can be in many locations; I list a few:


We find the line sendmail_path = /usr/sbin/sendmail -t -i and change it to sendmail_path = /usr/bin/sendmail -t -i

We save the above wrapper as /usr/bin/sendmail and give this file execute permission:

[root@cp8 tmp]# chmod +x /usr/bin/sendmail

We create an empty /var/log/phpmail.log file:

[root@cp8 tmp]# touch /var/log/phpmail.log

and we assign the corresponding permissions:

[root@cp8 tmp]# chown nobody.nobody /var/log/phpmail.log

(the user that runs PHP scripts: nobody, apache, www-data, etc.)

[root@cp8 tmp]# chmod 600 /var/log/phpmail.log

With the settings so far, anyone can, without much effort, delete or modify this log with a script running as the nobody user (don't forget to disable the exec, system and passthru functions in php.ini, for example: disable_functions = exec, system, passthru).

To increase security, we add the +a attribute to the log file.

[root@cp8 tmp]# chattr +a /var/log/phpmail.log

No one, not even root, will be able to delete or edit this file as long as it has the +a attribute (append only: the file can only be opened to add data, not to delete or modify it).

Another problem: the file can reach impressive sizes. In this case, we modify logrotate.conf accordingly, so that before rotating the log the append-only attribute is removed, and afterwards added again.

One problem remains. Anyone who gains the rights of the user running apache can compromise our system with a simple

dd if=/dev/zero of=/var/log/phpmail.log

The solution: a quota for the apache user on this partition. A large quota, but sufficient to prevent a compromise of the system by the malefactors.

/dev/hda3 7.7G 1019M 6.4G 14% /var
mounted with the parameters
/dev/hda3 on /var type ext3 (rw,nosuid,nodev,noexec,usrquota)

I set the quota to 500 MB:

[root@cp8 tmp]# setquota -u nobody 500000 500000 0 0 /var

Now, when someone sends an email through the mail() function in a PHP script, you will have something like this in /var/log/phpmail.log:

Mon Jun 21 04:15:13 EEST 2004 - /home/gr/ - nobody x 99 99 Nobody / /sbin/nologin
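Once the log exists, the useful step is reading it to find which script is doing the sending. The following is an added example, not code from the original post: it parses lines in the format the wrapper above prints (the output of `date`, then euid:cwd, then SCRIPT_FILENAME), counts mail() calls per script, and flags scripts that exceed a threshold inside a sliding time window. The sample lines are constructed; the window and threshold values are assumptions to tune for your traffic.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample lines (not from the original post's log) in the format the
# wrapper writes: "<output of `date`> <euid>:<cwd> <SCRIPT_FILENAME>".
SAMPLE_LOG = """\
Mon Jun 21 04:15:13 EEST 2004 99:/home/gr/public_html /home/gr/public_html/contact.php
Mon Jun 21 04:15:20 EEST 2004 99:/home/bob/public_html/tmp /home/bob/public_html/tmp/x.php
Mon Jun 21 04:15:21 EEST 2004 99:/home/bob/public_html/tmp /home/bob/public_html/tmp/x.php
Mon Jun 21 04:15:22 EEST 2004 99:/home/bob/public_html/tmp /home/bob/public_html/tmp/x.php
Mon Jun 21 04:15:24 EEST 2004 99:/home/bob/public_html/tmp /home/bob/public_html/tmp/x.php
Mon Jun 21 09:30:02 EEST 2004 99:/home/gr/public_html /home/gr/public_html/contact.php
Mon Jun 21 09:30:05 EEST 2004 99:/tmp
"""

def parse_phpmail_log(text):
    """Parse wrapper log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # six `date` tokens, then the rest
        if len(parts) < 7:
            continue
        # Drop the zone name ("EEST"): strptime's %Z does not accept it.
        when = datetime.strptime(" ".join(parts[:4] + parts[5:6]),
                                 "%a %b %d %H:%M:%S %Y")
        uid_cwd, _, script = parts[6].partition(" ")
        uid, _, cwd = uid_cwd.partition(":")
        entries.append({"when": when, "uid": uid, "cwd": cwd,
                        "script": script.strip() or None})
    return entries

def count_by_script(entries):
    """Total mail() calls per script (per cwd when SCRIPT_FILENAME was unset)."""
    return Counter(e["script"] or "cwd:" + e["cwd"] for e in entries)

def find_bursts(entries, window_seconds=60, threshold=3):
    """Scripts exceeding `threshold` calls inside any sliding time window."""
    times_by_script = defaultdict(list)
    for e in entries:
        times_by_script[e["script"] or "cwd:" + e["cwd"]].append(e["when"])
    bursts = {}
    for script, times in times_by_script.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts[script] = peak
    return bursts
```

On the sample, the single contact form with two calls hours apart is left alone, while the script in a tmp directory that called mail() four times in a few seconds is reported with its peak rate.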

Another way to send spam using PHP is to access /usr/sbin/sendmail directly, with the popen() function, or using sockets.

