Spammers. One method they use: buy hosting, cheaply or even for free, and send spam from the host's platform. If they send it the standard way, through a mail client, I catch them quickly, because relaying without authorization is not allowed on those systems, and analyzing the mail server's log makes it obvious.
Another option: CGI scripts. They are also very easy to find, because we run CGI under suexec. The hardest part for me was finding them when they sent email from PHP scripts using the mail() function. PHP scripts were run by the apache/nobody user. I could not afford to run PHP scripts under suexec, for several reasons: inconvenience to users and decreased system performance.
Here is the wrapper:
_____________ CODE BEGIN ________________
#!/usr/bin/perl
# grisha /grisha at unixro.net/
# catam /cgm at prohosters.com/
#
# Logging wrapper installed as /usr/bin/sendmail: records who called
# sendmail (effective uid, working directory, PHP script) and then
# hands the call over to the real /usr/sbin/sendmail.
# The wrapper itself must be owned by root and not writable by the
# web user, otherwise it can simply be replaced.
use strict;
use warnings;
use POSIX qw(getcwd strftime);

# Root (for example the MTA itself) is not logged; web scripts run as nobody.
if ($> != 0) {
    my $cwd  = getcwd();
    # Same format as the date(1) command, without spawning a process.
    my $date = strftime("%a %b %e %H:%M:%S %Z %Y", localtime);
    my $rest = '';
    # Apache sets SCRIPT_FILENAME to the PHP script being executed.
    if ($ENV{'SCRIPT_FILENAME'}) {
        $rest = " $ENV{'SCRIPT_FILENAME'}";
    }
    # The log is append-only (chattr +a), so it is opened for append only.
    if (open(my $info, '>>', '/var/log/phpmail.log')) {
        print $info "$date $>:$cwd$rest\n";
        close $info;
    }
}
# Run the real sendmail with the arguments PHP passed (-t -i),
# keeping /usr/bin/sendmail as argv[0].
exec { '/usr/sbin/sendmail' } ('/usr/bin/sendmail', @ARGV)
    or die "cannot exec /usr/sbin/sendmail: $!\n";
______________ CODE END ______________
We edit the php.ini file (it can be in many locations; I list a few):
/usr/local/lib/php.ini
/etc/php.ini
/etc/httpd/conf/php.ini
We find the line sendmail_path = /usr/sbin/sendmail -t -i and change it to sendmail_path = /usr/bin/sendmail -t -i
We save the above wrapper as /usr/bin/sendmail and give the file execute permission:
[root@cp8 tmp]# chmod +x /usr/bin/sendmail
Create an empty /var/log/phpmail.log file:
[root@cp8 tmp]# touch /var/log/phpmail.log
and assign the corresponding permissions:
[root@cp8 tmp]# chown nobody.nobody /var/log/phpmail.log
(nobody being the user that runs PHP scripts; on your system it may be apache, www-data, etc.)
[root@cp8 tmp]# chmod 600 /var/log/phpmail.log
With the settings so far, anyone can, without much effort, delete or modify this log with a script running as the nobody user (do not forget to disable the exec, system and passthru functions in php.ini, for example: disable_functions = exec,system,passthru).
To increase security, we add the +a attribute to the log file.
[root@cp8 tmp]# chattr +a /var/log/phpmail.log
No one, not even root, will be able to delete or edit this file as long as it has the +a attribute (append-only: the file can only be opened to add data, not to delete or modify it).
Another problem: the file can grow to an impressive size. In that case, we modify logrotate.conf accordingly, so that the append-only attribute is removed before the log is rotated and added again afterwards.
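A logrotate stanza that does exactly that, as an added example and not the article's own configuration: it assumes weekly rotation, that chattr is on logrotate's PATH, and the nobody owner and 0600 mode set above. The prerotate step is needed because the kernel refuses to rename an append-only file; for the same reason copytruncate cannot be used here, since truncation is refused as well.

```conf
# /etc/logrotate.d/phpmail (added example, not from the article)
/var/log/phpmail.log {
    weekly
    rotate 4
    compress
    missingok
    # Recreate the log with the same owner and mode the article sets.
    create 0600 nobody nobody
    # An append-only file cannot be renamed, so drop the attribute first...
    prerotate
        chattr -a /var/log/phpmail.log
    endscript
    # ...and put it back on the freshly created log once rotation is done.
    postrotate
        chattr +a /var/log/phpmail.log
    endscript
}
```

If the prerotate command fails (for example chattr is missing), logrotate skips that log instead of leaving it without the attribute.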
One problem remains. Anyone who obtains the rights of the user running apache can compromise the system by a simple
dd if=/dev/zero of=/var/log/phpmail.log
The solution: a quota for the apache user on this partition. A large quota, but enough to prevent the system from being compromised by the malefactors.
/dev/hda3 7.7G 1019M 6.4G 14% /var
mounted with the parameters
/dev/hda3 on /var type ext3 (rw,nosuid,nodev,noexec,usrquota)
I set the quota to 500 MB:
[root@cp8 tmp]# setquota -u nobody 500000 500000 0 0 /var
Now, when someone sends mail through the mail() function in a PHP script, /var/log/phpmail.log will contain lines like:
Mon Jun 21 04:15:13 EEST 2004 - /home/gr/unixro.net - nobody x 99 99 Nobody / /sbin/nologin
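Once the log exists, the useful step is to find the script responsible. The following Python script is an added example, not part of the article: it parses lines in the format the wrapper above writes ("date euid:cwd [SCRIPT_FILENAME]"), counts sends per script and flags scripts that exceed a per-minute or total threshold. The sample log lines and the thresholds are constructed for illustration; tune the thresholds to your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Line format written by the wrapper: "<date> <euid>:<cwd> [<SCRIPT_FILENAME>]".
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<uid>\d+):(?P<cwd>\S+)(?: (?P<script>\S+))?$"
)


def parse_line(line):
    """Return a dict with date (datetime), uid, cwd and script, or None if unparseable."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Drop the timezone name (5th field); strptime does not handle it portably.
    parts = rec["date"].split()
    stamp = " ".join(parts[:4] + parts[5:])       # "Mon Jun 21 04:15:13 2004"
    rec["date"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    # Calls without SCRIPT_FILENAME (CGI, cron) are keyed by working directory.
    rec["script"] = rec["script"] or rec["cwd"]
    return rec


def find_bulk_senders(lines, max_per_minute=20, max_total=200):
    """Count sends per script and return those exceeding either threshold."""
    per_script = Counter()
    per_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                 # skip malformed lines
        key = rec["script"]
        per_script[key] += 1
        per_minute[key][rec["date"].strftime("%Y-%m-%d %H:%M")] += 1
    suspects = {}
    for script, total in per_script.items():
        peak = max(per_minute[script].values())
        if total > max_total or peak > max_per_minute:
            suspects[script] = {"total": total, "peak_per_minute": peak}
    return suspects


# Constructed sample log: a contact form sending twice, and a script in an
# image directory sending 25 messages inside one minute.
SAMPLE_LOG = [
    "Mon Jun 21 04:15:13 EEST 2004 99:/home/gr/unixro.net /home/gr/unixro.net/public_html/contact.php",
    "Mon Jun 21 04:20:41 EEST 2004 99:/home/gr/unixro.net /home/gr/unixro.net/public_html/contact.php",
] + [
    "Mon Jun 21 04:31:%02d EEST 2004 99:/tmp /home/badsite/public_html/img/x.php" % s
    for s in range(0, 50, 2)
]

if __name__ == "__main__":
    for script, stats in find_bulk_senders(SAMPLE_LOG).items():
        print("%s: %d sends, peak %d/min" % (script, stats["total"], stats["peak_per_minute"]))
```

Run it against the real file with `find_bulk_senders(open("/var/log/phpmail.log"))`; the script path it reports is the file to inspect, and the working directory tells you which account it belongs to even when the script lives in an unusual place such as /tmp.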
Another way to send spam from PHP is to call /usr/sbin/sendmail directly, with the popen() function, or to use sockets; neither goes through the wrapper.