Türkce » WHM cPanel

Stop PHP nobody Spammers


Go Back   WHM/cPanel Support Platform » Türkce » WHM cPanel

LinkBack (2) Thread Tools Display Modes
  2 links from elsewhere to this Post. Click to view. #1  
Old 8. November 2007
CaLViN's Avatar
Sevgi güctür.
Join Date: Apr 2007
Location: Outta nation
Age: 35
Posts: 2,084
Rep Power: 100000
CaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond reputeCaLViN has a reputation beyond repute
Stop PHP nobody Spammers

Stop PHP nobody Spammers
- Added Logrotation details
- Added Sample Log Output

PHP and Apache has a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where.

Watching your exim_mainlog doesn't exactly help, you see th email going out but you can't track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check out your PHP.ini file you'll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP - so everything will go through /usr/sbin/sendmail =)


We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we're only tested it on a Cpanel/WHM Red Hat Enterprise system.


10 Minutes, Root access required.

Step 1)

Login to your server and su - to root.

Step 2)

Turn off exim while we do this so it doesn't freak out.
/etc/init.d/exim stop

Step 3)

Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
[I]mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden[/I]

Step 4)

Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

[I]# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n";
else {[/I]
[I] print INFO "$date - $PWD - @infon";[/I]
[I] }
my $mailprog = '/usr/sbin/sendmail.hidden';
foreach (@ARGV) {
$arg="$arg" . " $_";
[I] open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!n";
while (<STDIN> ) {
print MAIL;
close (INFO);
close (MAIL);

[/I]Step 5)

Change the new sendmail permissions
[I]chmod +x /usr/sbin/sendmail
Step 6)

Create a new log file to keep a history of all mail going out of the server using web scripts
[I]touch /var/log/spam_log[/I]

[I]chmod 0777 /var/log/spam_log[/I]

Step 7)

Start Exim up again.
[I]/etc/init.d/exim start[/I]

Step 8)

Monitor your spam_log file for spam, try using any formmail or script that uses a mail function - a message board, a contact script.
[I]tail - f /var/log/spam_log[/I]

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin

Log Rotation Details

Your spam_log file isn't set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
create 0664 root utmp
rotate 1
# SPAM LOG rotation
/var/log/spam_log {
create 0777 root root
rotate 1


You may also want to [I]chattr + i /usr/sbin/sendmail[/I] so it doesn't get overwritten.

Enjoy knowing you can see nobody is actually somebody =)

[SIZE=1][I] Thanks to S. Leggett[/I][/SIZE]
1.)Lütfen destek talebinde bulunmak icin özel mesaj ile iletisime gecmeyiniz.
2.)Ücretsiz destek almak icin forum sayfalarimizi kullanmaniz ayni sorunu yasayan diger üyelerin cevaplara en kisa sürede ulasabilmesi ve sizlere yardimci olmak isteyen bizlerin ve diger üyelerimizin zaman kazanmalari acisindan cok önemlidir.
3.)Forumlarimizda sorunlarinizi anlatirken mümkün oldugunca cok detay vermeniz en kisa sürede sorununuza cözüm bulmaniz acisindan mühimdir.

Daha cok ögrenmek ve ögretmek dilegiyle..

Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Spurl this Post!Reddit! Wong this Post!
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

LinkBacks (?)
LinkBack to this Thread: http://forum.whmdestek.com/whm-cpanel/763-stop-php-nobody-spammers.html
Posted By For Type Date
Email Issue - Spam being sent from nobody@'myserver' any help ??? - Web Hosting Talk - The largest, most influential web hosting community on the Internet This thread Refback 4. March 2008 22:09
gerhardlazu's bookmarks tagged with This thread Refback 12. February 2008 13:38