HOWTO: Log sendmail abuse

Gerd29

Hi all,

This is how I log sendmail abuse atm.
Please feel free to improve anything.

Note that using a pass-through like this isn't the most secure way to do it.
If you know a solution for this, please let me know.


1. Create this file on your server
/usr/local/lib/php/begin.inc.php

add the following:
Code:
<?php
//* Export the request details into the process environment so that the
//* sendmail wrapper (a child process of PHP) can read them with getenv()
$vars = array('PATH_INFO', 'SCRIPT_NAME', 'SCRIPT_FILENAME', 'REMOTE_ADDR', 'HTTP_HOST');
foreach ($vars as $v) {
        //* Not every request sets PATH_INFO (or HTTP_HOST); export an empty value instead of raising a notice
        putenv($v . '=' . (isset($_SERVER[$v]) ? $_SERVER[$v] : ''));
}
?>

2. Open your php.ini file and add this:
auto_prepend_file = /usr/local/lib/php/begin.inc.php
sendmail_path = /usr/local/bin/phpsendmail

3. Create the following file and add the code to it

nano /usr/local/bin/phpsendmail

Code:
#!/usr/local/bin/php
<?php
$sendmail_bin = '/usr/sbin/sendmail';
$logfile = '/var/log/mail.form';   //* the file created and made writable in step 4

//* Read the complete message from stdin, remembering the To:/From: header lines
$mail = '';
$logline = '';
$pointer = fopen('php://stdin', 'r');
while ($line = fgets($pointer)) {
        if (preg_match('/^(to|from):/i', $line)) {
                $logline .= trim($line) . ' ';
        }
        $mail .= $line;
}
fclose($pointer);

//* Compose the sendmail command, passing through the arguments PHP gave us (e.g. -t -i)
$command = $sendmail_bin;
for ($i = 1; $i < $_SERVER['argc']; $i++) {
        $command .= ' ' . escapeshellarg($_SERVER['argv'][$i]);
}

//* Log the request details that begin.inc.php exported with putenv()
//* (getenv() is used because $_ENV stays empty unless variables_order contains "E")
$entry = date('Y-m-d H:i:s');
foreach (array('PWD', 'PATH_INFO', 'SCRIPT_NAME', 'SCRIPT_FILENAME', 'REMOTE_ADDR', 'HTTP_HOST') as $name) {
        $entry .= ' ' . getenv($name);
}
file_put_contents($logfile, $entry . ' ' . $logline . "\n", FILE_APPEND);

//* Feed the message to sendmail on its stdin (no "echo" with a command-line size limit)
//* and pass sendmail's exit status back so that PHP's mail() reports failures
$proc = popen($command, 'w');
fwrite($proc, $mail);
exit(pclose($proc));
?>

4. chmod and touch the following files

chmod +x /usr/local/bin/phpsendmail
touch /var/log/mail.form
chmod 777 /var/log/mail.form

5. restart your webserver

service httpd restart

6. test it

put this script on one of your domains and call it from the browser

Code:
<?php
//* mail() returns true only when the wrapper (and thus sendmail) exited with status 0
if (mail('[email protected]', 'This is a test message subject', 'This is a test message body')) {
        echo 'Mail sent.';
} else {
        echo 'Mail failed.';
}
?>


7. You're done!

cat /var/log/mail.form

If you want all domains to act on this, also set these files

/usr/local/directadmin/data/templates/virtual_host.conf
/usr/local/directadmin/data/templates/virtual_host2.conf

if you use SSL you need to change the secure files too.

change the sendmail path to

/usr/local/bin/phpsendmail

if you're done, run
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d
 
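Once the wrapper is running, the log it writes is what you actually work from when hunting an abused script. The following Python script is an added example (not part of the post or of DirectAdmin): it parses lines in the format the phpsendmail wrapper above writes (assumed here: date, time, then PWD, PATH_INFO, SCRIPT_NAME, SCRIPT_FILENAME, REMOTE_ADDR and HTTP_HOST separated by single spaces, followed by the To:/From: headers) and flags any script path or client IP that sent more than a threshold of messages inside any one-hour window. The sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the (assumed) phpsendmail format:
# date time PWD PATH_INFO SCRIPT_NAME SCRIPT_FILENAME REMOTE_ADDR HTTP_HOST To: ... From: ...
# PATH_INFO is usually empty, which leaves two consecutive spaces on the line.
ALICE_HOME = '/home/alice/domains/example.com/public_html'
BOB_HOME = '/home/bob/domains/shop.example/public_html'
SAMPLE_LOG = '\n'.join(
    ['2006-04-11 10:00:01 %s  /contact.php %s/contact.php 198.51.100.7 example.com '
     'To: sales@example.com From: Visitor <visitor@example.net> ' % (ALICE_HOME, ALICE_HOME)]
    + ['2006-04-11 10:%02d:30 %s  /img/x.php %s/img/x.php 203.0.113.9 shop.example '
       'To: victim%d@example.net From: noreply@shop.example ' % (m, BOB_HOME, BOB_HOME, m)
       for m in range(1, 7)]) + '\n'

# Every field is followed by exactly one space, so empty fields still parse unambiguously
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<pwd>[^ ]*) (?P<path_info>[^ ]*) (?P<script_name>[^ ]*) '
    r'(?P<script_filename>[^ ]*) (?P<remote_addr>[^ ]*) (?P<http_host>[^ ]*) ?(?P<headers>.*)$')

def header_addr(headers, name):
    """Pull the value of a To:/From: header out of the trailing header text."""
    m = re.search(r'(?i)\b' + name + r':\s*(.*?)(?=\s+(?:to|from):|$)', headers)
    return m.group(1).strip() if m else ''

def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['to'] = header_addr(rec['headers'], 'to')
    rec['from'] = header_addr(rec['headers'], 'from')
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def flag_bursts(records, threshold, window_seconds=3600, key='script_filename'):
    """Return {key: peak count} for keys sending more than threshold messages in any window."""
    times = defaultdict(list)
    for r in records:
        times[r[key]].append(datetime.strptime(r['date'] + ' ' + r['time'], '%Y-%m-%d %H:%M:%S'))
    flagged = {}
    for k, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[k] = peak
    return flagged
```

Run it against the real file with `flag_bursts(parse_log(open('/var/log/mail.form').read()), 50)`; switching `key` to `'remote_addr'` groups by the calling IP instead of the script.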
Script location, IP number of the user calling it, from and to email.
 
I don't like the idea of having to enable any form of PHP exec. Why can't it just be a shell script instead of a PHP script?

I think a perl or bash script should work just fine.

As for breaking the ticket system, that's very interesting. I bet the ticket system calls the sendmail binary directly instead of via PHP. I am wondering what is different with the perl script vs the direct call. Maybe there is some flag it is passing that the perl script doesn't like. I would have to mess around with it to check that out personally.
 
I don't think the use of exec is a problem in this setup.

1. A hacker or abuser will never ever know that it is passed through by PHP
2. and even if a hacker knows it, you will detect it very fast.

But if there is a shell version, I would recommend it too, but not for security reasons, just for speed.
 