How-To: Find PHP Nobody Spammers

Script/Code Credit - MattF @ WebHostingTalk.com
http://www.webhostingtalk.com/member.php?s=&action=getinfo&userid=979


A big problem today is the abundance of Spammers listing as "Nobody". The script below which was a previously written script modified by MattF(http://www.webhostingtalk.com/membe...info&userid=979). This tutorial will outline how to properly set it up on Cpanel based systems.

root@yourserver [~]# mv /usr/sbin/sendmail /usr/sbin/sendmail.real
// backup your existing sendmail in the event of an error.

root@yourserver [~]# pico /usr/sbin/sendmail
// Open this badboy up, now paste the code below into it.
Code:

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n";
}
else {

print INFO "$date - $PWD - @infon";

}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!n";
while ( ) {
print MAIL;
}
close (INFO);
close (MAIL);


Now save the work above...

root@yourserver [~]# chmod +x /usr/sbin/sendmail
// make sendmail executable

root@yourserver [~]# echo > /var/log/formmail.log

root@yourserver [~]# chmod 755 /var/log/formmail.log (If no work change to chmod 777)

root@yourserver [~]# pico /var/log/formmail.log
// above is where all the data is stored, it may take up to a couple hours for it to begin filling with data. However if you notice an extreme amount of instances of a user sending mail, it may be spam. In the past without this script it would list them as "Nobody". With the script in place it lists the user and where the mail is being setn from.

--------------------------------------------------------------------------

As always it's a good idea to routinely check who and how many perl processes are running as this is also another large gateway for outgoing spam.

root@yourserver [~]# ps aux | grep perl
// if you see a user with one to many perl processes running, and nothing much going on at his site, in most cases that i've seen this is the source of spam.
  • 2 Users Found This Useful
Was this answer helpful?

Related Articles

Cpanel WHM - Frequently Asked Questions

From: http://www.cpanel.net/docs/whm/FAQ.htm FAQ Q: I'm having server problems but...

Many services are down in Cpanel

First login as 'root' to your server via SSH. Once you have logged in run the following...

Securing WHM/Cpanel

Basic Steps to Securing CPanel (Linux based OS): These are items inside of WHM/Cpanel that...

Invalid Cpanel License

If you get Invalid License File when you login to cpanel after a hostname change you need to...

Rebuild Apache

First login as 'root' via ssh to your server. Then run the following commands. cd...

Powered by WHMCompleteSolution