SPAM email PHP Plesk

The Originail post is from http://www.uk-cheapest.co.uk/blog/2012/01/how-to-find-an-anonymous-spammer-on-a-plesk-server/
 
1) Let’s take a look in the mail queue and read one of those spam email references:
# /var/qmail/bin/qmail-qread

remote ankush_krishna2137@yahoo.com
6 Jan 2012 09:14:53 GMT #34012584 2987 <anonymous@server.microlite8.com>
2) Now we have a message ID, let’s search for the actual message:
# find /var/qmail/queue/ -name 34012584

/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584
3) Great! Now let’s see what’s in the message to get out that all telling UID:
# cat /var/qmail/queue/mess/0/34012584

Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mrs.Farida Waziri <faridawaziri@hotmail.com>
4) Let’s map the UID to a domain name on the Plesk server:
# cat /etc/passwd | grep 10820

admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false
5) Spammer caught :D
 
 
The originail post is from http://kb.parallels.com/en/1711

Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?


Article ID: 1711
Created On: Feb 20, 2007
Last Review: Apr 7, 2013
Views:



APPLIES TO:
  • Parallels Plesk Panel

Resolution

Note: This article is for Qmail, if you are using Postfix mail server see this article instead:

114845 Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?
Warning: using this method may increase server load due to additional steps of processing for each message submitted to local mail server. If you experience problems with high server load after applying instructions on step #2, revert them using instructions in step #3.

There is a way to determine from what folder the PHP script that sends mail was run. Note: Depending on your OS and Plesk version, the paths can slightly differ from those listed below.

1) Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

Note, it should be two lines including '#!/bin/sh'.
2) Create a log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename old sendmail; and link it to the new wrapper:
~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail
3) Wait for an hour and change back sendmail:

~# rm -f /var/qmail/bin/sendmail
~# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:" pointing to domain folders where the scripts which sent the mail are located.
You can see all the folders from where mail PHP scripts were run with the following command:

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.



Script to clean up the SPAM (copy and paste in the command line):

for i in `/var/qmail/bin/qmail-qread |awk -F"#" '{print $2}' |awk '{print $1}' |sort |grep [0-9]`; do  find /var/qmail/queue/ -name $i >> /tmp/SPAM01; done

for j in `cat /tmp/SPAM01`; do rm -rf $j; done

Comments

Post a Comment

Popular posts from this blog

VIOS TIPs

HMC image locates: /extra/viosimages/2.2.3.4 To install VIO server from HMC: installios To erase the previous setting: installios -u hscroot@P7504HMC:~> cat /etc/nimol.conf # nimol.conf file NIMOL_SERVER 9.22.217.30 ORIGINAL_FILES_DIR /var/tmp/nimol_original RPCBIND_STARTED yes NFS_STARTED yes REMOTE_ACCESS_METHOD /usr/bin/rsh NIMOL_TFTPBOOT /tftpboot TFTP_ENABLED yes REMOTE_SYSLOG_ENABLED yes HMC_SYSLOG_CONF_MODIFIED yes NIMOL_SYSLOG_FACILITY local2 NIMOL_SUBNET 9.22.217.0 NIMOL_BOOTREPLYD yes LABEL default1 /extra/default1 processing hscroot@P7504HMC:~>  installios -F -e -R default1 Logging session output to /tmp/installios.24173.log. nimol_config WARNING: error from command /bin/awk nimol_config MESSAGE: Executed /usr/sbin/exportfs -ua. nimol_config MESSAGE: Executed /usr/sbin/exportfs -a. nimol_config MESSAGE: Removed /tftpboot/default1.chrp.mp.ent. nimol_config MESSAGE: Removed /extra/default1. nimol_config MESSAGE: Removed "LABEL def...
Read more

Configure Solaris 10 LDOM on Solaris 11.4

root@comglv1:~# ldm add-memory 16G htcsun1 root@comglv1: # zfs destroy zones cannot destroy 'zones': operation does not apply to pools use 'zfs destroy -r zones' to destroy all datasets in the pool use 'zpool destroy zones' to destroy the pool itself root@comglv1: # zfs destroy -r zones root@comglv1: # zpool create LDOM mirror c0t5000CCA03C0E89D8d0s0 c0t5000CCA03C2F3BB4d0s0 root@comglv1: # zfs create LDOM/htcsun1 root@comglv1: # zfs create -V 150g LDOM/htcsun1/disk0 root@comglv1: # ldm rm-vdisk vdisk0 htcsun1 root@comglv1: # ldm rm-vdsdev htcsun1-vd0@primary-vds0 root@comglv1: # ldm rm-vdsdev  vol0@primary-vds0 root@comglv1: # ldm rm-vdsdev iso@primary-vds0 root@comglv1: # add-vdsdev options=ro sol-10-u11-ga-sparc-dvd.iso htcsun1-iso@primary-vds0 root@comglv1: # ldm add-vdsdev /dev/zvol/dsk/LDOM/htcsun1/disk0 htcsun1-vd0@primary-vds0 root@comglv1: # ldm add-vdisk vdisk0 htcsun1-vd0@primary-vds0 htcsun1...
Read more

HA in Linux is pretty easy

NOTICE: -- Very important: Please do NOT FAT FINGER. Check your IP address/hostname correct first before configuring PCS. If any service(s) do(es) not startup correctly, please check the service log under /var/log/cluster or /var/log/pcsd. systemctl -xe does not help at all 1> Install PCS  yum isntall pcs -y 2>  Configure PCS. Please run the following commands on ALL nodes: systemctl start pcsd systemctl enable pcsd passwd hacluster 3> Configure PCS, Run he following commands on ONE node: pcs cluster auth <NODE-1> <NODE-2> <...> pcs cluster setup --name <CLUSTER_NAME> <NODE-1> <NODE-2> <...> pcs cluster start --all pcs cluster enable --all pcs resource create virtual_ip ocf:heartbeat:IPaddr2 ip=<IP_ADDR> cidr_netmask=32 op monitor interval=30s pcs resource create <APPLICATION_MON> ocf:heartbeat:nginx configfile=/etc/nginx/nginx.conf op monitor timeout="5s" interval="5s"  ...
Read more