Catch PHP nobody Spammers

PHP and Apache has a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where. Watching your exim_mainlog doesn’t exactly help, you see th email going out but you can’t track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check out your PHP.ini file you’ll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP – so everything will go through /usr/sbin/sendmail =)

Requirements:
We assume you’re using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we’re only tested it on a Cpanel/WHM Red Hat Enterprise system.



Step 1)
Login to your server and su – to root.


Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop

Article provided by WebHostGear.com


Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, “>>/var/log/spam_log”) || die “Failed to open file ::$!”;
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO “$date – $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n”;
}
else {

print INFO “$date – $PWD –  @infon”;

}
my $mailprog = ‘/usr/sbin/sendmail.hidden’;
foreach  (@ARGV) {
$arg=”$arg” . ” $_”;
}

open (MAIL,”|$mailprog $arg”) || die “cannot open $mailprog: $!n”;
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);

Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8)
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function – a message board, a contact script.
tail – f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 – /home/username/public_html/directory/subdirectory –  nobody x 99 99   Nobody / /sbin/nologin

Log Rotation Details
Your spam_log file isn’t set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Notes:
You may also want to chattr + i /usr/sbin/sendmail so it doesn’t get overwritten.

Windows integration notes

Make program default editor for a file type

Shift-right-click on a file of a type; this forces the ‘open with’. Click ‘Choose program’, find it, and select the checkbox that tells windows to always open files of this type.

Change IE ‘view source’ program

Folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\View Source Editor\Editor Name

has a default key that is the path to a program, e.g.

C:\Program Files\Notepad2\Notepad2.exe

Add to context menu for all files

Run regedit. Create the key:

HKEY_CLASSES_ROOT\*\shell\

…if it doesn’t exist. Choose a name that doesn’t exist under it, e.g. Notepad2, and create that as key, and a key under it called ‘command’:

HKEY_CLASSES_ROOT\*\shell\Notepad2
HKEY_CLASSES_ROOT\*\shell\Notepad2\command

Make the default value under the first what you want to appear in the menu and the second what you want it to run, e.g.

“Edit with Notepad2”
and
“C:\Program Files\Notepad2\Notepad2.exe” “%1”

…respectively.

PHP Upgrade issues : Plesk / Redhat 4


PHP Upgrade issues : Plesk / Redhat 4

I was trying to upgrade the PHP version to php5 on a Redhat 4 server with Plesk 8.4 but had many issues, as the redhat mirrors do not have PHP5. PHP5 is available with Redhat 5. I used atomicrocketturtle repository for the installation, here is a guide for the upgrades http://www.atomicorp.com/wiki/index.php/PHP

I then tried the wiki but got errors for up2date

#  up2date php –dry-run
Unresolvable chain of dependencies:
php-domxml-4.3.9-3.22.12 requires php = 4.3.9-3.22.12
php-pear-4.3.9-3.22.12 requires php = 4.3.9-3.22.12
php-sqlite2-1.0.2-200608291859 requires php <= 4.4.0

Later I used yum which too gave me errors for php-pdo and php-xml :

# yum update php
Error: Missing Dependency: php-common = 5.2.5-3.el4.art is needed by package php-pdo

I fixed that error by installing php-pdo

# yum install php-pdo
# yum update php
Error: Missing Dependency: php-common = 5.2.5-3.el4.art is needed by package php-xml
# yum install php-xml

You need to modify the php.ini for the module path, the upgrade will not modify the path to php5

Edit the php.ini to one as below :

; Directory in which the loadable extensions (modules) reside.
;extension_dir = /usr/lib/php4
extension_dir = /usr/lib/php/modules

Now I had previously ioncube installed on the php4 which throwed errors 🙁

# php -v
Failed loading /usr/lib/php4/php_ioncube_loader_lin_4.3.so:
/usr/lib/php4/php_ioncube_loader_lin_4.3.so: undefined symbol: zend_hash_add_or_update

PHP 5.2.6 (cli) (built: May  2 2008 11:18:31)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

I installed ioncube loader for php5 using :

# yum install php-ioncube-loader

Still the error was same, I debugged a  lot and found that there was ioncube_loader config file under php.d

# ls /etc/php.d | grep ioncube
ioncube.ini
ioncube-loader.ini

I removed the file ioncube-loader.ini which was for php4 and fixed the upgrade problems.

#  php -v
PHP 5.2.6 (cli) (built: May  2 2008 11:18:31)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with the ionCube PHP Loader v3.1.32, Copyright (c) 2002-2007, by ionCube Ltd., and
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies


Hope this helps anyone in mess 🙂

DNS Cache Poisoning Test


Q. How do I verify that my ISP or my own recursive resolvers are free from DNS cache poisoning bug that is promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference? How do I test my dns server for DNS cache pollution or DNS Cache Poisoning bug?

A. DNS cache poisoning (also known as DNS cache pollution) is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources. It occur if DNS “spoofing attack” has been encountered. An attacker will send malicious data / non-secure data in response to a DNS query. For example dns query for www.linuxbabu.net can be redirected to www.redhat.com.

how do I find out if my DNS server is open to such attack or not?

Visit Dan Kaminsky java script page to check your DNS

You can also use following command dig command, enter:
$ dig +short @{name-server-ip} porttest.dns-oarc.net txt
$ dig +short @ns1.example.com porttest.dns-oarc.net txt
$ dig +short @208.67.222.222 porttest.dns-oarc.net txt
Sample output:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.222.222 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 17746.18"

Another test,
$ dig +short @125.22.47.125 porttest.dns-oarc.net txtOutput:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"125.22.47.139 is POOR: 42 queries in 8.4 seconds from 1 ports with std dev 0.00"


FIX :

Run yum update
yum updateOpen named.conf file and comment out following two lines:
query-source port 53;
query-source-v6 port 53;
Make sure recursion is limited to your LAN only. Set ACL. Restart bind to take effect:
rndc reload 

service named restart


hwclock – query and set the hardware clock

set the system time from the hardware clock

============================================

root@s1 [~]# /sbin/hwclock –hctosys
root@s1 [~]#

set the hardware clock to the current system time

============================================

root@s1 [~]# /sbin/hwclock –systohc
root@s1 [~]#

root@s1 [~]# /sbin/hwclock –help
hwclock – query and set the hardware clock (RTC)

Usage: hwclock [function] [options…]

Functions:
–help        show this help
–show        read hardware clock and print result
–set         set the rtc to the time given with –date
–hctosys     set the system time from the hardware clock
–systohc     set the hardware clock to the current system time
–adjust      adjust the rtc to account for systematic drift since
the clock was last set or adjusted
–getepoch    print out the kernel’s hardware clock epoch value
–setepoch    set the kernel’s hardware clock epoch value to the
value given with –epoch
–version     print out the version of hwclock to stdout

Options:
–utc         the hardware clock is kept in coordinated universal time
–localtime   the hardware clock is kept in local time
–directisa   access the ISA bus directly instead of /dev/rtc
–badyear     ignore rtc’s year because the bios is broken
–date        specifies the time to which to set the hardware clock
–epoch=year  specifies the year which is the beginning of the
hardware clock’s epoch value
–noadjfile   do not access /etc/adjtime. Requires the use of
either –utc or –localtime