How-To: Find PHP Nobody Spammers. (Cpanel)

Script/Code Credit - MattF @ WebHostingTalk.com
http://www.webhostingtalk.com/member.php?s=&action=getinfo&userid=979


A big problem today is the abundance of Spammers listing as "Nobody". The script below which was a previously written script modified by MattF(http://www.webhostingtalk.com/membe...info&userid=979). This tutorial will outline how to properly set it up on Cpanel based systems.

root@yourserver [~]# mv /usr/sbin/sendmail /usr/sbin/sendmail.real
// backup your existing sendmail in the event of an error.

root@yourserver [~]# pico /usr/sbin/sendmail
// Open this badboy up, now paste the code below into it.
Code:

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n";
}
else {

print INFO "$date - $PWD - @infon";

}
my $mailprog = '/usr/sbin/sendmail.real';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!n";
while ( ) {
print MAIL;
}
close (INFO);
close (MAIL);


Now save the work above...

root@yourserver [~]# chmod +x /usr/sbin/sendmail
// make sendmail executable

root@yourserver [~]# echo > /var/log/formmail.log

root@yourserver [~]# chmod 755 /var/log/formmail.log (If no work change to chmod 777)

root@yourserver [~]# pico /var/log/formmail.log
// above is where all the data is stored, it may take up to a couple hours for it to begin filling with data. However if you notice an extreme amount of instances of a user sending mail, it may be spam. In the past without this script it would list them as "Nobody". With the script in place it lists the user and where the mail is being setn from.

--------------------------------------------------------------------------

As always it's a good idea to routinely check who and how many perl processes are running as this is also another large gateway for outgoing spam.

root@yourserver [~]# ps aux | grep perl
// if you see a user with one to many perl processes running, and nothing much going on at his site, in most cases that i've seen this is the source of spam.

  • Email, SSL
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Securing CPanel

Problem: Running a WHM like Cpanel can sure make hosting easy, but unfortunately running a WHM...

Cpanel WHM - Frequently Asked Questions

Problem: Various questions and answers about common Cpanel WHM problems.   Solution:...

Installing cPanel and Fantastico

Installing Cpanel and Fantastico. cPanel cPanel Installation Instructions:   cPanel...