Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Post subject: Find php scripts that use mail() function to spam in your Linux server | Posted: Tue Jan 27, 2015 6:56 am

Find php scripts that use mail() function to spam in your Linux server


Every shared web hosting provider runs into this at least monthly: a customer experiments with, or leaves unattended, a PHP script that was written for testing purposes or to serve the contact / feedback page of a website, and that passes HTTP GET or POST data straight into PHP's mail() function.
The worst case is when the TO field (the first argument of mail(), the destination address) is taken from user input: the script then works as an open relay that anybody on the Internet can drive with a scripted HTTP request to send mail to arbitrary recipients.

Hardening LAMP server security to help with spam prevention:

- Hardcode the recipient and the other headers (the subject and the "additional_headers" fourth argument of mail(), see the PHP manual for mail()) into the script whenever possible, as in the example provided here.
- If the recipient(s) really have to be supplied by the visitor, make sure a captcha "assists" the user, or at the very least a token system (a hidden HTML form field whose value must match a token the server issued for that session), so the form cannot be driven by a plain scripted HTTP POST.
- Make sure your php.ini configuration enables the "X-PHP-Originating-Script" mail header (mail.add_x_header), so every message carries the name of the PHP script that sent it and troubleshooting is easy.
- Make sure your php.ini configuration enables logging of every call to the mail() function (mail.log).
- Make sure you have a cron script that regularly searches the web root for PHP files containing the "mail" keyword, and monitor which scripts appear over time.

Php script using the mail() function - example:
andrei@vpsie# cat mail-script.php
<?php
mail           ('', 'Test spam subject','Test spam mail');
The run of spaces between "mail" and the opening bracket is intentional: the search command below has to match that spelling as well as the usual "mail(".

Finding php files using the mail function:

The Linux "find" command below is just an example of a reasonably accurate search over a specific directory (usually the web server's document root) for files whose name ends in ".php" (case insensitive) and that contain the word "mail" (but not "email" or "_mail", which grep -w excludes because "e" and "_" are word characters) followed by zero or more spaces and an opening bracket, i.e. "mail(" or "mail (". The -print0 / xargs -0 pair is what makes the pipeline safe for file names containing spaces. The backslash before the space in the original pattern ('mail\ *(') is unnecessary inside single quotes, and recent GNU grep versions warn about it, so it is dropped here:
andrei@vpsie# find /var/www/ -iname "*.php" -print0 | xargs -0 grep -lw 'mail *('
Note that this only catches literal calls to mail(); a script that hides the call behind a variable function name or base64-encoded code will not match and needs a different search.
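The search above as a reusable shell function, with a constructed set of sample files to run it against. This is an added example, not code from the original post: the file names and contents are invented, and it goes a little beyond the one-liner by also covering .phtml, .php5-style and .inc files and by using find -exec instead of xargs so that file names with spaces are handled without GNU-specific xargs flags.

```shell
#!/bin/sh
# Added example (not from the original post): a reusable scan for PHP-style
# files that call mail(), plus a constructed fixture tree to run it against.

# Print the path of every PHP-style file under $1 that contains "mail(" or
# "mail   (" as a whole word, so email( and send_mail( do not match.
scan_mail_scripts() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
                         -o -iname '*.php[0-9]' -o -iname '*.inc' \) \
        -exec grep -lw 'mail *(' {} + | sort
}

# Same search, but print file:line:content so each call can be reviewed.
show_mail_calls() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
                         -o -iname '*.php[0-9]' -o -iname '*.inc' \) \
        -exec grep -Hnw 'mail *(' {} + | sort
}

# Number of files the scan reports under $1.
count_mail_scripts() {
    scan_mail_scripts "$1" | wc -l | tr -d ' '
}

# Build a throw-away web root with constructed sample files; prints its path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/site/inc" "$root/site/uploads"
    # open relay: the recipient comes straight from the HTTP request
    printf '%s\n' '<?php' 'mail($_POST["to"], "hi", $_POST["body"]);' \
        > "$root/site/contact.php"
    # the spaced-out spelling from the post, in a file name containing a space
    printf '%s\n' '<?php' 'mail           ("", "Test spam subject", "Test spam mail");' \
        > "$root/site/uploads/my page.php"
    # renamed extension that many hosts still execute as PHP
    printf '%s\n' '<?php' 'mail("x@example.com", "s", "b");' \
        > "$root/site/inc/old.php5"
    # must NOT match: different function names, or not a PHP file at all
    printf '%s\n' '<?php' 'email($addr);' > "$root/site/Email.PHP"
    printf '%s\n' '<?php' 'send_mail($addr);' > "$root/site/inc/util.inc"
    printf '%s\n' 'mail(' > "$root/site/notes.txt"
    echo "$root"
}

if [ "${1:-}" = "demo" ]; then
    root=$(make_fixture)
    show_mail_calls "$root"
    rm -rf "$root"
fi
```

Run it as "sh scan.sh demo" to see the three hits (contact.php, inc/old.php5 and "uploads/my page.php") with their line contents, while Email.PHP, util.inc and notes.txt stay out of the list. Replacing make_fixture's path with /var/www turns scan_mail_scripts into the cron job suggested in the hardening list.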

Before going to the php.ini settings that help in troubleshooting spam sent from your server, it's best to first go over the PHP runtime configuration page in the manual.

Adding mail sending script information in mime header:

Open your server's php.ini configuration file, find the line for "add_x_header" and change it as below (both mail.add_x_header and mail.log exist since PHP 5.3.0):
mail.add_x_header = On

Enable php to log information about each email sent via a php script:

Again, in your php.ini file add or change the following line as below; the file must be writable by the user the web server or php-fpm runs as, otherwise PHP only emits a warning and logs nothing:
mail.log = /var/log/php-mail.log

Next, restart the web server (Apache with mod_php) or php-fpm so the new php.ini is read (for Apache a kill -HUP of the parent process is enough), then let's look at the outcome:

Mails sent from the mail-script.php script have the following line in their header (the number before the colon is the UID the script ran as; it is 0 here because the test was run as root from the shell, whereas a script hit through the web server shows the web server's UID):
X-PHP-Originating-Script: 0:mail-script.php

As the manual states, the php log file contains the absolute path to the script, the recipient and the headers (none in my script's case).
mail() on [/var/www/]: To: -- Headers:
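Once mail.log is in place, the useful question is which script sent how much and to whom. The following triage functions are an added example, not code from the original post; the log lines they parse are constructed for the demonstration and follow the "mail() on [script:line]: To: ... -- Headers: ..." shape shown above, with the date prefix and the trailing "-- Subject:" field that newer PHP versions add (the exact fields vary by PHP version, which is why the parser keys only on the "mail() on [...]: To:" part).

```shell
#!/bin/sh
# Added example (not from the original post): triage of a PHP mail.log.
# The sample lines are constructed; the format follows the page's own
# "mail() on [script:line]: To: ... -- Headers: ..." line.

# Write a constructed mail.log to $1 for the demonstration.
write_sample_log() {
    cat > "$1" <<'EOF'
[27-Jan-2015 06:55:01 UTC] mail() on [/var/www/site/contact.php:12]: To: a@example.net -- Headers: From: web@example.com
[27-Jan-2015 06:55:02 UTC] mail() on [/var/www/site/contact.php:12]: To: b@example.net -- Headers: From: web@example.com
[27-Jan-2015 06:55:02 UTC] mail() on [/var/www/site/uploads/my page.php:2]: To: c@example.org -- Headers:
[27-Jan-2015 06:55:03 UTC] mail() on [/var/www/site/contact.php:12]: To: d@example.net -- Headers: From: web@example.com
[27-Jan-2015 06:55:03 UTC] mail() on [/var/www/site/contact.php:12]: To: e@example.net -- Headers: From: web@example.com
[27-Jan-2015 06:55:04 UTC] mail() on [/var/www/blog/wp-mail.php:40]: To: admin@example.com -- Headers: From: blog@example.com
mail() on [/var/www/site/uploads/my page.php:2]: To:  -- Headers:
EOF
}

# Print "count path" pairs, busiest script first.  The script path is taken
# from between "mail() on [" and the ":line]" that closes the bracket, so
# paths containing spaces and lines without a date prefix both work.
sends_per_script() {
    sed -n 's/.*mail() on \[\(.*\):[0-9][0-9]*]: To: .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Path of the busiest script in log $1.
top_script() {
    sends_per_script "$1" | head -n 1 | sed 's/^ *[0-9]* //'
}

# Number of mail() calls attributed to the busiest script in log $1.
top_count() {
    sends_per_script "$1" | head -n 1 | awk '{ print $1 }'
}

# Scripts that sent more than $2 mails: the candidates for a manual review
# with the find/grep scan above.
busy_scripts() {
    sends_per_script "$1" | awk -v limit="$2" '$1 > limit' | sed 's/^ *[0-9]* //'
}

# Number of distinct, non-empty recipients addressed by script path $2 in
# log $1; a contact form that reaches many different addresses is a relay.
recipients_of() {
    grep -F "mail() on [$2:" "$1" \
        | sed 's/.*]: To: \(.*\) -- Headers:.*/\1/' \
        | sed 's/ *$//' | grep -v '^$' | sort -u | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    sends_per_script "$log"
    busy_scripts "$log" 1
    rm -f "$log"
fi
```

Point sends_per_script at the real /var/log/php-mail.log to get the ranking; combined with the X-PHP-Originating-Script header in the queued messages, it identifies the offending script without reading the whole mail queue.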
