Archive · November 9, 2013
Find PHP sending spam on your server: logging SMTP emails sent through PHP sendmail (Ubuntu)
Is your web server under attack, and you suspect one of your domains is sending spam through PHP? Here's a way to log all PHP mail() traffic and view it in your browser.
Create a file called "phpsendmail" - I put mine into /usr/sbin/phpsendmail
Here's the code. Make sure your server has "sendmail" at "/usr/sbin/sendmail" - if not, change the sendmail path in the following code.
#!/usr/bin/php
<?php
$sendmail = '/usr/sbin/sendmail';
$logfile = '/var/log/mail_php.log';

/* Get email content */
$logline = '';
$mail = '';
$fp = fopen('php://stdin', 'r');
while (($line = fgets($fp)) !== false)
{
    /* Keep the To: and From: lines for the log entry */
    if (preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line))
    {
        $logline .= trim($line).' ';
    }
    $mail .= $line;
}

/* Build sendmail command, passing through any arguments PHP supplied */
$cmd = 'echo ' . escapeshellarg($mail) . ' | '.$sendmail.' -t -i ';
for ($i = 1; $i < $_SERVER['argc']; $i++)
{
    $cmd .= escapeshellarg($_SERVER['argv'][$i]).' ';
}

/* Log line: timestamp, To/From headers and the directory mail() was called from */
$path = isset($_ENV['PWD']) ? $_ENV['PWD'] : $_SERVER['PWD'];
file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . $logline .' ==> ' .$path."\n", FILE_APPEND);

/* Call sendmail */
return shell_exec($cmd);
?>
Create the log file as described above and set the correct permissions
touch /var/log/mail_php.log
chmod 777 /var/log/mail_php.log
chmod 777 /path/to/phpsendmail
Mode 777 makes both files writable by every local user; the script only needs to be executable, and the log only needs to be writable by the accounts PHP runs as, so tighten these if you can.
Now edit the php.ini configuration (/etc/php5/apache2/php.ini in Debian/Ubuntu). Search for [mail function] or SMTP and make the following changes:
[mail function]
;COMMENT OUT SMTP = localhost
;SMTP = localhost
;smtp_port = 25
;*******************************************************
;* ADD THE PATH TO THE phpsendmail script you just made.
;* I used /usr/sbin/phpsendmail
;*******************************************************
sendmail_path = /path/to/phpsendmail
Now restart apache2
service apache2 restart
Create a mail test PHP file inside one of your domains. I created mailsend.php
<?php
// The message
$message = "email from PHP... digital magic";
// Send
mail('youremail@domain.com', 'My Subject', $message);
echo "PHP Email Sent... WOW!";
?>
In your browser, go to http://yourdomain.com/mailsend.php and send the email...
Now, tail your log file.
tail -f /var/log/mail_php.log
and you should see something like this
2013-02-03 17:50:57 To: mail1@domain1.com From: mail2@domain2.com ==> /var/www/vhosts/domain1/httpdocs
2013-02-03 17:50:59 To: mail3@domain3.com From: mail4@domain4.com ==> /var/www/vhosts/domain2/httpdocs/libraries
I made a PHP logfile viewer so I could view the log inside my web browser and not have to log in via SSH / shell
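<?php
// Escape the output: the To:/From: values in the log come from message headers.
echo "<pre>";
echo htmlspecialchars((string) shell_exec('tail -10 /var/log/mail_php.log'));
echo "</pre>";
?>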
Hope this helps you find the domain and script sending spam through PHP on your server.
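To go from the raw log to the directory responsible, this added example (not part of the original post) counts messages and distinct To: values per directory. It assumes the log line format shown above; rank_senders and sample_log are hypothetical names and the sample addresses are constructed.

```shell
#!/bin/sh
# rank_senders LOGFILE [DATE_PREFIX]
# Prints "messages distinct_recipients directory", busiest directory first.
# DATE_PREFIX (e.g. 2013-02-03) keeps only lines that start with it.
# Hypothetical helper, assuming lines of the form
#   <date> <time> To: ... From: ...  ==> <directory>
rank_senders() {
    awk -v day="${2:-}" '
        day != "" && index($0, day) != 1 { next }
        {
            # Split on the LAST "==> ": header text is sender-controlled and
            # could contain the marker itself; the directory always comes last.
            rest = $0; pos = 0
            while ((i = index(rest, "==> ")) > 0) {
                pos += i + 3; rest = substr(rest, i + 4)
            }
            if (pos == 0) next              # not a wrapper log line
            dir = rest; head = substr($0, 1, pos - 4)
            count[dir]++

            # Collect the tokens that follow "To:" up to "From:" or the end.
            n = split(head, f, " "); rcpt = ""; in_to = 0
            for (i = 3; i <= n; i++) {      # fields 1-2 are date and time
                key = tolower(f[i])
                if (key == "to:")        in_to = 1
                else if (key == "from:") in_to = 0
                else if (in_to)          rcpt = rcpt " " f[i]
            }
            if (rcpt != "" && !seen[dir, rcpt]++) uniq[dir]++
        }
        END { for (d in count) printf "%d %d %s\n", count[d], uniq[d], d }
    ' "$1" | sort -k1,1nr -k3
}

# Constructed sample lines in the wrapper's format (addresses are made up).
sample_log() {
    cat <<'EOF'
2013-02-03 17:50:57 To: a@example.org From: web@example.net  ==> /var/www/vhosts/domain1/httpdocs
2013-02-03 17:50:59 To: b@example.org From: news@example.net  ==> /var/www/vhosts/domain2/httpdocs/libraries
2013-02-03 17:51:02 To: c@example.org From: news@example.net  ==> /var/www/vhosts/domain2/httpdocs/libraries
2013-02-03 17:51:03 To: b@example.org From: news@example.net  ==> /var/www/vhosts/domain2/httpdocs/libraries
2013-02-04 09:00:00 From: web@example.net To: a@example.org  ==> /var/www/vhosts/domain1/httpdocs
EOF
}

# Demo on the sample; for real use: rank_senders /var/log/mail_php.log
sample_log | rank_senders -
```

A directory with a high message count and many distinct recipients is the first place to look for the sending script.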
Thanks and Original Code Here: http://www.matteomattei.com/en/how-to-log-email-sent-from-php-through-mail-function/