Checking Apache for signs of a possible hack
1. Edit php.ini
sendmail_path = /usr/local/bin/phpsendmail
Create a sendmail wrapper script that filters and logs the mail() calls. I came across this one and it is very handy.
/usr/local/bin/phpsendmail
#!/usr/bin/php
<?php
/**
This script is a sendmail wrapper for php to log calls of the php mail() function.
Author: Till Brehm, www.ispconfig.org
(Hopefully) secured by David Goodwin <david @ _palepurple_.co.uk>
*/
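// Path of the real MTA binary the wrapper hands the message to.
$sendmail_bin = '/usr/sbin/sendmail';
// File that receives one entry per mail() call. The user PHP runs as
// (presumably the web-server user) needs write access to it — confirm
// against the remainder of the wrapper, which is not shown on this page.
$logfile = '/var/log/mail.form';

//* Get the email content
// $mail collects the complete raw message from stdin; $logline collects only
// the To:/From: header lines, trimmed and space-separated, for the log entry.
// Both are initialised so the first ".=" does not operate on an undefined variable.
$mail = '';
$logline = '';
$pointer = fopen('php://stdin', 'r');
if ($pointer === false) {
    fwrite(STDERR, "phpsendmail: unable to open stdin\n");
    exit(1);
}
// Compare against false explicitly: a final line consisting only of "0"
// is falsy and would otherwise end the loop before it was appended.
while (($line = fgets($pointer)) !== false) {
    if (preg_match('/^(to|from):/i', $line)) {
        $logline .= trim($line) . ' ';
    }
    $mail .= $line;
}
fclose($pointer);

//* compose the sendmail command
// The message goes to sendmail through the shell, so it is quoted as one
// argument; every argument forwarded from this script's own command line is
// quoted too. A space is kept after "-i" so the first forwarded argument is
// not glued to that flag (e.g. "-i'-fsender'" would become a single token).
$command = 'echo ' . escapeshellarg($mail) . ' | ' . $sendmail_bin . ' -t -i ';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
    $command .= escapeshellarg($_SERVER['argv'][$i]) . ' ';
}
// NOTE(review): the part of the wrapper that writes $logline to $logfile and
// runs $command is not on this page; as shown, nothing is logged or sent.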
All logged mail() calls will appear in /var/log/mail.form.
---------------------------------------------------------------------------------------------------------------------------------
grep for all POST requests in the httpd access log
sendmail_path = /usr/local/bin/phpsendmail
Create a sendmail wrapper script that filters and logs the mail() calls. I came across this one and it is very handy.
/usr/local/bin/phpsendmail
#!/usr/bin/php
<?php
/**
This script is a sendmail wrapper for php to log calls of the php mail() function.
Author: Till Brehm, www.ispconfig.org
(Hopefully) secured by David Goodwin <david @ _palepurple_.co.uk>
*/
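// Path of the real MTA binary the wrapper hands the message to.
$sendmail_bin = '/usr/sbin/sendmail';
// File that receives one entry per mail() call. The user PHP runs as
// (presumably the web-server user) needs write access to it — confirm
// against the remainder of the wrapper, which is not shown on this page.
$logfile = '/var/log/mail.form';

//* Get the email content
// $mail collects the complete raw message from stdin; $logline collects only
// the To:/From: header lines, trimmed and space-separated, for the log entry.
// Both are initialised so the first ".=" does not operate on an undefined variable.
$mail = '';
$logline = '';
$pointer = fopen('php://stdin', 'r');
if ($pointer === false) {
    fwrite(STDERR, "phpsendmail: unable to open stdin\n");
    exit(1);
}
// Compare against false explicitly: a final line consisting only of "0"
// is falsy and would otherwise end the loop before it was appended.
while (($line = fgets($pointer)) !== false) {
    if (preg_match('/^(to|from):/i', $line)) {
        $logline .= trim($line) . ' ';
    }
    $mail .= $line;
}
fclose($pointer);

//* compose the sendmail command
// The message goes to sendmail through the shell, so it is quoted as one
// argument; every argument forwarded from this script's own command line is
// quoted too. A space is kept after "-i" so the first forwarded argument is
// not glued to that flag (e.g. "-i'-fsender'" would become a single token).
$command = 'echo ' . escapeshellarg($mail) . ' | ' . $sendmail_bin . ' -t -i ';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
    $command .= escapeshellarg($_SERVER['argv'][$i]) . ' ';
}
// NOTE(review): the part of the wrapper that writes $logline to $logfile and
// runs $command is not on this page; as shown, nothing is logged or sent.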
All logged mail() calls will appear in /var/log/mail.form.
---------------------------------------------------------------------------------------------------------------------------------
grep for all POST requests in the httpd access log
146.1.73.155 | 0 | 0 | [28/Jul/1967:07:33:43 | -0700] | POST /administrator/index.php HTTP/1.1 | 200 | 4309 | http://sampledomain.com/administrator/index.php?option=com_login |
146.0.75.212 | 0 | 0 | [28/Jul/1967:08:15:42 | -0700] | POST /administrator/index.php HTTP/1.1 | 200 | 4309 | http://sampledomain.com/administrator/index.php?option=com_login |
214.2.175.16 | 0 | 0 | [28/Jul/1967:08:54:10 | -0700] | POST /administrator/index.php HTTP/1.1 | 200 | 4309 | http://sampledomain.com/administrator/index.php?option=com_login |
126.11.74.28 | 0 | 0 | [28/Jul/1967:10:17:05 | -0700] | POST /administrator/index.php HTTP/1.1 | 200 | 4309 | http://sampledomain.com/administrator/index.php?option=com_login |
167.137.209.44 | 0 | 0 | [28/Jul/2013:10:40:27 | -0700] | POST /administrator/index.php HTTP/1.1 | 303 | 0 | http://www.sampledomain.com/administrator/ |
213.111.175.11 | 0 | 0 | [28/Jul/1967:11:03:01 | -0700] | POST /administrator/index.php HTTP/1.1 | 200 | 4309 | http://sampledomain.com/administrator/index.php?option=com_login |
146.0.74.211 | 0 | 0 | [28/Jul/1967:11:44:04 | -0700] | POST /administrator/index.php HTTP/1.1 | 200 | 4309 | http://sampledomain.com/administrator/index.php?option=com_login |