Here is a nice way to find out whether some "good guy" has planted a PHP page on our web server (obviously by breaking into it), and above all which file it is, in order to send email to half the world (in the specific case where I solved the problem, there were no fewer than half a million emails in the queue!):
I'm quoting it because it is worth it (it is for Qmail, even though the platform mentioned is Plesk):
Resolution
There is a way to find which folder the PHP script that sends mail was run from. Note that the paths can differ slightly from those listed below depending on your OS and Plesk version:
1) Create the /var/qmail/bin/sendmail-wrapper script with the following content:
#!/bin/sh
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"
Note that it should be two lines, including '#!/bin/sh'.
2) Then create the log file /var/tmp/mail.send and grant it "a+rw" rights, make the wrapper executable, rename the old sendmail and link it to the new wrapper:
~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail
3) Wait for an hour or so and revert sendmail back:
~# rm -f /var/qmail/bin/sendmail
~# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail
Examine the /var/tmp/mail.send file; there should be lines starting with "X-Additional-Header:" pointing to the domains' folders where the scripts that sent the mail are located.
You can see all the folders mail PHP scripts were run from with the following command:
~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//'`
If you see no output from the command above, it means that no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.
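Added example, not part of the quoted article: once the wrapper has collected data, this shell function counts messages per recorded working directory and ranks them, optionally restricted to the vhosts root. The function names and the sample log are constructed for illustration, and the log format is assumed to be exactly what the wrapper above writes.

```sh
#!/bin/sh
# Added example: rank the directories recorded in X-Additional-Header lines.
# Assumption: the log has the format written by the sendmail-wrapper above.

# rank_mail_dirs LOGFILE [VHOSTS_ROOT]  ->  "COUNT DIRECTORY", busiest first
rank_mail_dirs() {
    awk -v root="${2:-}" '
        /^X-Additional-Header: / {
            dir = substr($0, length("X-Additional-Header: ") + 1)
            sub(/\r$/, "", dir)                    # tolerate CRLF logs
            # With a root given, keep only that directory and paths below it
            # (the "/" stops /var/www/vhosts2 from matching /var/www/vhosts).
            if (root != "" && dir != root && index(dir, root "/") != 1) next
            count[dir]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log (hypothetical domains and paths) for an offline run.
write_sample_log() {
    cat > "$1" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: a@example.net
Subject: test 1

body
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: b@example.net

body
X-Additional-Header: /var/www/vhosts/example.org/httpdocs
To: c@example.net

body
X-Additional-Header: /root
To: admin@example.net

cron report
EOF
}

# Demo on the sample; on a real server pass /var/tmp/mail.send instead.
demo_log=$(mktemp)
write_sample_log "$demo_log"
rank_mail_dirs "$demo_log" /var/www/vhosts
rm -f "$demo_log"
```

The log written by the wrapper contains complete messages and is world-writable, so treat the counts as a lead to investigate and remove the file once the wrapper has been reverted.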

















