Hi,

I have the following two scripts but neither of them work. What I am trying to find out is which domain is having vulnerable php code exploited to send spam.
But ideally I would like to find out whatever domain is sending out mail, the maillog itself shows where mail is going to and coming from but not which script on which domain sent it.

Sometimes I can trace the process and find out an X-mailer in the mail header but not all the time. Just says send by the Apache UID so certainly a website that's doing it.

Here are the scripts for your reference.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~BEGIN~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open(INFO, ">>/var/log/formmail.log")|| die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR){
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
print INFO "$date -$PWD - @info\n";
}
my $mailprog='/var/qmail/bin/sendmail.real';
foreach (@ARGV){
$arg="$arg" . "$_" . " " ;
}

print("sendmail arguments:\n");
print("$arg\n");


open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN>){
print MAIL;
}
close (INFO);
close (MAIL);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~END~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


And another one.


#!/bin/sh
(echo X-Additional-Header: $(basename $(dirname $PWD));cat)|tee -a
/var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"



Any help with this would be appreciated, please note that I am not a coder.

Thanks.

You might want to look at the httpd access logs (I think the default location is /var/log/httpd/). For each virtual that I have web site you can create a separate log file, Apache directive (CustomLog logs/dummy-host.example.com-access_log common in the VirtualHost directive). It might then be a case of looking which one has excessive access and from there locate the script in question.