My server has been attacked by some guys using fishing and mail() function.

Your tutorial allow me not to secure my server, but to warn victims.

 Sure your tutorial is strongly useful.

1. Login as root, then create script file: /usr/local/bin/logging_sendmail

#!/bin/sh
# Logging sendmail wrapper

SENDMAIL="/usr/sbin/sendmail"
LOGFILE="/var/log/sendmail.log"

DT=`date "+%Y-%m-%d %H:%M:%S"`
DTFN=`date "+%Y%m%d-%H%M%S"`
TMPFP=`tempfile --prefix=lsm_`

cat | tee "$TMPFP" | $SENDMAIL $*
RETVAL=$?

TO=`grep "To:" <"$TMPFP"`
rm -f "$TMPFP"

echo "$DT: $PWD sends e-mail $TO" >>$LOGFILE

exit $RETVAL

2. Make the script executable:

chmod +x /usr/local/bin/logging_sendmail

3. Create /var/log/sendmail.log:

touch /var/log/sendmail.log

chown root:adm  /var/log/sendmail.log

chmod 662  /var/log/sendmail.log

4. Add logrotate configuration as /etc/logrotate.d/logging_sendmail:

/var/log/sendmail.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    create 662 root adm
}

5. Configure the /usr/local/bin/logging_sendmail script instead of phpsendmail as the article describes above (php.ini modifications).

6. Restart Apache as the article describes

You can look at the logfile with the same command, but the filename passed has to be: /var/log/sendmail.log

It works perfectly on our server.

Good luck!

Thanks for this, this is just what I needed!

If you also want to log some of the php environment variables from the request you need to put something like

in /etc/php5/set_php_headers.php. You can choose whatever variables you want. I added the "__" to them to prevent overriding. Now modify php.ini and set: auto_prepend_file = "/etc/php5/set_php_headers.php" This executes the above file for each request. You can use these variables in the /usr/local/bin/phpsendmail script for logging.

Hello,

    Excellent script, I've had to modify this for a couple of my older servers that are still running PHP4 (Plesk does not really enjoy when you update...anything).  And, I could think of nothing better to do than to share this.

Touch /usr/local/bin/phpsendmail

Touch /var/log/php_mail_log

chmod +x /usr/local/bin/phpsendmail

chmod 777 /var/log/php_mail_log

The content of /usr/local/bin/phpsendmail:

#!/usr/bin/php
<?php
$sendmail_bin='/usr/sbin/sendmailauth';
$logfile='/var/log/php_mail_log';

//* Get the email content
$logline = '';
$pointer = fopen('php://stdin', 'r');

//Open the log file
$handle = fopen($logfile,"a+");

//Prepare the date
$date = date('m-d-y :: h:i:s A --');

// get email content functionality
while ($line = fgets($pointer)) {
        if(preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
                $logline .= trim($line).' ';
        }
        $mail .= $line;
}

//* compose the sendmail command
$command = 'echo ' . escapeshellarg($mail) . ' | '.$sendmail_bin.' -t -i';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
        $command .= escapeshellarg($_SERVER['argv'][$i]).' ';
}

$content = "$date " . $_ENV["PWD"]  . " $logline " . "\n";
fwrite($handle,$content);
fclose($handle);


//* Execute the command
return shell_exec($command);

?>
 

   Please note the sendmail bin, yours will probably just be /usr/sbin/sendmail and not /usr/sbin/sendmailauth, this is a customized sendmail script for SMTP Authentication.   The reason for this  entry would be PHP4 does not have the ability to use file_put_contents, there are ways to add it to the code, but add a lot more lines of code when fopen and fwrite can do the same thing.  I have also varied the date command a little bit for ease of reading, and added a line break so that everything does not string into one long line, once again for ease of reading. Below is a sample of the output:

 09-11-20 :: 07:01:50 -- /var/www/vhosts/domain/ To: address From: address

   Thank you very much for the original code as it makes my job much easier, and I hope this contribution is well accepted.

    Brooks

     Nexpoint Web Hosting

     http://www.nexpoint.net

As mentioned above; the code is quite insecure.

I've hopefully fixed the problems with it, and include the code below.

thanks

 David.

 <code>

#!/usr/bin/php
<?php

/**
  This script is a sendmail wrapper for php to log calls of the php mail() function.
  Author: Till Brehm, www.ispconfig.org
  (Hopefully) secured by David Goodwin <david @ _palepurple_.co.uk>
*/

$sendmail_bin = '/usr/sbin/sendmail';
$logfile = '/tmp/mail_php.log';

//* Get the email content
$logline = '';
$pointer = fopen('php://stdin', 'r');

while ($line = fgets($pointer)) {
        if(preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
                $logline .= trim($line).' ';
        }
        $mail .= $line;
}

//* compose the sendmail command
$command = 'echo ' . escapeshellarg($mail) . ' | '.$sendmail_bin.' -t -i';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
        $command .= escapeshellarg($_SERVER['argv'][$i]).' ';
}



//* Write the log
file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . $_ENV['PWD'] . ' ' . $logline, FILE_APPEND);
//* Execute the command
return shell_exec($command);

</code>

(I've not yet been able to fully test this, so your mileage may vary....)

Instead of trying to bolt the barn door after the horse has bolted it is far better to patch PHP to prevent anyone using it to inject implicit recipients (http://www.lancs.ac.uk/~steveb/patches/php-mail-reject-implicit-recipients-patch/)

 You can also patch mail() to specify in the email which website actually sent the message to make it easier to trace who is actually responsible for any spam -  http://www.lancs.ac.uk/~steveb/patches/php-mail-header-patch/

 I've used both these patches and they really help a lot.

This script is one huge security hole.  Do not use it!  It invokes shell_exec() and system() on untrusted input without sanitization.

The suggestion in this article is a malicious user's dream! The code contains several deficiencies which will readily grant a user shell access to the server!

Hi Till,

First, thank you very much for sharing your howto document and it definetely seems that it'll make my work easier.

But i think it might need to be made some little corrections about the phpsendmail file. The code doesnt run unless the correction below is made.

Line 36: return shell_exec($cmd); -> return shell_exec($command);

 And;

I get the message below when the system runs the script.

sendmail: fatal: Recipient addresses must be specified on the command line or via the -t option

Line 20: $command = 'echo "'.$mail.'" | '.$sendmail_bin.' ';

But it runs when i change the line above as 

$command = 'echo "'.$mail.'" | '.$sendmail_bin.' -t';

best regards