
A suspicious log

gerald (Programmer, US), Apr 10, 2000
Hi there!
I had been getting a lot of complaints about spam coming from my servers, so I edited the sendmail executable to provide some extra logging which will tell me what program is calling the sendmail program and what user it is running as, and in wading through that log I have found something suspicious that I haven't seen before. Maybe somebody has seen this and can tell me what it is.

Here is the log entry:

[tt]
thisuser - sh -c (/usr/sbin/sendmail -oi oem "this@email.com" </tmp/xmt.XKI46M;/bin/
[/tt]

Note that I changed the username and email address in that line to protect the potentially innocent :-D

If I create a file called /tmp/xmt.XKI46M and then try to run that command, it will not execute telling me that /bin/ is a directory. And nothing shows up in my log file as I believe it never really executes the sendmail program.

The fact that this line made it into my log file means that the command completed successfully somehow.

I'm not really sure what this command is supposed to do. I would imagine that it is attempting to send the contents of the bin directory as an attachment to that email address.

Anybody see this before?

Thanks in advance,
Gerald

Could you create a rule for sendmail.cf that would send a copy of any mail sent out to "this@email.com" to an administrator address?

Or, maybe simpler, move /usr/sbin/sendmail to /usr/sbin/sendmail.exe. Create a shell script along the following lines that will replace "/usr/sbin/sendmail":
[tt]
#!/bin/sh
# Wrapper installed as /usr/sbin/sendmail; the real binary now lives at sendmail.exe.
# "@" has no special meaning to the shell, so the address is compared unescaped
# (a backslash inside double quotes is kept literally and the test would never match).
if [ "X$3" = "Xthis@email.com" ]
then
    # Pass the original arguments through and append the admin address as an
    # extra recipient, so the user's mail is still delivered and a copy goes to admin.
    exec /usr/sbin/sendmail.exe "$@" "admin@my.domain.com"
else
    exec /usr/sbin/sendmail.exe "$@"
fi
[/tt]
This should run sendmail.exe transparently for all users, but send a copy of "dodgy" emails to the admin address.

WARNING: I've not been able to test the above script, so you will probably want to.

Hope it helps.

Andy Bold
I should have mentioned that I am not using the real sendmail distribution, but I am using qmail. qmail creates its own version of the sendmail executable that will act the same to the person using it.

But I actually came up with the same idea, so I modified the source of sendmail.c again to read a text file that contains a list of email addresses, and when somebody uses sendmail to send an email to one of those email addresses it will also send a copy to me.

However, I have not seen that line in my log files since then. I also modified my log file to read all the way up the process tree so that if they are calling that command from yet another command I can find out where it all started and everything in between.

Oh well. If a line like that pops up again I will post back to share the results of my investigation.

Thanks for your input
Regards,
Gerald
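Added example, not code from either poster: a shell stand-in for /usr/sbin/sendmail that combines Gerald's approach (log the calling user and the parent process chain, and copy mail sent to a watch list of addresses to the admin) with Andy's wrapper idea. Assumed names: the real binary has been moved to /usr/sbin/sendmail.real, the watch list is /etc/sendmail-watch.txt (one address per line), the log is /var/log/sendmail-wrapper.log, and the admin address is admin@my.domain.com.

```shell
#!/bin/sh
# Added example (not the thread's own code): a stand-in for /usr/sbin/sendmail that
# logs who called it (user, parent process chain, arguments), appends an admin copy
# when a recipient is on the watch list, then hands off to the real binary.
# Assumed paths: sendmail.real, /etc/sendmail-watch.txt, /var/log/sendmail-wrapper.log.
REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail.real}
WATCHLIST=${WATCHLIST:-/etc/sendmail-watch.txt}
LOGFILE=${LOGFILE:-/var/log/sendmail-wrapper.log}
ADMIN=${ADMIN:-admin@my.domain.com}

# Exit 0 if ADDR appears (case-insensitively, as a whole line) in FILE.
is_watched() {  # is_watched ADDR FILE
    [ -r "$2" ] && grep -Fixq -- "$1" "$2"
}

# Exit 0 if any non-option argument is a watched address. Recipients supplied via
# -t (taken from the message headers) are not on the command line and are not seen.
copy_needed() {  # copy_needed FILE ARG...
    file=$1; shift
    for a in "$@"; do
        case $a in -*) continue ;; esac
        if is_watched "$a" "$file"; then return 0; fi
    done
    return 1
}

# Walk the parent chain from PID up to init with portable ps(1) options, so a
# caller hidden behind "sh -c" or a cron job shows up together with its ancestors.
ancestry() {  # ancestry PID
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        printf '%s[%s] <- ' "$(ps -o args= -p "$pid" 2>/dev/null | head -n 1)" "$pid"
        pid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
        [ -n "$pid" ] || break
    done
}

main() {
    stamp=$(date '+%Y-%m-%dT%H:%M:%S')
    printf '%s user=%s ppid=%s chain=%s args=%s\n' "$stamp" "$(id -un)" "$PPID" \
        "$(ancestry "$PPID")" "$*" >> "$LOGFILE"
    if copy_needed "$WATCHLIST" "$@"; then
        printf '%s watched recipient, copying to %s\n' "$stamp" "$ADMIN" >> "$LOGFILE"
        set -- "$@" "$ADMIN"   # extra recipient; the message on stdin is passed through
    fi
    exec "$REAL_SENDMAIL" "$@"
}

# Only act as the wrapper when installed under the sendmail name; sourced or run
# under another name it just defines the functions above.
case $0 in sendmail|*/sendmail) main "$@" ;; esac
```

Because the wrapper's parent is whatever program ran it, the "ppid" and "chain" fields record the caller even when it goes through sh -c, which is the information the original log line was missing.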