File: //var/log/spamavoid/logging_sendmail
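#!/bin/bash
# Logging sendmail wrapper.
# This script is updated for Apache 2.4, where X-PHP-Filename gives the
# correct file name.
#
# Reads one message on stdin, logs its first header lines, keeps per-IP and
# per-file send counters in MySQL, disables (chmod 0000) PHP files that look
# like spam senders, and otherwise passes the message to sendmail together
# with the caller's arguments.
#
# The interpreter is bash, not sh: the script relies on [[ ]], arrays and
# here-strings.
#
# Security notes:
#   - Everything parsed from the message (X-PHP-Filename, X-PHP-Script, To:)
#     is untrusted input. It is quoted in every command, matched as a fixed
#     string (grep -F) and escaped before it is placed in SQL.
#   - NOTE(review): the chmod calls act on a path taken from the message
#     headers; confirm that only the PHP runtime can set X-PHP-Filename in
#     this deployment.

SENDMAIL=(/usr/sbin/sendmail -t -i)
LOGFILE="/var/log/spamavoid/sendmail.log"
SPAM_SENDING_PHP="/var/log/spamavoid/spam_sending_details.log"
EXCEPTION_LIST="/var/log/spamavoid/php_email_sending_exception.txt"
BLACKLIST="/var/log/spamavoid/email-blacklist.txt"

# Append one line to the wrapper log.
log() {
  printf '%s\n' "$*" >> "$LOGFILE"
}

# Escape a value for use inside a single-quoted SQL string literal.
# Backslashes and single quotes are both doubled, which keeps the value
# inside the literal whether or not the server treats backslash as an
# escape character.
sql_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Run one statement against the spam-tracking database; output on stdout.
# TODO(security): the credentials are hard-coded and passed on the command
# line, where they can be visible to other local users in the process list.
# Move them to a mode-0600 client option file and pass it with
# --defaults-extra-file (it must be the first option given to mysql).
db_exec() {
  mysql -uadodisho_spam -pSpam6909 -e "use adodisho_spam; $1"
}

# Print the second whitespace-separated word of $1, or the only word when
# there is just one (what `echo $x | cut -d' ' -f2` produced), without
# letting the shell glob-expand the value.
second_word() {
  local -a words=()
  read -r -d '' -a words <<< "$1"
  if [ "${#words[@]}" -ge 2 ]; then
    printf '%s' "${words[1]}"
  elif [ "${#words[@]}" -eq 1 ]; then
    printf '%s' "${words[0]}"
  fi
}

TMPFP=$(mktemp) || {
  log "mktemp failed, message not processed"
  exit 1
}
# The spooled message holds full mail content; remove it on every exit path.
trap 'rm -f -- "$TMPFP"' EXIT

cat > "$TMPFP"
head -n 5 "$TMPFP" >> "$LOGFILE"

# Store in DB, so that we can verify it and find out the spam sending script.
fpath=$(head -n 5 "$TMPFP" | grep "X-PHP-Filename:" | cut -d ':' -f2 \
  | sed -e 's/ REMOTE_ADDR//g' -e 's/^ *//g' -e 's/ *$//g')
log "File path is $fpath"
log "Modified 1"

spampath=$(head -n 5 "$TMPFP" | grep "X-PHP-Script:")

if [ -z "$fpath" ]; then
  log "X-PHP-Filename not found so storing the address"
  fpath=$(head -n 5 "$TMPFP" | grep "To:" | cut -d ' ' -f2)
fi

# Second word of the X-PHP-Script line: domain followed by the script path.
p=$(second_word "$spampath")

# Domain which is sending the spam: strip only a leading "www." (the old
# sed 's/www.//g' removed "www" plus any character anywhere in the name).
dom1=${p%%/*}
dom=${dom1#www.}

NOW=$(date +"%Y%m%d%H%M%S")
UNIQUEID="$NOW$dom"
log "$UNIQUEID => DOM is $dom"

# IP which is invoking the spam file (last word of the X-PHP-Script line).
spamip=${spampath##* }
log "$UNIQUEID => Spam IP is $spamip"

# Update the IP count details.
ip_sql=$(sql_escape "$spamip")
res=$(db_exec "select cnt from IPcount where IP = '$ip_sql' limit 0,1")
cnt=$(second_word "$res")
log "$UNIQUEID => Spam IP : $spamip Count is $cnt ............................................"
if [ -z "$res" ]; then
  db_exec "INSERT INTO IPcount (cnt,IP) VALUES(1,'$ip_sql');"
else
  db_exec "update IPcount SET cnt=cnt+1 where IP = '$ip_sql'"
fi

log "$UNIQUEID => Full path is : $fpath"

# Update the per-file count. cnt holds the value read before this update and
# is empty for a path that had no row yet.
two=$fpath
path_sql=$(sql_escape "$two")
tmp_res=$(db_exec "select cnt from spamemailcount where path = '$path_sql' limit 0,1")
cnt=$(second_word "$tmp_res")
log "$UNIQUEID => File: $two Count is $cnt"
if [ -z "$tmp_res" ]; then
  db_exec "INSERT INTO spamemailcount (cnt,path) VALUES(1,'$path_sql');"
fi
db_exec "update spamemailcount SET cnt=cnt+1 where path = '$path_sql'"

# Numeric copy of cnt for the threshold tests; an empty or non-numeric value
# counts as 0 instead of raising a test(1) error.
case $cnt in
  '' | *[!0-9]*) cnt_num=0 ;;
  *) cnt_num=$cnt ;;
esac

tmp_dom=$dom

# Mail produced from eval()'d code: disable the file and drop the message.
if head -n 7 "$TMPFP" | grep -q "eval()'d code"; then
  if [[ -f "$fpath" ]]; then
    chmod 0000 -- "$fpath"
    log "$UNIQUEID => evaled code, not proceeding. chmod to 000 $fpath"
    exit 0
  fi
fi

# Check if the file is there in the exception list. The empty-value guard
# matters: an empty fixed-string pattern would match every line of the list.
# NOTE(review): this is a substring match; use -x as well if the list holds
# exactly one path per line.
if [ -n "$two" ] && grep -F -- "$two" "$EXCEPTION_LIST" >> "$LOGFILE"; then
  echo "This $two is allowed to send emails, But keep a check on $cnt"
  "${SENDMAIL[@]}" "$@" < "$TMPFP"
  RETVAL=$?
  log "$UNIQUEID => Return value of sendmail $RETVAL"
  exit 0
fi

if [ "$cnt_num" -gt 10 ]; then
  d=$(date)
  # If file exists, look for obfuscated-code patterns. Each later pattern is
  # tried only when the earlier ones did not match. The old code compared the
  # status of `grep | xargs grep` with 1, but GNU xargs reports 123 when the
  # command finds nothing, so the later patterns were never evaluated.
  if [[ -f "$two" ]]; then
    pat1=1
    pat_eval=1
    pat2=1
    pat3=1
    if grep -q eval -- "$two" && grep -q base64_decode -- "$two"; then
      pat1=0
    fi
    if [ "$pat1" -ne 0 ] && grep -q -P '(eval *\(.*\))' -- "$two"; then
      pat_eval=0
    fi
    if [ "$pat1" -ne 0 ] && [ "$pat_eval" -ne 0 ] \
      && grep -m 1 eval -- "$two" | grep strto | grep -q isset; then
      pat2=0
    fi
    if [ "$pat1" -ne 0 ] && [ "$pat_eval" -ne 0 ] && [ "$pat2" -ne 0 ] \
      && grep -q -E '(\[[0-9]+\][^\[]*){25,}' -- "$two"; then
      pat3=0
    fi
    # If any one of the patterns matched, disable the file and drop the mail.
    if [ "$pat1" -eq 0 ] || [ "$pat_eval" -eq 0 ] || [ "$pat2" -eq 0 ] || [ "$pat3" -eq 0 ]; then
      log "$UNIQUEID => Pattern pat1 $pat1 pat_eval $pat_eval pat2 $pat2 pat3 $pat3 Matched: Count $cnt"
      chmod 0000 -- "$two"
      printf '%s %s %s\n' "$two" "$cnt" "$d" >> "$SPAM_SENDING_PHP"
      exit 0
    fi
  fi
fi

if [ "$cnt_num" -gt 40 ]; then
  # If file exists
  if [[ -f "$two" ]]; then
    if [[ "$two" == *"wp-comments-post.php"* ]]; then
      sed -i '1s/^/This file is sending lots of spam Emails, May be due to not having captcha or your website is hacked. Please look into this problem\nWe are currently suspending this file. If needed, Please fix this problem correctly. If it sends spam Emails again, this file will be deleted automatically. \nIf you have any issues, Kindly send email to support@hostingraja.in/' -- "$two"
      echo "Going to change the mode : $two"
      chmod 0000 -- "$two"
    elif [[ "$two" == *"index.php" ]]; then
      echo "This is index.php file"
      # Never add an empty domain: an empty blacklist entry is meaningless.
      if [ -n "$tmp_dom" ] && ! grep -q -F -- "$tmp_dom" "$BLACKLIST"; then
        echo "$tmp_dom" >> "$BLACKLIST"
        echo "Adding the domain $tmp_dom in the black list with count"
      fi
    else
      echo "Changing the mode : $two"
      chmod 0000 -- "$two"
      d=$(date)
      printf '%s %s %s\n' "$two" "$cnt" "$d" >> "$SPAM_SENDING_PHP"
    fi
  else
    log "$UNIQUEID => Mail not sending OR Mail Originating from Spam, this is not a proper file for sending mail $two"
    head -n 2 "$TMPFP" >> "$LOGFILE"
    exit 0
  fi
fi

# Drop the message when its X-PHP-Script line names a blacklisted domain.
# Entries are matched as fixed strings; blank lines are skipped because an
# empty pattern would match every message.
while read -r entry || [ -n "$entry" ]; do
  [ -n "$entry" ] || continue
  if grep "X-PHP-Script" "$TMPFP" | grep -q -F -- "$entry"; then
    log "$UNIQUEID => Mail Originating from Spammy Domain $entry, Not sending"
    head -n 2 "$TMPFP" >> "$LOGFILE"
    exit 0
  fi
done < "$BLACKLIST"

log "$UNIQUEID => Sending Email now.....File name $TMPFP"
"${SENDMAIL[@]}" "$@" < "$TMPFP"
RETVAL=$?
log "$UNIQUEID => Return value of sendmail $RETVAL"

# Uncomment below if you want to keep a copy of the e-mail (the EXIT trap
# only removes the spool file when it is still in its original place).
#mv $TMPFP /home/adodisho/email/
#newf=`echo $TMPFP | sed 's/\/tmp\///g'`
#mv /home/adodisho/email/$newf /home/adodisho/email/$newf.eml
#chmod 0644 /home/adodisho/email/$newf.eml

# The wrapper has always reported success to its caller; sendmail's own
# status is recorded in the log above.
exit 0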