File: //var/log/spamavoid/logging_sendmail_for_apache2.2
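#!/bin/bash
# Logging sendmail wrapper (used as PHP's sendmail_path under Apache 2.2).
#
# Reads the message from stdin into a temp file, logs its first five header
# lines, extracts the originating PHP script (X-PHP-Script header) and the
# calling IP, keeps per-IP and per-script counters in MySQL, and then either
# hands the message to /usr/sbin/sendmail or suppresses it when the script or
# domain looks like a spam source. Any arguments are passed through to sendmail.
#
# Changes from the previous revision (behaviour is otherwise the same):
#   - bash shebang: the script uses [[ ]], arrays and here-strings (bashisms)
#   - every header-derived value is quoted and escaped before it reaches
#     mysql, grep, find or curl (previously interpolated raw into SQL/argv)
#   - chmod/sed/rm only act on a path that resolves inside the document root
#     WHM returned (header-supplied ".." or symlinks can no longer reach out)
#   - the spooled message is always removed on exit (it used to be left in /tmp)
#   - blank lines in the blacklist no longer match every message
#   - sendmail's real exit status is logged (the old code logged `$?` of an
#     assignment, i.e. always 0)
#   - the bare `2>&1` line applied to no command and was dropped
#
# Environment (optional): SPAMAVOID_DB_PASS and SPAMAVOID_WHM_PASS override
# the built-in credentials below.
# TODO(review): move the MySQL credentials to a --defaults-extra-file and the
# WHM credentials to a --netrc-file so they never appear in this file or argv.
set -u

readonly SENDMAIL=(/usr/sbin/sendmail -t -i)
readonly LOGFILE="/var/log/spamavoid/sendmail.log"
readonly SPAM_SENDING_PHP="/var/log/spamavoid/spam_sending_details.log"
readonly BLACKLIST="/var/log/spamavoid/email-blacklist.txt"
readonly EXCEPTION_LIST="/var/log/spamavoid/php_email_sending_exception.txt"
readonly DB_NAME="adodisho_spam"
readonly DB_USER="adodisho_spam"
readonly DB_PASS="${SPAMAVOID_DB_PASS:-Spam6909}"
readonly WHM_USER="hrsupportwhm"
readonly WHM_PASS="${SPAMAVOID_WHM_PASS:-8Wk-BuUyT1^1}"
readonly WHM_URL="http://127.0.0.1:2086/json-api/domainuserdata"

# Spooled copy of the message; set in main(), removed by the EXIT trap.
TMPFP=""

#######################################
# Append one line to the wrapper log.
# Globals:   LOGFILE (appended)
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >> "$LOGFILE"
}

#######################################
# Escape a value for use inside a single-quoted MySQL string literal.
# The mysql client has no parameter binding, so backslashes and single
# quotes are doubled before the value is interpolated into a statement.
# Arguments: $1 - raw value (typically taken from a mail header)
# Outputs:   escaped value on stdout, no trailing newline
#######################################
sql_escape() {
  local v=$1
  local bs='\' q="'"
  v=${v//"$bs"/$bs$bs}
  v=${v//"$q"/$q$q}
  printf '%s' "$v"
}

#######################################
# Run one SQL statement against the spam database.
# -N/-s drop column headers and table borders so a SELECT of a single
# value prints just that value (the old code cut the header off by hand).
# Globals:   DB_USER, DB_PASS, DB_NAME
# Arguments: $1 - SQL text (already escaped by the caller)
# Outputs:   query result on stdout
# Returns:   mysql's exit status
#######################################
run_sql() {
  mysql --user="$DB_USER" --password="$DB_PASS" -N -s -e "$1" "$DB_NAME"
}

#######################################
# Hand the spooled message to sendmail and log its exit status.
# Globals:   SENDMAIL, TMPFP (read)
# Arguments: extra sendmail arguments from the caller
# Returns:   sendmail's exit status
#######################################
deliver() {
  "${SENDMAIL[@]}" "$@" < "$TMPFP"
  local rv=$?
  log "Return value of sendmail $rv"
  return "$rv"
}

#######################################
# Check that a path resolves to the document root or somewhere below it.
# Both sides are canonicalised so ".." components and symlinks cannot
# escape the root.
# Arguments: $1 - document root, $2 - candidate path
# Returns:   0 if $2 is inside $1, non-zero otherwise (or if unresolvable)
#######################################
under_docroot() {
  local root target
  root=$(readlink -f -- "$1") || return 1
  target=$(readlink -f -- "$2") || return 1
  [[ "$target" == "$root" || "$target" == "$root"/* ]]
}

#######################################
# Main flow: spool, inspect, count, act, deliver.
# Arguments: passed through to sendmail
#######################################
main() {
  local hdr fpath spampath _first p _rest sp_fi dom spamip esc res cnt
  local docroot two act_ok one file tmp_res tmp_dom d
  local pat1 pat_eval pat2 pat3 sfile search_root tempi evaled_found i

  TMPFP=$(mktemp) || exit 75   # EX_TEMPFAIL: cannot spool the message
  trap 'rm -f -- "$TMPFP"' EXIT
  cat > "$TMPFP"

  # Only the first five lines are inspected, as before; CRs are stripped so
  # header values compare cleanly.
  hdr=$(head -n 5 "$TMPFP")
  hdr=${hdr//$'\r'/}
  printf '%s\n' "$hdr" >> "$LOGFILE"

  # Store in DB, so that we can verify it and find out the spam sending script.
  fpath=$(printf '%s\n' "$hdr" | grep "X-PHP-Script:" | cut -d ' ' -f2)
  log "File Path is $fpath"
  spampath=$(printf '%s\n' "$hdr" | grep "X-PHP-Script:")
  if [[ -z "$fpath" ]]; then
    log "X-PHP-Script not found so storing the address"
    fpath=$(printf '%s\n' "$hdr" | grep "To:" | cut -d ' ' -f2)
  fi
  # Second word of the X-PHP-Script line: "domain/path/to/script.php".
  read -r _first p _rest <<<"$spampath"
  # filename with path (everything after the first "/")
  sp_fi=${p#*/}
  # domain which is sending the spam, leading "www." dropped
  dom=${p%%/*}
  dom=${dom#www.}
  log "dom is $dom"
  # IP which is invoking the spam file: last word of the header line
  spamip=${spampath##* }

  esc=$(sql_escape "$spamip")
  res=$(run_sql "select cnt from IPcount where IP = '$esc' limit 0,1")
  cnt=$res
  log "Spam IP : $spamip Count is $cnt ............................................"
  if [[ -z "$res" ]]; then
    run_sql "INSERT INTO IPcount (cnt,IP) VALUES(1,'$esc');"
  else
    run_sql "update IPcount SET cnt=cnt+1 where IP = '$esc'"
  fi

  # Get the document root of the sending domain from WHM. The domain is sent
  # URL-encoded as a query parameter and the credentials via -u instead of
  # being spliced into the URL.
  log "Dom is $dom"
  docroot=$(curl -s -u "$WHM_USER:$WHM_PASS" -G --data-urlencode "domain=$dom" "$WHM_URL" \
    | grep -Po '"documentroot":.*?[^\\]"' | cut -d'"' -f4)
  printf '%s\n' "$docroot" >> "$LOGFILE"
  read -r res _rest <<<"$docroot"
  two=$res/$sp_fi
  log "Document root & full path is : $two"

  # Destructive actions (chmod/sed/rm) are only allowed on a path that
  # resolves inside the document root WHM returned; without a document root,
  # or if header-supplied components lead elsewhere, they are disabled.
  act_ok=0
  if [[ -n "$res" ]] && under_docroot "$res" "$two"; then
    act_ok=1
  elif [[ -n "$res" ]]; then
    log "Path $two is not inside document root $res, file actions disabled"
  fi

  # Sometimes we get only "/" as the full path; nothing is counted in that case.
  if [[ "$two" == "/" ]]; then
    log "We have got full path as /, we need analyse it"
  else
    # Insert into DB.
    one=$fpath
    file=${one#www.}
    esc=$(sql_escape "$two")
    tmp_res=$(run_sql "select cnt from spamemailcount where path = '$esc' limit 0,1")
    cnt=$tmp_res
    log "File: $two Count is $cnt"
    if [[ -z "$tmp_res" ]]; then
      run_sql "INSERT INTO spamemailcount (cnt,path) VALUES(1,'$esc');"
      # NOTE(review): as in the original, the first message seen from a new
      # path is not delivered - confirm this is intended.
      exit 0
    fi
    run_sql "update spamemailcount SET cnt=cnt+1 where path = '$esc'"
    # Keep the counter numeric so the comparisons below cannot error out.
    cnt=${cnt//[!0-9]/}
    cnt=${cnt:-0}
    tmp_dom=${file%%/*}

    log "Checking for Exception"
    # Check if the file is there in the exception list (fixed-string match).
    if grep -F -- "$two" "$EXCEPTION_LIST" >> "$LOGFILE"; then
      log "This $two is allowed to send emails, But keep a check on $cnt"
      deliver "$@"
      exit 0
    fi

    # Sometimes we are not able to find out the exact file which is sending
    # the spam and end up with only a dir name; count that too.
    if [[ -d "$two" ]] && (( cnt > 20 )); then
      # If not present in the black list already, add it.
      if [[ -n "$tmp_dom" ]] && ! grep -qF -- "$tmp_dom" "$BLACKLIST"; then
        # NOTE(review): this records the domain in SPAM_SENDING_PHP, not in
        # BLACKLIST as the log line suggests - kept as before; confirm.
        printf '%s\n' "$tmp_dom" >> "$SPAM_SENDING_PHP"
        log "Adding the domain $tmp_dom in the black list with count, This is not a file, It is a dir"
      fi
    fi

    log "If count greater than 10"
    if (( cnt > 10 )) && (( act_ok )) && [[ -f "$two" ]]; then
      d=$(date)
      # Each check runs only when the previous ones did not match (as before);
      # 0 = matched, non-zero = not matched.
      pat1=1; pat_eval=1; pat2=1; pat3=1
      if grep -q eval "$two" && grep -q base64_decode "$two"; then
        pat1=0
      fi
      if (( pat1 == 1 )); then
        grep -Pq "(eval *\(.*\))" "$two"
        pat_eval=$?
      fi
      if (( pat1 == 1 && pat_eval == 1 )); then
        grep -m 1 eval "$two" | grep strto | grep -q isset
        pat2=$?
      fi
      if (( pat1 == 1 && pat_eval == 1 && pat2 == 1 )); then
        grep -Eq '(\[[0-9]+\][^\[]*){25,}' "$two"
        pat3=$?
      fi
      # If any one of the patterns matched: disable the file and stop.
      if (( pat1 == 0 || pat_eval == 0 || pat2 == 0 || pat3 == 0 )); then
        log "Pattern pat1 $pat1 pat_eval $pat_eval pat2 $pat2 pat3 $pat3 Matched: Count $cnt"
        chmod 0000 "$two"
        printf '%s %s %s\n' "$two" "$cnt" "$d" >> "$SPAM_SENDING_PHP"
        exit 0
      fi
    fi

    log "If count greater than 40"
    if (( cnt > 40 )) && (( act_ok )) && [[ -f "$two" ]]; then
      if [[ "$two" == *"wp-comments-post.php"* ]]; then
        sed -i '1s/^/This file is sending lots of spam Emails, May be due to not having captcha or your website is hacked. Please look into this problem\nWe are currently suspending this file. If needed, Please fix this problem correctly. If it sends spam Emails again, this file will be deleted automatically. \nIf you have any issues, Kindly send email to support@hostingraja.in/' "$two"
        log "Going to change the mode : $two"
        chmod 0000 "$two"
      elif [[ "$two" == *"index.php" ]]; then
        log "This is index.php file"
        if [[ -n "$tmp_dom" ]] && ! grep -qF -- "$tmp_dom" "$BLACKLIST"; then
          printf '%s\n' "$tmp_dom" >> "$BLACKLIST"
          log "BB: Adding the domain $tmp_dom in the black list with count"
        fi
      else
        log "Changing the mode : $two"
        chmod 0000 "$two"
        #rm -v $2
        d=$(date)
        printf '%s %s %s\n' "$two" "$cnt" "$d" >> "$SPAM_SENDING_PHP"
      fi
    fi
  fi

  log "Directory checking "
  # If we are not able to find the correct location and end up with a
  # directory, look for the originating script inside it ("/" means the
  # document root is unknown, so the search is confined to the home dir).
  if [[ "$two" == "/" ]] || { (( act_ok )) && [[ -d "$two" ]]; }; then
    sfile=$(printf '%s\n' "$hdr" | grep "X-PHP-Originating-Script:" | cut -d':' -f3 | cut -d'(' -f1)
    log "This is a dir $two, The file which is sending spam is $sfile"
    log "The result of find command "
    if [[ "$two" == "/" ]]; then
      log "We have got full path as /, So finding in home dir ${HOME:-} "
      log "Running as $(/usr/bin/whoami)"
      search_root=~
    else
      search_root=$two
    fi
    evaled_found=0
    if [[ -n "$sfile" ]]; then
      # -name takes the header-supplied value as a pattern, confined to search_root.
      while IFS= read -r -d '' tempi; do
        printf '%s\n' "$tempi" >> "$LOGFILE"
        if grep -PHl "(eval *\(.*\))" "$tempi" >> "$LOGFILE"; then
          log "Need to delete $tempi"
          # NOTE(review): the original writes this to /var/log/spam_sending_details.log
          # rather than SPAM_SENDING_PHP - kept as is; confirm which file is meant.
          printf '%s\n' "$tempi" >> /var/log/spam_sending_details.log
          rm -fv -- "$tempi" >> "$LOGFILE"
          evaled_found=1
        else
          log "Not evaled file, doing nothing"
        fi
      done < <(find "$search_root" -name "$sfile" -print0)
    fi
    if (( evaled_found )); then
      exit 0
    fi
  fi

  log "Checking for blacklist"
  if [[ -r "$BLACKLIST" ]]; then
    while IFS= read -r i || [[ -n "$i" ]]; do
      # An empty pattern would match every header line.
      [[ -z "$i" ]] && continue
      if grep "X-PHP-Script" "$TMPFP" | grep -qF -- "$i"; then
        log "Mail Originating from Spammy Domain $i, Not sending"
        head -n 2 "$TMPFP" >> "$LOGFILE"
        exit 0
      fi
    done < "$BLACKLIST"
  fi

  log "Sending Email now.....File name $TMPFP"
  deliver "$@"
  # Uncomment below if you want to keep a copy of the Email (the EXIT trap's
  # rm -f is harmless once the file has been moved).
  #mv "$TMPFP" /home/adodisho/email/
  #newf=${TMPFP##*/}
  #mv "/home/adodisho/email/$newf" "/home/adodisho/email/$newf.eml"
  #chmod 0644 "/home/adodisho/email/$newf.eml"
  # Exit status stays 0 regardless of sendmail's result, as before.
  exit 0
}

main "$@"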