Re: [mod-security-users] (no subject)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

M.Saeed Shaikh wrote:
> Hi,
> 
> Someone is spamming from our mail server. Is there any way to create
> sendmail commands log file. So at least I can see who is using
> sendmail command. I think its usie php/FormMail script for send mail.
> However i alreay implement FormMail rule.
> 
> I just want to create log file whenever sendmail command use.

A simple (but blunt) way to do this would be to replace /bin/sendmail (or 
wherever it is) with a small script that logs whatever you want to log from 
the environment and the command input before passing them on to the real 
sendmail.

This may create too much of an overhead on a busy system however.

In mod_security, you could set up a Location directive for the suspect script, 
which it seems you know, and add in some audit logging rules:

<Location /path/to/formail.php>
	SecAuditEngine On
	SecAuditLog path_to_formail_audit_log
</Location>

If you have an idea about how the script is being exploited, add in a filter 
match and set SecAuditEngine to RelevantOnly, otherwise you'll be logging 
every single request. See the Audit Logging section of the manual.

One question arises: If audit logging is already on, is it possible to 
override the existing SecAuditLog directive for specific Locations?

Terry.

> Thanx.
> 