how to tell what ran what
nvidican at wmptl.com
Wed Feb 15 13:19:43 PST 2006
Glenn McCalley wrote:
>>>>Glenn McCalley schrieb:
>>>>>Is there a way to find out -which- -process- calls another process?
>>>>Each process is associated with a parent; look at the ppid column:
>>>> ps axo user,pid,ppid,command
>>>Thanks, I stated the question poorly. My fault.
>>>Is historical info available and is it available by file name?
>>>I trying to find out (for example) what (unknown) program ran another
>>>(known) program between 0900 and 1000 yesterday - something like that.
>>>I've got a customer sending our emails that he shouldn't - I don't know
>>>which customer it is. The program that sends the mail is running as a
>>>so it all shows up as user "nobody".
>>>If I can get a list of what programs, path and file name, called
>>>over (say) the last 24 hours, one of them should jump off the page with
>>>unreasonable level of activitiy.
>>The web server logs don't tell you anything in the URL data? A CGI script
>>usually has some parameters which might provide some assistance.
> Thanks Brian, that's already tonights project to run through those logs and
> see if anything jumps out there. What I think he might be doing is either
> POSTing the parameters (which won't show up) or he's loaded a file of email
> addresses and just triggers the mailer with a simple cgi request. Either
> way he's got to be calling sendmail or mail to get it out the door I
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
Another option would be to search CGI directories and grep files for
'sendmail'.. if the CGI script calls sendmail externally and it's written in any
non-compiled binary (usually are) - you should be able to grep 'sendmail' * in
each cgi-enabled dir and find the cuplrit.
I've had this happen quite often with my hosting customers, where they put up a
simple Perl script that pipe's it's output to sendmail, and abusers (not
customers), and someone embeds an email in the 'comments' field or similar by
adding header fields. There are of course numerous ways to get around this.
I find human-readable images are amongst the best way and are very easily
implemented (took me a whole 20mins to write the code to do it generically
accross all system for all hosting customers). (ie:
http://www.wmptl.com/cgi-bin/contact.pl) - other ways include stripping colons
from all fields returned via forms, etc.
Just bear in mind, it may be a customer's script causing spam/etc... but may not
be their intention nor fault either. You'll always do better to approach them
with a solution than a complaint.
nvidican at wmptl.com
Windsor Match Plate & Tool Ltd.
More information about the freebsd-questions