Sunday, May 25, 2008

Nobody Prevention Script

A big problem today is the abundance of spammers whose outgoing mail is listed as sent by "Nobody".

This tutorial outlines how to set up a sendmail wrapper script on cPanel-based systems that logs which user or script is sending the mail.

root@yourserver [~]# mv /usr/sbin/sendmail /usr/sbin/sendmail.real
// backup your existing sendmail in the event of an error.

root@yourserver [~]# pico /usr/sbin/sendmail
// Open this badboy up, now paste the code below into it.

Code:

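#!/usr/local/bin/perl

use strict;

# Log who called sendmail, then hand the message to the real binary.
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;                 # effective UID of the caller
my @info = getpwuid($uid);    # passwd entry for that UID
if ($ENV{REMOTE_ADDR}) {
    # Called from a CGI script: log the client address, script and site.
    print INFO "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME} \n";
}
else {
    # Called from a shell or cron job: log the working directory and account.
    print INFO "$date - $ENV{PWD} - @info\n";
}
close (INFO);

my $mailprog = '/usr/sbin/sendmail.real';
# List-form open passes the arguments through unchanged, without a shell.
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close (MAIL);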

Now save the work above...

root@yourserver [~]# chmod +x /usr/sbin/sendmail
// make sendmail executable

root@yourserver [~]# echo > /var/log/formmail.log

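root@yourserver [~]# chmod 755 /var/log/formmail.log
// if it does not work, change this to chmod 777. The wrapper runs as whichever user calls sendmail, so that user needs write access to the log; with 777 any local account can also alter or empty the log.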

root@yourserver [~]# pico /var/log/formmail.log
// above is where all the data is stored; it may take up to a couple of hours for it to begin filling with data. However, if you notice an extreme number of instances of a user sending mail, it may be spam. In the past, without this script, it would list them as "Nobody". With the script in place it lists the user and where the mail is being sent from.
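One way to spot the "extreme amount of instances" in that log, as an added example that is not part of the original script: it counts entries per CGI script or per local account in the two line formats the wrapper writes. The sample lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats the wrapper writes:
#   CGI:      "<date> - <REMOTE_ADDR> ran <SCRIPT_NAME> at <SERVER_NAME>"
#   non-CGI:  "<date> - <PWD> - <getpwuid fields joined by spaces>"
SAMPLE_LOG = """\
Sun May 25 10:01:02 EDT 2008 - 203.0.113.7 ran /cgi-bin/contact.pl at www.example.com
Sun May 25 10:01:03 EDT 2008 - 203.0.113.7 ran /cgi-bin/contact.pl at www.example.com
Sun May 25 10:01:04 EDT 2008 - 198.51.100.9 ran /cgi-bin/contact.pl at www.example.com
Sun May 25 10:02:00 EDT 2008 - /home/alice/public_html - alice x 501 501   /home/alice /bin/bash
Sun May 25 10:05:00 EDT 2008 - /home/bob - bob x 502 502   /home/bob /bin/bash
not a wrapper line
"""

CGI = re.compile(r"^(?P<ip>\S+) ran (?P<script>\S*) at (?P<host>\S*)\s*$")


def classify(line):
    """Return a (kind, source) key for one log line, or None if unparseable."""
    parts = line.rstrip("\n").split(" - ", 2)
    if len(parts) == 2:
        # CGI entry: group by site + script, since client addresses vary.
        m = CGI.match(parts[1])
        return ("cgi", m["host"] + m["script"]) if m else None
    if len(parts) == 3 and parts[2].split():
        # Shell/cron entry: the first getpwuid field is the account name.
        return ("user", parts[2].split()[0])
    return None


def heavy_senders(lines, threshold):
    """Count entries per source; return those at or above threshold, busiest first."""
    counts = Counter(k for k in map(classify, lines) if k)
    return [(k, n) for k, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # On a server, pass open("/var/log/formmail.log") instead of the sample.
    for (kind, source), n in heavy_senders(SAMPLE_LOG.splitlines(), 2):
        print(f"{n:6d}  {kind:4s}  {source}")
```

The threshold of 2 only suits the sample; on a live server pick a value based on what normal accounts send in the period the log covers.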
--------------------------------------------------------------------------
As always, it's a good idea to routinely check who is running perl processes and how many, as this is another large gateway for outgoing spam.

root@yourserver [~]# ps aux | grep perl
// if you see a user with one too many perl processes running, and nothing much going on at his site, in most cases that I've seen this is the source of spam.
__________________

Saturday, April 12, 2008

I am not able to use WGET ?

cp /usr/bin/wget /usr/bin/mywget

chmod 751 /usr/bin/mywget

How to remove the blocked ip using iptables

  1. First check whether the IP is blocked:

iptables -L -n | grep 125.99.10.123

DROP all -- 125.99.10.123 216.240.157.91

  2. To unblock the IP, give the command:

iptables -D INPUT -s 125.99.10.123 -d 216.240.157.91 -j DROP

Now the ip is unblocked.

How to block the IP using iptables

/sbin/iptables -A INPUT -s 81.91.64.167 -j DROP

Awstats just disappeared from the cpanel

  1. Login to the WHM of the server for that domain.
  2. Go to Server configuration->Tweak setting
  3. Just click on the “Awstats stats” option in Stats program.
  4. It will take 1-2 hours to reflect the changes.
Now login to the cpanel of the user and you can see the awstats option in Web FTP/stats.

How to make empty file?

echo -n > filename

OR

cat > filename (then press Ctrl+D. The file will be empty)

How to directly run webstat through IE (i.e. domainname.com/webstat)

cd /home/username/public_html

ln -s ../tmp/webalizer webstat

cd ..

chmod 755 tmp

cd tmp

chmod 755 webalizer

Client only wants horde to work for the mail and not neomail or roundcube or squirrelmail. The solution is as follows:

1)create subdomain name

2)add these in .htaccess

RewriteEngine on

RewriteCond %{HTTP_HOST} ^email\.cedenar\.com\.co$ [OR]

RewriteCond %{HTTP_HOST} ^www\.email\.cedenar\.com\.co$

RewriteRule ^(.*)$ http://email.cedenar.com.co:2095/horde/login.php [R=301,L]

3)create a test email account and check it.