Date:      Wed, 15 Feb 2006 16:21:27 -0500
From:      Nathan Vidican <nvidican@wmptl.com>
To:        Glenn McCalley <techlist@bnetmd.net>
Cc:        questions@freebsd.org
Subject:   Re: how to tell what ran what
Message-ID:  <43F39B57.3000405@wmptl.com>
In-Reply-To: <002d01c63274$639f0980$6601a8c0@bnetmd.net>
References:  <005701c63241$dbb3e220$6601a8c0@bnetmd.net> <43F3531E.8080205@cs.tu-berlin.de> <002601c6326e$da0fd5a0$6601a8c0@bnetmd.net> <46981.4.17.250.5.1140036274.squirrel@webmail.psys.org> <002d01c63274$639f0980$6601a8c0@bnetmd.net>

Glenn McCalley wrote:
>>>
>>>>Glenn McCalley schrieb:
>>>>
>>>>
>>>>>Is there a way to find out -which- -process- calls another process?
>>>>
>>>>Each process is associated with a parent; look at the ppid column:
>>>>
>>>>   ps axo user,pid,ppid,command
>>>>
>>>>Björn
>>>>
>>>>
>>>
>>>Thanks, I stated the question poorly.  My fault.
>>>Is historical info available and is it available by file name?
>>>
>>>I'm trying to find out (for example) what (unknown) program ran another
>>>(known) program between 0900 and 1000 yesterday - something like that.
>>>
>>>I've got a customer sending our emails that he shouldn't - I don't know
>>>which customer it is.  The program that sends the mail is running as a cgi
>>>so it all shows up as user "nobody".
>>>
>>>If I can get a list of what programs, path and file name, called sendmail
>>>over (say) the last 24 hours, one of them should jump off the page with an
>>>unreasonable level of activity.
>>>
>>
>>The web server logs don't tell you anything in the URL data?  A CGI script
>>usually has some parameters which might provide some assistance.
>>
>>brian
>>
>>
>>--
>>Brian Sobolak
>>http://www.planetshwoop.com/
>>
>>
> 
> Thanks Brian, that's already tonight's project to run through those logs and
> see if anything jumps out there.  What I think he might be doing is either
> POSTing the parameters (which won't show up) or he's loaded a file of email
> addresses and just triggers the mailer with a simple cgi request.  Either
> way he's got to be calling sendmail or mail to get it out the door I
> believe.
> Thanks!
> Glenn.
> 
> 
Another option would be to search CGI directories and grep files for 
'sendmail'.. if the CGI script calls sendmail externally and it's written in any 
non-compiled binary (usually are) - you should be able to grep 'sendmail' * in 
each cgi-enabled dir and find the culprit.

I've had this happen quite often with my hosting customers, where they put up a 
simple Perl script that pipes its output to sendmail, and abusers (not 
customers), and someone embeds an email in the 'comments' field or similar by 
adding header fields. There are of course numerous ways to get around this.

I find human-readable images are amongst the best way and are very easily 
implemented (took me a whole 20mins to write the code to do it generically 
across all systems for all hosting customers). (ie: 
http://www.wmptl.com/cgi-bin/contact.pl) - other ways include stripping colons 
from all fields returned via forms, etc.

Just bear in mind, it may be a customer's script causing spam/etc... but may not 
be their intention nor fault either. You'll always do better to approach them 
with a solution than a complaint.



-- 
Nathan Vidican
nvidican@wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
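To make the header-injection abuse Nathan describes concrete, here is an added illustration that is not code from the thread (Python rather than the Perl form scripts he mentions; the form submission and field names are constructed): the pipe-to-sendmail pattern that pastes form fields straight into header lines, a hardened builder that rejects any header-bound value spanning more than one line, and a check that reads the headers back the way an MTA would.

```python
import re

# Constructed sample submission: the "email" field, which the script pastes
# into the From: header, smuggles in an extra Bcc: header on a second line.
INJECTED_FIELDS = {
    "name": "Jane Doe",
    "email": "jane@example.org\nBcc: victim1@example.net, victim2@example.net",
    "comments": "Hello, please call me back.",
}
BENIGN_FIELDS = dict(INJECTED_FIELDS, email="jane@example.org")

def render_message(fields, to_addr):
    """The vulnerable pattern: form fields dropped straight into header lines,
    exactly what a naive 'print MAIL "From: $email\\n"' does before piping to sendmail."""
    return (f"To: {to_addr}\n"
            f"From: {fields['email']}\n"
            f"Subject: Contact form from {fields['name']}\n"
            f"\n{fields['comments']}\n")

LINE_BREAK = re.compile(r"[\r\n]")

def is_header_safe(value):
    """A header value is a single line; any CR or LF means an injection attempt."""
    return LINE_BREAK.search(value) is None

def build_message_safe(fields, to_addr="owner@example.com"):
    """Hardened form: every field that lands in the header block must be one line.
    The free-text comment only ever goes into the body, where extra lines are harmless."""
    for key in ("name", "email"):
        if not is_header_safe(fields[key]):
            raise ValueError(f"header injection attempt in field {key!r}")
    return render_message(fields, to_addr)

def parse_headers(message):
    """Read the header block back as an MTA would: everything up to the first
    blank line, one 'Name: value' per line, names lower-cased."""
    head = message.split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def has_injected_recipients(message):
    """True when the header block carries a recipient header the form never sets."""
    return any(h in parse_headers(message) for h in ("bcc", "cc"))

if __name__ == "__main__":
    print(has_injected_recipients(render_message(INJECTED_FIELDS, "owner@example.com")))  # True
    try:
        build_message_safe(INJECTED_FIELDS)
    except ValueError as err:
        print("rejected:", err)
```

The same one-line rule applies to any other field that reaches a header (Subject, Reply-To); stripping colons, as suggested above, is a cruder version of the same idea but does not stop a bare newline from ending the header block early.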


