Trace source of Suhosin Log Entry

chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Trace source of Suhosin Log Entry

Post by chrismcb

Hi,

I have the Suhosin extension installed for PHP and have received the following alert a few times over the past few days:

Code:

Feb 24 10:16:55 server suhosin[23852]: ALERT - function within blacklist called: popen() (attacker 'xxx.xxx.xxx.xxx', file '/usr/share/psa-pear/Mail/sendmail.php', line 146)
popen() is a disabled function - so it correctly blocks it.

My question is: how do I go about tracing where the function call came from?

I don't believe anything should be using the function and it's making me think something is trying to use it that shouldn't.

The IP address (which I've removed) looks like a genuine one (i.e. not mapping to a Taiwan or other ISP), but searching for things like POP connections from it to try to deduce the VHOST has turned up nothing.


Any ideas?


Thanks
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Trace source of Suhosin Log Entry

Post by faris

It could well be webmail (horde) if you are using Plesk. Webmail won't work without popen using the default configuration.

If it really is webmail then you'll just need to configure it to use smtp instead. There's a nice thread on the forum somewhere about how to do this.
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: Trace source of Suhosin Log Entry

Post by chrismcb

Thanks Faris.

I know it isn't Horde or webmail - as I've removed Horde and replaced Atmail with Roundcube.
Suhosin was installed for this specific reason - allowing the webmails to use specific functions that regular domains can't.

If I recall, I did set Roundcube up to use SMTP with the current logged-in user's details too.



I think it's more like some sort of PHP system that was created a long time ago before I deployed ASL - I just hoped that Suhosin would give the next level of the trace of error.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Trace source of Suhosin Log Entry

Post by faris

Yeah, I hate these errors that tell you what happened but not what caused it.

I'm guessing you might find something in /var/log/messages/httpd/error_log - not necessarily a Suhosin alert, but something from apache/php saying something didn't work.

If it isn't in there, grep all the individual vhost error logs for entries that happened at the same time, or relate to sendmail.php.
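The grep-by-timestamp approach faris describes, written out as an added example (not code from the thread or from Suhosin/Plesk): take the Suhosin alert line from syslog, reduce its timestamp to the minute and pull out the reported attacker address, then scan every per-vhost Apache error_log for lines from the same minute, from that address, or mentioning sendmail.php, printing the vhost name in front of each hit. The log layout (/<root>/<domain>/error_log) is an assumption that stands in for Plesk's per-domain directories, and every log line below is a constructed sample, including the 203.0.113.x address from the documentation range.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread. Correlates one Suhosin
# syslog alert with per-vhost Apache error logs so the offending vhost (and
# often the referring script) can be identified. Layout and log lines are
# constructed samples; adjust the vhost root for your server.
set -eu

# Reduce "Feb 24 10:16:55 ..." to minute precision: "Feb 24 10:16".
alert_minute() {
    printf '%s\n' "$1" | awk '{ sub(/:[0-9][0-9]$/, "", $3); print $1, $2, $3 }'
}

# Pull the address Suhosin reports as "attacker 'x.x.x.x'".
alert_attacker() {
    printf '%s\n' "$1" | sed -n "s/.*attacker '\([^']*\)'.*/\1/p"
}

# Usage: correlate_alert "<suhosin alert line>" <vhost root dir>
# Prints "<vhost> <error_log line>" for every line logged in the same minute,
# from the same client address, or that mentions sendmail.php.
correlate_alert() {
    alert=$1; root=$2
    minute=$(alert_minute "$alert")
    ip=$(alert_attacker "$alert")
    # Apache stamps error_log as "[Fri Feb 24 10:16:55 2012]", so a fixed-string
    # search for "Feb 24 10:16" matches entries from the same minute.
    for log in "$root"/*/error_log; do
        vhost=$(basename "$(dirname "$log")")
        grep -F -e "$minute" -e "$ip" -e "sendmail.php" "$log" 2>/dev/null \
            | sed "s|^|$vhost |"
    done
}

# --- constructed fixtures (hypothetical vhosts and log lines) ---------------
ALERT="Feb 24 10:16:55 server suhosin[23852]: ALERT - function within blacklist called: popen() (attacker '203.0.113.7', file '/usr/share/psa-pear/Mail/sendmail.php', line 146)"

make_fixtures() {
    fx=$(mktemp -d)
    mkdir -p "$fx/example.com" "$fx/example.org" "$fx/example.net"
    # Quiet vhost: nothing near the alert time, different client, no sendmail.php.
    printf '%s\n' "[Fri Feb 24 08:02:11 2012] [error] [client 198.51.100.9] File does not exist: /var/www/vhosts/example.com/httpdocs/favicon.ico" > "$fx/example.com/error_log"
    # Suspect vhost: PHP warning in the same minute from the same address, with a referer naming the calling script.
    printf '%s\n' "[Fri Feb 24 10:16:55 2012] [error] [client 203.0.113.7] PHP Warning:  Mail_sendmail::send(): popen() has been disabled for security reasons in /usr/share/psa-pear/Mail/sendmail.php on line 146, referer: http://example.org/contact.php" > "$fx/example.org/error_log"
    # Unrelated vhost that merely has its own sendmail.php at a different time; still worth a look.
    printf '%s\n' "[Thu Feb 23 22:40:01 2012] [error] [client 192.0.2.5] PHP Notice:  Undefined index: to in /var/www/vhosts/example.net/httpdocs/lib/sendmail.php on line 9" > "$fx/example.net/error_log"
    printf '%s\n' "$fx"
}

# Run against the constructed fixtures: ./correlate.sh --demo
if [ "${1:-}" = "--demo" ]; then
    correlate_alert "$ALERT" "$(make_fixtures)"
fi
```

On a real server you would pass the actual alert line (for example the output of grep suhosin /var/log/messages) and the directory that holds the vhost logs; the same-minute match is deliberately loose because Suhosin and Apache write their own timestamps and may differ by a second, and the referer field in the matching warning is usually what names the script that triggered the mail call.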
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: Trace source of Suhosin Log Entry

Post by chrismcb

Thanks, will keep an eye out for the next one and get grepping!