Exim: Too many processes

**phpcoder1** · 12-20-2005 08:08 PM

I got a call from my datacenter and they told me that my VPS was unplugged for a few hours due to too many processes. When I told them to plug it back in, one hour later, I saw my server load shoot to 50.00. I did ps -ax:

Originally Posted by Had to skim down due to too large of a quote

8203 pts/1 S 0:00 -bash
5818 ? S 0:00 CROND
5820 ? Z 0:00 [cpanel <defunct>]
5831 ? S 0:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem root
6197 ? SN 3:42 cpanellogd - setting up logs for habbolin
6265 ? S 0:00 /usr/bin/stunnel-4.04local /usr/local/cpanel/etc/stun
...
6283 ? S 0:00 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/b
6300 ? S 0:01 cppop - accepting on port 110
32207 ? S 0:00 /usr/bin/stunnel-4.04local /usr/local/cpanel/etc/stun
20764 ? SN 0:00 cpanellogd - http logs for habbolin
20767 ? SN 0:00 /usr/local/cpanel/bin/logrunner 4.0 /usr/local/cpanel
20867 ? TN 0:00 /usr/local/cpanel/3rdparty/bin/english/webalizer -N 1
22872 ? S 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql
...
27006 ? S 0:02 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
19304 ? S 0:00 pure-ftpd (IDLE)
24102 ? S 0:00 /usr/bin/perl /usr/local/cpanel/bin/leechprotect
24103 ? S 0:08 /usr/local/apache/bin/httpd -DSSL
24104 ? S 0:32 /usr/local/apache/bin/httpd -DSSL
24105 ? S 0:03 /usr/local/apache/bin/httpd -DSSL
...
24136 ? S 0:08 /usr/local/apache/bin/httpd -DSSL
30643 ? S 0:00 pure-ftpd (IDLE)
17552 ? S 0:00 /usr/sbin/exim -Mc 1EotGV-0004Z2-7A
17562 ? S 0:00 /usr/sbin/exim -Mc 1EotGW-0004ZF-1V
17564 ? S 0:00 /usr/sbin/exim -Mc 1EotGV-0004Z2-7A
17568 ? S 0:00 /usr/sbin/exim -Mc 1EotGW-0004ZF-1V
17601 ? S 0:00 /usr/sbin/exim -Mc 1EotGW-0004ZL-V8
...
17630 ? S 0:00 /usr/sbin/exim -Mc 1EotGX-0004a3-Uu
17631 ? S 0:00 /usr/sbin/exim -Mc 1EotGX-0004a3-Uu
17633 ? S 0:00 /usr/sbin/exim -Mc 1EotGY-0004aD-Vb
17634 ? S 0:00 /usr/sbin/exim -Mc 1EotGY-0004a7-NT
17643 ? S 0:00 /usr/sbin/exim -Mc 1EotGZ-0004aH-LA
17644 ? S 0:00 /usr/sbin/exim -Mc 1EotGb-0004aS-NV
17646 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ab-0J
17648 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ad-7F
17652 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ag-HQ
17654 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ab-0J
17655 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ab-0J
17658 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004aj-SM
17664 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ag-HQ
17665 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ag-HQ
17666 ? S 0:00 /usr/sbin/exim -Mc 1EotGd-0004ap-8x
17668 ? S 0:00 /usr/sbin/exim -Mc 1EotGd-0004ax-Io
17670 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004aj-SM
17671 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004aj-SM
...
17683 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ad-7F
17684 ? S 0:00 /usr/sbin/exim -Mc 1EotGe-0004az-43
17685 ? S 0:00 /usr/sbin/exim -Mc 1EotGe-0004az-43
17686 ? S 0:00 /usr/sbin/exim -Mc 1EotGc-0004ad-7F
17688 ? S 0:00 /usr/sbin/exim -Mc 1EotGe-0004bC-VB
17689 ? S 0:00 /usr/sbin/exim -Mc 1EotGe-0004b3-FX
17691 ? S 0:00 /usr/sbin/exim -Mc 1EotGe-0004b3-FX
17692 ? S 0:00 /usr/sbin/exim -Mc 1EotGf-0004bK-Aq
17695 ? S 0:00 /usr/sbin/exim -Mc 1EotGe-0004bC-VB
17696 ? S 0:00 /usr/sbin/exim -Mc 1EotGf-0004bN-Ma
...
17738 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004bw-4j
17739 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004bw-4j
17741 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004c3-OR
17743 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004cA-Ub
17744 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004c0-Fe
17748 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004c3-OR
17749 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004c3-OR
17750 ? S 0:00 /usr/sbin/exim -Mc 1EotGh-0004cF-Ft
17752 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004cA-Ub
17753 ? S 0:00 /usr/sbin/exim -Mc 1EotGg-0004cA-Ub
17755 ? S 0:00 /usr/sbin/exim -Mc 1EotGh-0004c5-35
17756 ? S 0:00 /usr/sbin/exim -Mc 1EotGh-0004c5-35
17757 ? S 0:00 /usr/sbin/exim -Mc 1EotGh-0004cJ-OO
...
17782 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cl-2B
17789 ? S 0:00 /usr/sbin/exim -Mc 1EotGj-0004ch-MK
17790 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cp-Qd
17824 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cr-RA
17828 ? S 0:00 /usr/sbin/exim -Mc 1EotGl-0004dX-NE
17831 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cp-Qd
17832 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cp-Qd
17833 ? S 0:00 /usr/sbin/exim -Mc 1EotGm-0004dZ-Rp
17839 ? S 0:00 /usr/sbin/exim -Mc 1EotGl-0004dX-NE
17840 ? S 0:00 /usr/sbin/exim -Mc 1EotGl-0004dX-NE
17841 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cl-2B
17842 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cl-2B
17843 ? S 0:00 /usr/sbin/exim -Mc 1EotGn-0004di-Re
17844 ? S 0:00 /usr/sbin/exim -Mc 1EotGk-0004cr-RA
17847 ? S 0:00 /usr/sbin/exim -Mc 1EotGo-0004dq-Fw
17852 ? S 0:00 /usr/sbin/exim -Mc 1EotGo-0004dq-Fw
17855 ? S 0:00 /usr/sbin/exim -Mc 1EotGo-0004dq-Fw
17856 ? S 0:00 /usr/sbin/exim -Mc 1EotGn-0004di-Re
17857 ? S 0:00 /usr/sbin/exim -Mc 1EotGn-0004di-Re
17860 ? S 0:00 /usr/sbin/exim -Mc 1EotGm-0004dZ-Rp
17868 ? S 0:00 /usr/sbin/exim -Mc 1EotGm-0004dZ-Rp
17931 ? S 0:00 CROND
17932 ? S 0:00 CROND
18503 ? S 0:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem root
18838 ? S 0:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem root
18900 ? S 0:02 /usr/sbin/exim -odi -Mc 1EotGt-0004oR-8T
18980 ? S 0:00 /usr/sbin/exim -Mc 1EotGt-0004lq-8h
19003 ? S 0:02 /usr/sbin/exim -odi -Mc 1EotH1-0004tq-06
19044 ? S 0:00 /usr/sbin/exim -Mc 1EotH3-0004wC-RL
19058 ? S 0:00 /usr/sbin/exim -Mc 1EotH5-0004xI-By
19168 ? S 0:00 /usr/sbin/exim -Mc 1EotH6-0004xU-6z
19245 ? S 0:00 /usr/sbin/exim -Mc 1EotH7-00050A-Jc
19258 ? S 0:00 /usr/sbin/exim -Mc 1EotH8-00050Q-I6
19262 ? S 0:00 /usr/sbin/exim -Mc 1EotH3-0004wC-RL
19263 ? S 0:00 /usr/sbin/exim -Mc 1EotH3-0004wC-RL
19289 ? S 0:00 /usr/sbin/exim -Mc 1EotGt-0004lq-8h
19290 ? S 0:00 /usr/sbin/exim -Mc 1EotH9-00050z-TH
19291 ? R 0:01 /usr/sbin/exim -Mc 1EotGt-0004lq-8h
...
19507 ? S 0:00 /usr/sbin/exim -Mc 1EotH9-00050z-TH
19557 ? S 0:00 /usr/sbin/exim -Mc 1EotH9-00050z-TH
19559 ? S 0:00 /usr/sbin/exim -Mc 1EotH8-00050Q-I6
19573 ? S 0:00 /usr/sbin/exim -Mc 1EotHD-00054T-EM
...
19769 ? S 0:00 /usr/sbin/exim -Mc 1EotHI-000571-De
19770 ? S 0:00 /usr/sbin/exim -Mc 1EotHI-000571-De
19771 ? S 0:00 /usr/sbin/exim -Mc 1EotHG-00056g-Mg
19772 ? S 0:00 /usr/sbin/exim -Mc 1EotHG-00056g-Mg
19774 ? S 0:00 /usr/sbin/exim -Mc 1EotHM-00058q-56
19776 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
19777 ? S 0:00 /usr/sbin/exim -Mc 1EotHJ-00057w-5y
19778 ? S 0:00 /usr/sbin/exim -Mc 1EotHJ-00057w-5y
19779 ? S 0:00 /usr/sbin/exim -Mc 1EotHM-00058x-Rd
19782 ? S 0:00 /usr/sbin/exim -Mc 1EotHN-000592-Mh
19785 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
19786 ? S 0:00 /usr/sbin/exim -Mc 1EotHO-000596-OK
19789 ? S 0:00 /usr/sbin/exim -Mc 1EotHP-000599-Dg
19791 ? S 0:00 /usr/sbin/exim -Mc 1EotHN-000592-Mh
19792 ? S 0:00 /usr/sbin/exim -Mc 1EotHN-000592-Mh
19793 ? S 0:00 /usr/sbin/exim -Mc 1EotHK-00058b-DZ
19794 ? S 0:00 /usr/sbin/exim -Mc 1EotHK-00058b-DZ
19795 ? S 0:00 /usr/sbin/exim -Mc 1EotHL-00058l-F1
19796 ? S 0:00 /usr/sbin/exim -Mc 1EotHL-00058l-F1
...
19808 ? S 0:00 /usr/sbin/exim -Mc 1EotHM-00058q-56
19809 ? S 0:00 /usr/sbin/exim -Mc 1EotHM-00058q-56
19811 ? S 0:00 /usr/sbin/exim -Mc 1EotHQ-00059C-O8
19812 ? S 0:00 /usr/sbin/exim -Mc 1EotHQ-00059C-O8
19813 ? S 0:00 /usr/sbin/exim -Mc 1EotHO-000596-OK
19814 ? S 0:00 /usr/sbin/exim -Mc 1EotHO-000596-OK
19815 ? S 0:00 /usr/sbin/exim -Mc 1EotHP-000599-Dg
19816 ? R 0:00 /usr/sbin/exim -Mc 1EotHT-00059T-ES
19817 pts/1 R 0:00 ps -ax
19822 ? R 0:00 /usr/sbin/exim -odi -t -oem -oi -f <> -E1EotH1-0004tq
19823 ? S 0:00 /usr/sbin/exim -Mc 1EotHP-000599-Dg
19824 ? R 0:00 /usr/sbin/exim -Mc 1EotHU-00059e-1q
19827 ? S 0:00 /usr/sbin/exim -Mc 1EotHM-00058x-Rd
19828 ? S 0:00 /usr/sbin/exim -Mc 1EotHM-00058x-Rd
19829 ? S 0:00 /usr/sbin/exim -Mc 1EotHS-00059N-3x
19830 ? S 0:00 /usr/sbin/exim -Mc 1EotHS-00059N-3x
19831 ? R 0:00 /usr/sbin/sendmail -t -i
19832 ? R 0:00 sh -c /usr/sbin/sendmail -t -i
19833 ? R 0:00 /usr/sbin/exim -Mc 1EotHT-00059T-ES
19834 ? S 0:00 /usr/sbin/exim -Mc 1EotHR-00059K-Cu
19835 ? R 0:00 /usr/sbin/exim -Mc 1EotHR-00059K-Cu

It is a VPS, so I don't think APF and BFD won't work here. Can anybody help?

**Manuel_accu** · 12-20-2005 10:11 PM

It seems that some user is spamming from your server...! for quick action clear the exim mail queue.

**phpcoder1** · 12-21-2005 03:43 PM

Can you tell me how?

**aby** · 12-21-2005 03:50 PM

'rm -rf /var/spool/exim/input' will do it

But you should investigate more and find the source script or domain and take actions so as to
really help you out of this issue.

**Manuel_accu** · 12-21-2005 07:52 PM

Pass the below mentioned command at your command prompt to find the domain which is being used by spammers.

# exim -bpr | exiqsumm -c | head

Then,

#exiqgrep -ir <domain> | xargs -n1 exim -Mrm

That should remove any e-mail that is in the queue that is waiting to be delivered to POP accounts at <domain>.

**phpcoder1** · 12-22-2005 08:17 PM

Originally Posted by aby

'rm -rf /var/spool/exim/input' will do it

But you should investigate more and find the source script or domain and take actions so as to
really help you out of this issue.

How would I find out?

**aby** · 12-22-2005 08:34 PM

Originally Posted by phpcoder1

How would I find out?

I didn't get you ? But one thing .. removing the mailque as i specified is not generally advisable otherwise in case of the extreme.. you need to act really fast... since it may cause many genuine mails to be lost. But I repeat what i have suggested you in the previous post..
you shouls investigate more and find the root cause or get somebody who can help you

This thread should give you some idea abt the mail queue.

http://forums.cpanel.net/showthread.php?t=30820
http://forums.cpanel.net/showthread.php?t=41071

**lloyd_tennison** · 12-22-2005 09:00 PM

First emergency thing to do is to limit the amount of mail that can be sent per hour. Then start looking at everything else.

**IPSecureNetwork** · 12-23-2005 05:33 AM

i`ve the same problem exactly the same and i found some script php making spamm relaying from my server..
just restrict the permission of the nobodys user and inhabilitate to send mails even whit users whit suexec permissions..

in WHM / Tweak Security

check this box

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

**dev_cw** · 12-23-2005 09:48 AM

Originally Posted by west-domains

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

Just so I am clear - this option will prevent 'nobody' from sendin to remote addresses but 'nobody' will still be able to send to local addresses. Am I correct?

If so this sounds like a good thing to have activated.

LinkBack

Thread Tools

Exim: Too many processes

Exim too many processes

Too much Exim Processes.

Too much Exim Processes.

Exim processes hung

Exim Processes Spawned