Hello!
First Post so please be gentle...
The user mailnull is causing a LOT of issues. I'm wondering if I'm not the subject of an attack.
There will be up to 15 'mailnulls' at a time, many with a CPU of '0' and several with CPU of over 5.
Lots of 'NOBODY' HTTP connections also. Also with varying CPUS
A few days ago I paid somebody to clean my server as it had another issue, so I know that the server has not been 'hacked' or exploited. This guy did a GREAT JOB! I would recommend him to anybody!
Here is what I've done:
1) Tried this:
ls -al /proc/xxxx
Which in this case shows:
-r--r--r-- 1 root root 0 Jun 2 19:30 cmdline
-r--r--r-- 1 root root 0 Jun 2 19:30 cpu
lrwxrwxrwx 1 root root 0 Jun 2 19:30 cwd -> /var/spool/exim/
-r-------- 1 root root 0 Jun 2 19:30 environ
lrwxrwxrwx 1 root root 0 Jun 2 19:30 exe -> /usr/sbin/exim*
dr-x------ 2 root root 0 Jun 2 19:30 fd/
-r--r--r-- 1 root root 0 Jun 2 19:30 maps
-rw------- 1 root root 0 Jun 2 19:30 mem
-r--r--r-- 1 root root 0 Jun 2 19:30 mounts
lrwxrwxrwx 1 root root 0 Jun 2 19:30 root -> //
-r--r--r-- 1 root root 0 Jun 2 19:30 stat
-r--r--r-- 1 root root 0 Jun 2 19:30 statm
-r--r--r-- 1 root root 0 Jun 2 19:30 status
Then:
cat /proc/xxxx/environ
To try to find the user. The user is my server.
The mail queue is clean.
BFD, APF, Chroot, and Mod Security are enabled and running normally.
Extended logging is on and it shows failed emails from a variety of different IP addresses. I assume this is the 'bounce' from an invalid address from a spoof.
I have looked like crazy on CPANEL FORUMS and GOOGLE to see what I can do.
CPU hovers at about .5 when mailnull is behaving. 1.5-2.5 when it is not.
I'm a little bit better than a 'newbie' at this. I've been doing WHM/CPANEL for about a year or so, and have lived on these forums (but never posted).
Anyway, here are my questions if anybody will be so kind as to reply:
1) Is mailnull the administrative mail account (auto send and such)? I haven't found a definitive answer...
2) Is there an answer to what is going on with this server?
Any answers are definitely appreciated.


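The /proc checks described in the post above (ls -al /proc/xxxx, then cat /proc/xxxx/environ), repeated for every process owned by one user, as an added example that is not part of the original post. The function names, the optional proc-root argument and the choice of environment variables to print are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: /proc triage for one user's processes.
# The optional PROC_ROOT argument (hypothetical) lets the functions read a constructed tree.

# pids_for_uid UID [PROC_ROOT]: print each PID whose real UID matches.
pids_for_uid() {
    uid=$1; root=${2:-/proc}
    for st in "$root"/[0-9]*/status; do
        [ -r "$st" ] || continue
        owner=$(awk '/^Uid:/ {print $2; exit}' "$st" 2>/dev/null)
        [ "$owner" = "$uid" ] && basename "$(dirname "$st")"
    done
    return 0
}

# proc_summary PID [PROC_ROOT]: one line with binary, working directory, arguments.
proc_summary() {
    pid=$1; dir="${2:-/proc}/$pid"
    [ -d "$dir" ] || return 1
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
    # cmdline is NUL-separated; it is empty for kernel threads and zombies.
    cmd=$(tr '\0' ' ' < "$dir/cmdline" | sed 's/ *$//')
    printf 'pid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$exe" "$cwd" "${cmd:-?}"
}

# proc_env PID [PROC_ROOT]: selected variables from the NUL-separated environ file.
# Reading environ needs root or the process owner. The variable list is an
# assumption: login identity plus common CGI variables a process may inherit.
proc_env() {
    env_file="${2:-/proc}/$1/environ"
    [ -r "$env_file" ] || return 0
    tr '\0' '\n' < "$env_file" |
        grep -E '^(USER|HOME|PWD|SCRIPT_FILENAME|REMOTE_ADDR)=' || true
}

# Usage: sh triage.sh USERNAME   (run as root so exe, cwd and environ are readable)
if [ -n "${1:-}" ]; then
    target=$(id -u "$1") || exit 1
    for p in $(pids_for_uid "$target"); do
        proc_summary "$p"
        proc_env "$p" | sed 's/^/    /'
    done
fi
```

Processes that exit between the listing and the read simply produce no summary line, which is expected with short-lived mail deliveries.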
