Thread: id mailnull causing LOTS of issues

  1. #1
    Registered Member
    Join Date
    Aug 2005
    Posts
    46

    id mailnull causing LOTS of issues

    Hello!

    First Post so please be gentle...

    The user mailnull is causing a LOT of issues. I'm wondering if I'm not the subject of an attack.

    There will be up to 15 'mailnulls' at a time, many with a CPU of '0' and several with CPU of over 5.

    Lots of 'NOBODY' HTTP connections also. Also with varying CPUS

    A few days ago I paid somebody to clean my server as it had another issue, so I know that the server has not been 'hacked' or exploited. This guy did a GREAT JOB! I would recommend him to anybody!

    Here is what I've done:

    1) Tried this:

    ls -al /proc/xxxx

    Which in this case shows:

    -r--r--r-- 1 root root 0 Jun 2 19:30 cmdline
    -r--r--r-- 1 root root 0 Jun 2 19:30 cpu
    lrwxrwxrwx 1 root root 0 Jun 2 19:30 cwd -> /var/spool/exim/
    -r-------- 1 root root 0 Jun 2 19:30 environ
    lrwxrwxrwx 1 root root 0 Jun 2 19:30 exe -> /usr/sbin/exim*
    dr-x------ 2 root root 0 Jun 2 19:30 fd/
    -r--r--r-- 1 root root 0 Jun 2 19:30 maps
    -rw------- 1 root root 0 Jun 2 19:30 mem
    -r--r--r-- 1 root root 0 Jun 2 19:30 mounts
    lrwxrwxrwx 1 root root 0 Jun 2 19:30 root -> //
    -r--r--r-- 1 root root 0 Jun 2 19:30 stat
    -r--r--r-- 1 root root 0 Jun 2 19:30 statm
    -r--r--r-- 1 root root 0 Jun 2 19:30 status

    Then:

    cat /proc/xxxx/environ

    To try to find the user. The user is my server.

    The mail queue is clean.

    BFD, APF, Chroot, and Mod Security are enabled and running normally.

    Extended logging is on and it shows failed emails from a variety of different IP addresses. I assume this is the 'bounce' from an invalid address from a spoof.

    I have looked like crazy on CPANEL FORUMS and GOOGLE to see what I can do.

    CPU hovers at about .5 when mailnull is behaving. 1.5-2.5 when it is not.

    I'm a little bit better than a 'newbie' at this. I've been doing WHM/CPANEL for about a year or so, and have lived on these forums (but never posted).

    Anyway, here are my questions if anybody will be so kind as to reply:

    1) Is mailnull the administrative mail account (auto send and such?) I haven't found a definitive answer...

    2) Is there an answer to what is going on with this server?

    Any answers are definitely appreciated.

  2. #2
    Registered Member
    Join Date
    Jul 2005
    Location
    Sticky On Internet
    Posts
    555

    Hi,
    I think you could have a spammer on the box, who might be using mailman to send bulk mails. Just an idea: you had better check the size of the mailing list run by your user's account.

    A huge quantity of Nobody mails is also an alarm, when you need to check if somebody is relaying mails using PHP code or if any PHP form is being exploited which doesn't verify the referers before processing.

    happy hunting.

    see ya,
    mohit
    Learn at least A word Daily

    7+1 Dedicated Boxes with cPanel...

  3. #3
    Registered Member
    Join Date
    Aug 2005
    Posts
    46

    Hello!

    Thanks for the reply.

    My mail queue is empty, so I'm doubtful it's a spammer. I also have WHM set to only allow 25 emails per hour. It's a definite deterrent, and would fill the queue. My queue is currently less than 25, and that's about where it stays....

    I'm wondering if it's a spoof that somebody sends an email with my server as the 'from' and I am getting all of the bounces?

    Thank you!

  4. #4
    Registered Member This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,499

    mailnull is simply the non-privileged account under which exim runs. What you may be seeing is dictionary attacks against your domains. These are evident if you see a lot of email coming in for email addresses on your domains that don't exist (you'll see a lot of RCPT failures in exim_mainlog). If that's the case, then this may well help:

    http://www.configserver.com/free/eximdeny.html
    Jonathan Michaelson

    cPanel Server Configuration, Security and Antivirus/AntiSpam Services
    http://www.configserver.com
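
The check described in the last reply (many RCPT failures in exim_mainlog for addresses that don't exist) can be scripted. This is an added example, not part of the thread or of ConfigServer's tool; the sample log lines are constructed, and the function names and the threshold of 3 distinct addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape exim writes to exim_mainlog
# (addresses, hosts and IPs are made up for this example).
SAMPLE_LOG = """\
2005-06-02 19:30:01 H=(mx.example.net) [203.0.113.5] F=<x@example.net> rejected RCPT <adam@example.com>: No Such User Here
2005-06-02 19:30:01 H=(mx.example.net) [203.0.113.5] F=<x@example.net> rejected RCPT <alan@example.com>: No Such User Here
2005-06-02 19:30:02 H=(mx.example.net) [203.0.113.5] F=<x@example.net> rejected RCPT <alex@example.com>: No Such User Here
2005-06-02 19:30:02 H=(mx.example.net) [203.0.113.5] F=<x@example.net> rejected RCPT <ALEX@example.com>: No Such User Here
2005-06-02 19:30:03 H=([192.0.2.99]) [203.0.113.5] F=<x@example.net> rejected RCPT <amy@example.com>: No Such User Here
2005-06-02 19:31:10 1DdxYz-0001aB-7Q <= bob@example.org H=mx.example.org [192.0.2.10] P=esmtp S=1204
2005-06-02 19:32:44 H=mail.example.org [198.51.100.7] F=<carol@example.org> rejected RCPT <jhon@example.com>: No Such User Here
"""

# The connecting IP is the bracketed value followed by whitespace (or :port);
# a bracketed HELO literal such as H=([192.0.2.99]) is followed by ")" and is skipped.
REJECT_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?\s.*?rejected RCPT <(?P<rcpt>[^>]*)>"
)


def rcpt_failures(log_text):
    """Map each connecting IP to the set of distinct recipients it had refused."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            per_ip[m.group("ip")].add(m.group("rcpt").lower())
    return dict(per_ip)


def likely_dictionary_sources(log_text, min_distinct=3):
    """Return (ip, distinct_refused_recipients) pairs at or above the threshold.

    One host probing many different non-existent addresses looks like a
    dictionary attack; a single refused address is more likely a typo.
    min_distinct is an assumed cut-off, tune it to the server's traffic.
    """
    hits = [(ip, len(rcpts)) for ip, rcpts in rcpt_failures(log_text).items()
            if len(rcpts) >= min_distinct]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, count in likely_dictionary_sources(SAMPLE_LOG):
        print(f"{ip}\t{count} distinct refused recipients")
```

To run it against a real server, pass the contents of the exim main log to `likely_dictionary_sources` instead of `SAMPLE_LOG`.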
