Community Forums
Connect with us on LinkedIn
server Busy - IS EXIM HACKED ?
  
+ Reply to Thread
Results 1 to 5 of 5
  1. 02-24-2006 03:18 AM #1
    mahdionline
    mahdionline is offline
    Member mahdionline's Avatar
    Join Date
    Oct 2003
    Posts
    127

    Default server Busy - IS EXIM HACKED ?

    Hi
    our server from 3 day ago become very busy. I see in whm that exim -q is the top(heavy) process in system.

    I think someone use our mail server to send mail or . . .

    I shutdown EXIM by service Exim stop command but after a few time i see exim started. then I rename the usr/sbin/exim , and see returned to normal situation.

    What should i do for this problem ? Is this a DOS attack ?

    Regard
    Mahdionline
    Reply With Quote Reply With Quote
  2. 02-24-2006 05:25 AM #2
    MN-Robert
    MN-Robert is offline
    Member
    Join Date
    Feb 2003
    Posts
    205

    Default

    Probably a script was compromised, have a look at the logs it will tell you where the mail is coming from.
    Reply With Quote Reply With Quote
  3. 03-14-2006 10:14 AM #3
    mahdionline
    mahdionline is offline
    Member mahdionline's Avatar
    Join Date
    Oct 2003
    Posts
    127

    Default

    Quote Originally Posted by MN-Robert
    Probably a script was compromised, have a look at the logs it will tell you where the mail is coming from.
    How can i detect and find this script and it's owner (Account) ?

    Regard
    Mahdionline
    Reply With Quote Reply With Quote
  4. 03-14-2006 10:34 AM #4
    MN-Robert
    MN-Robert is offline
    Member
    Join Date
    Feb 2003
    Posts
    205

    Default

    tail -f /var/log/exim_mainlog

    or if you know what the spam is

    grep spam /var/log/exim_mainlog

    or higher a system admin.
    Reply With Quote Reply With Quote
  5. 03-16-2006 04:06 AM #5
    chirpy
    chirpy is offline
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Yup. Enabling some extended exim logging might help you track down the offending script if they're coming from the nobody account.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
    Reply With Quote Reply With Quote
«   /scripts/mailperm problem | Possible to "turn off" php/cgi for an account? »     
Similar Threads & Tags
Similar threads

  1. server seems busy
    By zontrakulla in forum Optimization
    Replies: 1
    Last Post: 03-08-2010, 06:33 PM
  2. Server seems busy
    By Mariusz Jokiel in forum cPanel and WHM Discussions
    Replies: 0
    Last Post: 03-16-2008, 05:00 PM
  3. server Busy - High Load
    By mahdionline in forum cPanel and WHM Discussions
    Replies: 3
    Last Post: 02-19-2006, 11:05 AM
  4. What are optimal setting for Spamd Startup Configuration on a busy server?
    By EdRooney in forum cPanel and WHM Discussions
    Replies: 10
    Last Post: 12-13-2004, 09:50 AM
  5. Mysql experts is this a innovative way to reduce the mysl load on busy server
    By atul in forum cPanel and WHM Discussions
    Replies: 5
    Last Post: 07-23-2004, 08:31 AM
Linkedin       Facebook       Twitter       RSS       Flickr       YouTube