
id mailnull causing LOTS of issues

Discussion in 'E-mail Discussions' started by niccell, Apr 30, 2006.

  1. niccell

    niccell Member

    Hello!

    First Post so please be gentle... :)

    The user mailnull is causing a LOT of issues. I'm wondering if I'm not the subject of an attack.

    There will be up to 15 'mailnulls' at a time, many with a CPU of '0' and several with CPU of over 5.

    Lots of 'NOBODY' HTTP connections also, also with varying CPUs.

    A few days ago I paid somebody to clean my server as it had another issue, so I know that the server has not been 'hacked' or exploited. This guy did a GREAT JOB! I would recommend him to anybody!

    Here is what I've done:

    1) Tried this:

    ls -al /proc/xxxx

    Which in this case shows:

    -r--r--r-- 1 root root 0 Jun 2 19:30 cmdline
    -r--r--r-- 1 root root 0 Jun 2 19:30 cpu
    lrwxrwxrwx 1 root root 0 Jun 2 19:30 cwd -> /var/spool/exim/
    -r-------- 1 root root 0 Jun 2 19:30 environ
    lrwxrwxrwx 1 root root 0 Jun 2 19:30 exe -> /usr/sbin/exim*
    dr-x------ 2 root root 0 Jun 2 19:30 fd/
    -r--r--r-- 1 root root 0 Jun 2 19:30 maps
    -rw------- 1 root root 0 Jun 2 19:30 mem
    -r--r--r-- 1 root root 0 Jun 2 19:30 mounts
    lrwxrwxrwx 1 root root 0 Jun 2 19:30 root -> //
    -r--r--r-- 1 root root 0 Jun 2 19:30 stat
    -r--r--r-- 1 root root 0 Jun 2 19:30 statm
    -r--r--r-- 1 root root 0 Jun 2 19:30 status

    Then:

    cat /proc/xxxx/environ

    To try to find the user. The user is my server.

    The mail queue is clean.

    BFD, APF, Chroot, and Mod Security are enabled and running normally.

    Extended logging is on and it shows failed emails from a variety of different IP addresses. I assume this is the 'bounce' from an invalid address from a spoof.

    I have looked like crazy on CPANEL FORUMS and GOOGLE to see what I can do.

    CPU hovers at about .5 when mailnull is behaving. 1.5-2.5 when it is not.

    I'm a little bit better than a 'newbie' at this. I've been doing WHM/CPANEL for about a year or so, and have lived on these forums (but never posted).

    Anyway, here are my questions if anybody will be so kind as to reply:

    1) Is mailnull the administrative mail account (auto send and such)? I haven't found a definitive answer... :(

    2) Is there an answer to what is going on with this server?

    Any answers are definitely appreciated.
     
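    The post above tries to work out which account a given exim process runs as by looking at /proc/xxxx/environ. The owner of a process is recorded directly in /proc/<pid>/status (the Uid: line lists real, effective, saved and filesystem uids), and the exe and cwd links the poster already listed identify the program and its working directory. The following is an added example, not code from the original thread or from cPanel; the /proc/<pid>/status excerpt it embeds is constructed, and the uid 47 and the uid-to-name mapping it uses in the test are assumptions, not values from the poster's server.

```python
import os
import pwd

# Constructed /proc/<pid>/status excerpt in the layout the Linux kernel emits.
# The uid/gid values are illustrative assumptions, not taken from the poster's box.
SAMPLE_STATUS = """\
Name:\texim
State:\tS (sleeping)
Pid:\t12345
PPid:\t1
Uid:\t47\t47\t47\t47
Gid:\t12\t12\t12\t12
"""


def parse_status(text):
    """Pull the identity fields out of a /proc/<pid>/status file.

    The Uid: line carries four numbers: real, effective, saved and filesystem
    uid.  The effective uid is the one that matters for 'who is this running as'.
    """
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    uids = fields["Uid"]
    return {
        "name": fields["Name"][0],
        "pid": int(fields["Pid"][0]),
        "ppid": int(fields["PPid"][0]),
        "ruid": int(uids[0]),
        "euid": int(uids[1]),
    }


def uid_name(uid, passwd=None):
    """Resolve a uid to a login name.

    `passwd` is an optional {uid: name} map (used by the test, or for looking
    at a copied /etc/passwd from another host); otherwise the local user
    database is consulted.  Unknown uids are returned as their number.
    """
    if passwd is not None:
        return passwd.get(uid, str(uid))
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def describe_status(text, passwd=None):
    """Parse a status file's text and attach the owning user's name."""
    info = parse_status(text)
    info["user"] = uid_name(info["euid"], passwd)
    return info


def _readlink(path):
    # exe/cwd of another user's process are unreadable without privilege; say so
    # instead of crashing, since that itself tells you the process is not yours.
    try:
        return os.readlink(path)
    except OSError as e:
        return f"<unreadable: {e.strerror}>"


def describe_pid(pid, passwd=None):
    """Describe a live process from /proc: owner, executable and working directory."""
    base = f"/proc/{pid}"
    with open(f"{base}/status") as f:
        info = describe_status(f.read(), passwd)
    info["exe"] = _readlink(f"{base}/exe")
    info["cwd"] = _readlink(f"{base}/cwd")
    return info


if __name__ == "__main__":
    import sys
    # Usage: python3 procowner.py 12345 [more pids...]; with no argument, describe ourselves.
    for pid in sys.argv[1:] or [os.getpid()]:
        i = describe_pid(pid)
        print(f"pid {i['pid']} ({i['name']}) runs as {i['user']} "
              f"(euid {i['euid']}, ruid {i['ruid']}), exe={i['exe']}, cwd={i['cwd']}")
```

Run it as root against each mailnull PID from top and you get the owner, the binary and the working directory in one line; a process whose exe is /usr/sbin/exim with cwd under /var/spool/exim is the MTA doing its job, while something else running as mailnull (or as nobody) with an exe in /tmp or a web directory is what would need explaining.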
  2. mohit

    mohit Member

    Hi,
    I think you could have a spammer on the box, who might be using Mailman to send bulk mails. Just an idea, but you'd better check the size of the mailing lists run by your users' accounts.

    A huge quantity of 'nobody' mails is also an alarm: you need to check whether somebody is relaying mails using PHP code, or whether some PHP form that doesn't verify the referer before processing is being exploited.

    happy hunting.

    see ya,
    mohit
     
  3. niccell

    niccell Member

    Hello!

    Thanks for the reply.

    My mail queue is empty, so I'm doubtful it's a spammer. I also have WHM set to only allow 25 emails per hour. It's a definite deterrent, and would fill the queue. My queue is currently less than 25, and that's about where it stays.... :)

    I'm wondering if it's a spoof that somebody sends an email with my server as the 'from' and I am getting all of the bounces?

    Thank you!
     
  4. chirpy

    chirpy Super Moderator

    mailnull is simply the non-privileged account under which exim runs. What you may be seeing is dictionary attacks against your domains. These are evident if you see a lot of email coming in for email addresses on your domains that don't exist (you'll see a lot of RCPT failures in exim_mainlog). If that's the case, then this may well help:

    http://www.configserver.com/free/eximdeny.html
     
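    The reply above says a dictionary attack shows up as a run of RCPT failures in exim_mainlog. Below is an added example of checking for exactly that, written for this page and not taken from the thread, from cPanel or from the linked configserver page. It assumes the line layout cPanel's Exim uses for a refused recipient (timestamp, H=host [ip], F=<sender>, "rejected RCPT <address>: reason", with reasons such as "No Such User Here" or "Unrouteable address"); the log lines embedded in it are constructed for illustration, and the IP addresses and domains in them are assumptions. It counts, per sending IP, how many distinct non-existent recipients were tried, which separates a harvester cycling through guessed local parts from a legitimate mail server retrying one mistyped address.

```python
import re
from collections import defaultdict

# Constructed sample exim_mainlog lines (not copied from the poster's server).
# 192.0.2.10 walks through guessed local parts at one domain: the dictionary-attack
# pattern.  198.51.100.7 delivers a real message.  203.0.113.5 bounces once.
SAMPLE_LOG = """\
2006-04-30 10:01:02 H=(mx.example.net) [192.0.2.10] F=<alice@example.net> rejected RCPT <qwerty@example.com>: No Such User Here
2006-04-30 10:01:03 H=(mx.example.net) [192.0.2.10] F=<alice@example.net> rejected RCPT <asdf@example.com>: No Such User Here
2006-04-30 10:01:03 H=(mx.example.net) [192.0.2.10] F=<alice@example.net> rejected RCPT <zxcv@example.com>: No Such User Here
2006-04-30 10:01:04 H=(mx.example.net) [192.0.2.10] F=<alice@example.net> rejected RCPT <john@example.com>: No Such User Here
2006-04-30 10:02:10 1FaBcD-0001xy-Zz <= bob@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2048
2006-04-30 10:02:11 1FaBcD-0001xy-Zz => sales <sales@example.com> R=localuser T=local_delivery
2006-04-30 10:03:00 H=(relay.example.edu) [203.0.113.5] F=<> rejected RCPT <noone@example.com>: Unrouteable address
"""

# One refused-recipient line.  The sender field is optional because Exim omits
# it in some rejection paths; everything before the bracketed IP is the H= part.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\] "
    r"(?:F=<(?P<sender>[^>]*)> )?"
    r"rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)


def parse_rejects(lines):
    """Return one dict per 'rejected RCPT' line; every other line is ignored."""
    hits = []
    for line in lines:
        m = REJECT_RE.match(line.rstrip("\n"))
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(lines):
    """Per source IP: total rejections, distinct recipients tried, domains targeted."""
    stats = defaultdict(lambda: {"rejected": 0, "recipients": set(), "domains": set()})
    for r in parse_rejects(lines):
        s = stats[r["ip"]]
        s["rejected"] += 1
        s["recipients"].add(r["rcpt"].lower())
        s["domains"].add(r["rcpt"].rsplit("@", 1)[-1].lower())
    return dict(stats)


def suspects(lines, threshold=3):
    """IPs that tried at least `threshold` different non-existent recipients.

    Distinct recipients, not raw rejections, is the discriminator: one bad
    address retried ten times is a misconfigured peer, ten different bad
    addresses is someone guessing.
    """
    return sorted(ip for ip, s in summarize(lines).items()
                  if len(s["recipients"]) >= threshold)


if __name__ == "__main__":
    import sys
    # Usage: python3 rcptfail.py /var/log/exim_mainlog ; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report = sorted(summarize(lines).items(), key=lambda kv: -len(kv[1]["recipients"]))
    for ip, s in report:
        print(f"{ip:15} rejected={s['rejected']:5} distinct_rcpts={len(s['recipients']):5} "
              f"domains={','.join(sorted(s['domains']))}")
    print("dictionary-attack suspects:", ", ".join(suspects(lines)) or "none")
```

Run against the live exim_mainlog the top of the report is the list of hosts worth blocking or rate-limiting at the SMTP level (the configserver page linked above is one way to do that); the threshold of three is a starting value for a quiet server and should be raised on a busy one so that a single mistyped mailing list does not trip it.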