
Exim crashing server - spam??

Discussion in 'General Discussion' started by fuzzymonkey, Jan 26, 2005.

  1. fuzzymonkey

    fuzzymonkey Well-Known Member

    I have one particular server that crashes every single day, sometimes several times a day. When these crashes occur, I can see that exim, eximstats, cppop, and imap fail and the server load gets as high as 20. I've upgraded exim, and put a cron job in to restart it every 6 hours to no avail. Is this a known issue? Could one of my clients be using my server for spam? If so, how do I find out about it? Are there any simple config tricks that would make exim less CPU hungry?

    top during normal operation:
    Code:
      PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
    24800 root      25   0  3868 3868  2796 S     0.7  0.3   0:00   0 exim
    24026 phatch    15   0  3620 3620  1572 S     0.1  0.3   0:00   0 manage.cgi
    24129 root      24   0  1892 1892  1556 S     0.1  0.1   0:00   0 exim
    24715 root      15   0  1152 1152   896 R     0.1  0.1   0:00   0 top
        1 root      15   0   116   80    56 S     0.0  0.0   0:04   0 init
        2 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 keventd
        3 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kapmd
        4 root      34  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd/0
        7 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 bdflush
        5 root      15   0     0    0     0 SW    0.0  0.0   0:03   0 kswapd
        6 root      15   0     0    0     0 SW    0.0  0.0   0:03   0 kscand
        8 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kupdated
        9 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 mdrecoveryd
       13 root      15   0     0    0     0 SW    0.0  0.0   0:13   0 kjournald
       68 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 khubd
      799 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
     1229 root      15   0   236  212   156 S     0.0  0.0   0:03   0 syslogd
     1233 root      15   0    60    4     0 S     0.0  0.0   0:00   0 klogd
     1323 nobody    15   0   696  260   156 S     0.0  0.0   0:00   0 proftpd
     1336 root      15   0   732  328   244 S     0.0  0.0   0:00   0 cupsd
     1361 root      15   0   464  284   220 S     0.0  0.0   0:00   0 sshd
    
    top sorted by memory usage during normal operation:
    Code:
       PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
     1639 root      15   0 28428  21M  1992 S     0.0  2.1   0:26   0 spamd
     1698 root      16   0 26456  20M  1900 S     0.0  2.0   0:30   0 spamd
     1679 root      15   0 26028  20M  1936 S     0.0  2.0   0:25   0 spamd
     1701 root      16   0 26300  20M  1996 S     0.0  2.0   0:28   0 spamd
     1699 root      16   0 25276  19M  1828 S     0.0  1.9   0:28   0 spamd
     1716 nobody    15   0 13296  11M  2760 S     0.0  1.1   0:47   0 httpd
     1604 nobody    15   0 12120  10M  2788 S     0.0  1.0   0:47   0 httpd
     1545 nobody    15   0 12032  10M  2744 S     0.0  1.0   0:45   0 httpd
     1726 nobody    15   0 12108  10M  2796 S     0.0  1.0   0:46   0 httpd
     1605 nobody    17   0 12024  10M  2772 R     0.2  1.0   0:42   0 httpd
     1543 nobody    15   0 12048  10M  2736 S     0.0  1.0   0:35   0 httpd
     1546 nobody    15   0 11844  10M  2676 S     0.0  1.0   0:49   0 httpd
     1594 nobody    15   0 11996  10M  2688 S     2.3  1.0   0:44   0 httpd
     1544 nobody    15   0 11796  10M  2756 S     0.0  1.0   0:38   0 httpd
     1547 nobody    15   0 11748 9.8M  2748 S     0.0  0.9   0:44   0 httpd
     1765 root      34  19 10448 8752  1176 S N   0.0  0.8   0:29   0 cpanellogd
     1600 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:01   0 mysqld
     1661 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:01   0 mysqld
     1662 mysql     20   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1663 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1664 mysql     23   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1665 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1711 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1712 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1713 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1714 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     1719 mysql     15   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
     9331 mysql     20   0 20604 7140  1532 S     0.0  0.6   0:00   0 mysqld
    
    free during normal operation:
    Code:
                 total       used       free     shared    buffers     cached
    Mem:       1030556     994724      35832          0      90536     658640
    -/+ buffers/cache:     245548     785008
    Swap:      2048276     213980    1834296
     
    #1 fuzzymonkey, Jan 26, 2005
    Last edited: Jan 26, 2005
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    first check CPU/Memory/MySQL Usage in server status and see what process for the day is using so much cpu

    when the load climbs do a top in ssh and see which process is hogging all the cpu

    ps aux in ssh and see which processes are running when the load starts to climb

    it may not be Spam


    see which users are relaying mail in your mail statistics


    install PRM :)
     
    #2 dalem, Jan 26, 2005
    Last edited: Jan 26, 2005
  3. fuzzymonkey

    fuzzymonkey Well-Known Member

    I don't believe it's spam. None of my users are sending more than 1000 emails a week. Shouldn't I expect much more than that from anyone sending spam? The process that is consuming the most memory is exim. The server hasn't gone down since I posted this thread, which is why my original post didn't include top and free's output from a time when the server is overloaded. Also, once I'm alerted to the problem, it's too late, and I can't ssh in. I don't know that I'll ever be able to get that data.
     
  4. chirpy

    chirpy Well-Known Member

    If there was a problem with exim and/or spam, it would show in your exim logs at the time of the crash.

    You're not clear on one thing. Does the server actually crash, or does it simply hang and you have to do a forceful reboot? If it crashes, there is often output on the serial console that can help determine where the problem was. If it's a hang, then checking over all your server logs at the time of the hang may be helpful (esp. /var/log/messages).

    Lastly, do you have something like PRM installed? Do you have WHM > Shell Fork Bomb Protection enabled (you should)? Are you running the latest kernel for your OS?
     
  5. fuzzymonkey

    fuzzymonkey Well-Known Member

    Thanks for replying! The server hangs. I can still ping it, but cannot SSH in, and all my services crash. I have to reboot every time. I know about /var/log/messages - there is no helpful info there. What are other logs I can look in, and where are they located? Where are the exim logs?
     
    #5 fuzzymonkey, Jan 27, 2005
    Last edited: Jan 27, 2005
  6. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    In addition to what Chirpy said, are you sure that your server is secure and everything is intact?

    If you can't find out, you need to hire a sys admin to help out.
     
  7. chirpy

    chirpy Well-Known Member

    On a linux server, the exim logs are:

    /var/log/exim_mainlog
    /var/log/exim_rejectlog
    /var/log/exim_paniclog
     
  8. netlook

    netlook Well-Known Member
    PartnerNOC

    Did you find a solution? I have exactly the same problem with one of my servers. It is running FC1 and cPanel RELEASE 10.0.0-7.

    Thanks
     
  9. adapter

    adapter Well-Known Member
    PartnerNOC

    As I said in my previous post, I have the same problem with 10.0 R7; Exim crashes my servers.
     
  10. stefos

    stefos Registered

    same here... some log file entries

    same here... server stops responding (not web server, no secure shell, nothing!).
    We have to reboot to get it up and running again.

    CPU/Memory/MySQL Usage shows that exim is the top memory holder per day.

    After rebooting, I see the following entries in various log files under /var/log

    Feb 9 15:46:39 server postgres[12193]: [34] LOG: could not launch checkpoint process (fork failure): Cannot allocate memory
    Feb 9 15:20:00 server crond[13635]: (CRON) error (can't fork)

    exim
    2005-02-09 15:34:40 daemon: accept process fork failed: Cannot allocate memory
    2005-02-09 15:18:50 daemon: accept process fork failed: Cannot allocate memory

    Feb 9 15:26:18 server sshd[27072]: error: fork: Cannot allocate memory
     
  11. arunz

    arunz Member

    Check the queue

    Please monitor the queue by doing /var/log/exim_mainlog

    There you can find out if there is a specific user who has been sending you numerous mails or any user getting a lot of mail. Please disable any email address which is receiving a lot of automated spam mails.

    Apart from that you will get an IP address of the spammer. Please block that user using the firewall.

    Contact me AIM "arunreddy81"
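
Added example, not part of the post above: one way to do the check it describes, tallying envelope senders, submitting hosts or local users, and recipients from exim main log lines (`<=` marks a message arriving, `=>` a delivery). The sample log is constructed, with documentation addresses and IPs and illustrative router and transport names; on a real server the text would be read from /var/log/exim_mainlog.

```python
import re
from collections import Counter

# Constructed sample in exim main log format (not taken from the thread).
SAMPLE = """\
2005-02-09 15:10:01 1CyvAA-0003Yz-AB <= news@example.com H=(mx.example.com) [192.0.2.10] P=esmtp S=2310
2005-02-09 15:10:02 1CyvAA-0003Yz-AB => info <info@example.org> R=virtual_user T=virtual_userdelivery
2005-02-09 15:10:05 1CyvAB-0003Z1-CD <= offers@example.net H=(pc1) [192.0.2.10] P=smtp S=1804
2005-02-09 15:10:06 1CyvAB-0003Z1-CD => info <info@example.org> R=virtual_user T=virtual_userdelivery
2005-02-09 15:10:09 1CyvAC-0003Z4-EF <= nobody@server.example.org U=nobody P=local S=912
2005-02-09 15:10:10 1CyvAC-0003Z4-EF => carol@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]
2005-02-09 15:10:12 1CyvAD-0003Z7-GH <= <> R=1CyvAC-0003Z4-EF U=mailnull P=local S=1540
2005-02-09 15:10:13 1CyvAD-0003Z7-GH => nobody <nobody@server.example.org> R=localuser T=local_delivery
"""

LINE = re.compile(r"^\S+ \S+ \S+ (<=|=>) (\S+)(.*)$")   # date time msgid flag address rest
REMOTE_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")          # [ip] of the submitting host
LOCAL_USER = re.compile(r"\bU=(\S+)")                    # local account that submitted
FULL_ADDR = re.compile(r"^ <([^>]+)>")                   # "=> local <full@address>"

def tally(log_text):
    """Count arrivals per envelope sender and per source, and deliveries per recipient."""
    senders, sources, recipients = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an arrival or delivery line
        flag, addr, rest = m.groups()
        if flag == "<=":
            senders[addr] += 1  # "<>" is a bounce
            ip = REMOTE_IP.search(rest)
            user = LOCAL_USER.search(rest)
            if ip:
                sources["ip:" + ip.group(1)] += 1
            elif user:  # submitted on the box itself, e.g. by a web script
                sources["local:" + user.group(1)] += 1
        else:
            # The bracketed IP on "=>" lines is the destination, so it is not counted.
            full = FULL_ADDR.match(rest)
            recipients[full.group(1) if full else addr] += 1
    return senders, sources, recipients

if __name__ == "__main__":
    for name, counter in zip(("senders", "sources", "recipients"), tally(SAMPLE)):
        print(name, counter.most_common(3))
```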
     