Exim using 10000+% of processor?

Discussion in 'E-mail Discussions' started by Jpao17, Dec 3, 2007.

  1. Jpao17

    Has anybody ever seen anything like this that can shed some light on it?

    We recently had this server start crashing after only 9 or 10 hours of being up. I remotely kept an SSH "top" open as root so I could capture the last frame before the server crashed, and here's what it came up with:

    [Image: "top" screenshot]

    I highlighted the parts of interest.

    OOM-Killer was being invoked and ultimately killed the sshd process at this screenshot time.

    We needed this to run smoothly immediately so we couldn't mess around to find a solution. We formatted the server and reinstalled everything this morning, but I'm hoping somebody can shed some light on this situation, maybe they had seen it before so we can prevent it from happening again?

    Edit: The server is a Dell PowerEdge 2970, Red Hat Linux Enterprise 5 Server Edition, two dual-core AMD 2.00 processors, 4.0G of memory, and brand-spankin' new; set it up in early October, first started crashing on November 29.

    Chris
     
    #1 Jpao17, Dec 3, 2007
    Last edited: Dec 3, 2007
  2. mohit

    Looks like your exim was filled with no fewer than thousands of emails, taking the box to extreme loads.
    If you had a filled-up mail queue, you possibly had a spammer on board.

    Did you examine the mail queues before formatting?

    I never saw a server working with those kinds of load averages (2262.61); that seems to be a new world record :)

    mohit
     
  3. AndyReed

    2262 load average??? I have never seen such extreme load :eek: It is rather difficult to say without looking into your server, but it is likely that you are under serious DoS/DDoS attack.
     
  4. Jpao17

    I didn't take a look at the mail queues per se, but I did download the log files for exim_maillog and that kind of thing. It was 75 Megs of pure text from Nov 25 - Dec 3, and appeared to have hundreds of thousands of emails sent to or from bogususername@epicsoftware.com, the domain being a domain on the server, but using a bogus username.

    But I don't see how we would have any reason to be under DoS attack; the server had only been up for less than 1.5 months, and there were only two websites that the public even knew about, and they were small too! I do have the /var/logs/messages file that shows what the server was up to each time it crashed. Just a bunch of oom-killers. Eventually oom-killer would kill sshd, making it impossible to remotely reboot the server, in which case we had to keep driving 33 miles to downtown Houston to physically hit the button.

    Chris
     
  5. kernow

    Here's a command that will help you track down what user and the directory/file that's producing the spam. It lists the number of emails each client has sent and from where. You need extended Exim logging; if you don't have it enabled, then in the first box of the Exim config editor (WHM) add
    Code:
    log_selector = +arguments +subject
    Then from a console run:
    Code:
    cat /var/log/exim_mainlog | grep cwd=\/home\/ | cut -d' ' -f3 | sort -n | uniq -c
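
A variant of the pipeline in the last post, as an added example that is not part of kernow's post: it finds the cwd= field wherever it falls on the line, totals submissions per directory and per account, and lists the busiest first. The log lines, the account names (acct1, acct2) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of exim_mainlog lines as written with
# log_selector = +arguments (accounts and paths are made up).
sample_log() {
cat <<'EOF'
2007-12-03 04:12:01 cwd=/home/acct1/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2007-12-03 04:12:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IzAbC-0001aB-2c
2007-12-03 04:12:02 cwd=/home/acct1/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2007-12-03 04:12:02 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2007-12-03 04:12:03 cwd=/home/acct1/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2007-12-03 04:12:04 cwd=/home/acct1/public_html/cgi-bin 4 args: /usr/sbin/sendmail -t -i -fnobody
EOF
}

# cwd_report [MIN]: read mainlog lines on stdin and print
# "count account directory" for every /home/ directory with at least
# MIN submissions (default 1), busiest first.
cwd_report() {
    awk -v min="${1:-1}" '
        {
            for (i = 1; i <= NF; i++) {
                if (index($i, "cwd=/home/") == 1) {
                    dir = substr($i, 5)      # drop the "cwd=" prefix
                    split(dir, part, "/")    # part[3] is the account name
                    count[dir]++
                    acct[dir] = part[3]
                    break
                }
            }
        }
        END {
            for (d in count)
                if (count[d] >= min)
                    printf "%d %s %s\n", count[d], acct[d], d
        }' | sort -k1,1nr -k3,3
}

# account_totals: same input, submissions summed per account.
account_totals() {
    cwd_report | awk '{ t[$2] += $1 } END { for (a in t) print t[a], a }' |
        sort -k1,1nr -k2,2
}

# Directories with two or more submissions in the sample.
sample_log | cwd_report 2
```

On a live server the input would be the mainlog itself, for example `cwd_report 100 < /var/log/exim_mainlog`; queue-runner lines with cwd=/var/spool/exim are skipped because only /home/ paths are counted.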
     