Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

I'm under attack

Discussion in 'E-mail Discussions' started by mystikzen, Nov 27, 2007.

  1. mystikzen

    mystikzen Member

    Joined:
    Mar 18, 2004
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    Hello all

    my server is receiving tons of e-mails from all the world for a specific domain.
    This cause the server to be heavily loaded and I see a lot of defunct exim process.
    I shut down the exim service to free the load but it's not acceptable for the other customers.

    I deleted the domain in /etc/localdomains file but mails are still processed.
    :blackhole: and :fail: are not a fix in this case as mails are processed.

    Is it possible to disable exim for a specific domain ?

    here is a part of the netstat query :

    Code:
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 eve.myserver.com:smtp      mx2.tue.nl:54100            TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      outbound-blu.frontbri:61174 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      avgw.voras.lt:37037         FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      75-144-115-201-Jackso:54559 TIME_WAIT
tcp        0    221 eve.myserver.com:smtp      72-29-67-18.static.di:21318 LAST_ACK
tcp        0      0 eve.myserver.com:44056     burns.kundenserver42.d:auth TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      ns1004.imingo.net:4410      TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail.asi-online.de:43856    TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      avsmtp.rejis.org:4282       TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      DNS1.CONZULTEK.NET:44253    TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mbos141-192.alpenstoc:60580 TIME_WAIT
tcp        1     99 eve.myserver.com:smtp      smtp-cpk.frontbridge.:29124 CLOSING
tcp        0      0 eve.myserver.com:smtp      38.100.238.114:36658        TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mailkp.adriatic-sloven:4495 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      piroes01-poub.socgen.:42052 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail.thermalceramics.c:3152 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      exprod5og102.obsmtp.c:38857 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      www.gowealthy.com:7338      TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail08a.verio.de:47219      TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      exprod5og101.obsmtp.c:39659 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      smtp7.upil-service.co:42754 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      antispam.tecseed.co.jp:2133 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      ponca.b-h-e.com:44271       TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mspl01.usen.ad.jp:38036     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      gw.cis-electronic.de:42426  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      kishssv05.sakura-utop:37385 FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      218.75.46.202:8379          TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      email.aduana.org:47724      TIME_WAIT
tcp        0     68 eve.myserver.com:smtp      smtp-out2.net.av.olea:16850 FIN_WAIT1
tcp        0      0 eve.myserver.com:smtp      msg-scanner3.usc.edu:40532  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      gw.cis-electronic.de:42457  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      broughton.textdrive.c:51981 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      dnssmtp2.fukuda.co.jp:56843 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail1.slthermal.com:2644    TIME_WAIT
tcp        0      0 eve.myserver.com:http      76.250.6.251:1232           FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      203.85.10.161:41801         FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      211.97.172.44:53545         TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      static-14-245-226-77.:51793 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      cmp1.deloitte.com:52341     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail.arkemagroup.com:47160  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      ccmail.cc.niigata-u.a:33245 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      speedimax-200-66-99-2:33468 FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      altair.benesse.co.jp:42254  FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      www.pixlab.com:46484        TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      exprod5og102.obsmtp.c:38859 TIME_WAIT
tcp        0     68 eve.myserver.com:smtp      smtp-out2.net.av.olea:35280 FIN_WAIT1
tcp        0      0 eve.myserver.com:smtp      atsbg30.netronics.co.:47101 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mx4.lhsystems.com:46308     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      srv893.flexwebhosting:60868 FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      kgmail1.kumandgo.com:56448  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail-dub.bigfish.com:44350  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      al-ulya.auto-jardim.co:7921 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail.managerialdesign:40545 FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      adsl-75-31-230-54.dsl:47622 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      zixvpm.bgfh.com:59809       TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      host152-146-static.5-7:1561 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      boss.sal.tohoku.ac.jp:51617 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      server.haeckert.de:44787    TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail.garlington.com:38669   TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mx2.eurorscg.net:48209      TIME_WAIT
tcp        0    102 eve.myserver.com:smtp      cdzms003.cgi.rupa.it:31891  FIN_WAIT1
tcp        0      0 eve.myserver.com:smtp      mail.sterlingnetwork.:53011 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      leda.telerent.com:34013     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      218.38.243.28:40647         TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      bws14.bridgewatersyst:46487 FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      caesc.caesc.com:1191        TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      exprod5og102.obsmtp.c:38861 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      wsmtpr04.ezweb.ne.jp:60346  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      post.safecom.co.nz:21980    TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      213.246.215.162:55923       FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      exprod5og102.obsmtp.c:38829 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      smtp.terradon.net:34908     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      master.telconet.net:51817   FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      mi-ob.rzone.de:29087        TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      ncc4.infomail.es:65509      TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      gw-nam2.philips.com:62428   TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      greatwestern.gwproduc:50611 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail13.caremark.com:35494   TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      customer-148-223-175-:59447 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mulnx11.mcs.muohio.ed:55390 FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      memova1.tellas.gr:41144     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      imail.guard.com:4891        TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      antibiotix1.salm.fr:18739   TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      n3.grp.bbt.yahoo.co.j:36698 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      wmflb12na02.ezweb.ne.:43356 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mailgate.rkfl.com:50452     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      us02.mail.rninc.net:39244   FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      backup1.mx.expedient.:53092 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      ss92.shared.server-sy:47505 FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      ew162.ips.SecurityBan:64027 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mailrelay008.isp.belg:43733 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      server217-174-250-109:43701 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      sweeper.hk.dk:16619         TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      lollipop.listbox.com:42380  TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      smtp.mistletoetech.co:43943 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      server213-171-221-144:57301 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail.0532163.com:3757       TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      nmp2.deloitte.com:36576     TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      exprod5og101.obsmtp.c:39692 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      58.26.137.24:58663          TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      mail.rdvsportsplex.co:53147 TIME_WAIT
tcp        0      0 eve.myserver.com:smtp      exprod5og101.obsmtp.c:39724 TIME_WAIT
tcp        1    107 eve.myserver.com:smtp      mail-dub.bigfish.com:16474  CLOSING
tcp        0      0 eve.myserver.com:smtp      mx1.cyso.net:40565          FIN_WAIT2
tcp        0      0 eve.myserver.com:smtp      blaster.systems.pipex:55320 TIME_WAIT
tcp        0      0 eve.myserver.com:5621      smtp.esn.be:35787           ESTABLISHED
     
    #1 mystikzen, Nov 27, 2007
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,681
    Likes Received:
    299
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    #service chkservd stop
    #service exim stop
    disable exim in Service Manager
    #service cpanel restart
    #service chkservd start

    That should work I think.
     
    #2 Infopro, Nov 27, 2007
  3. cbwass

    cbwass Well-Known Member

    Joined:
    Mar 29, 2002
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    316
    You could try removing the MX record for the domain that has problems in WHM 'Edit DNS Zone'.
     
    #3 cbwass, Nov 27, 2007
  4. mystikzen

    mystikzen Member

    Joined:
    Mar 18, 2004
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    exim service must work for the other customers :/

    I have already deleted the MX entry but mails are still coming because of the A entry :/
     
    #4 mystikzen, Nov 27, 2007
  5. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    166
    So it is one particular domain? I would tell them "bye bye" and move on. There was actually some funny business going on with that domain at one point I would assume.
     
    #5 jayh38, Nov 27, 2007
(You must log in or sign up to post here.)
Loading...
Similar Threads - under attack
  1. Nurs1927

    Suspicious process running under my user

    Nurs1927, Sep 24, 2017 at 3:52 AM, in forum: Security
    Replies:
    2
    Views:
    59
    cPanelMichael
    Sep 25, 2017 at 12:25 PM
  2. filip212

    php-fpm master process run under user

    filip212, Sep 10, 2017, in forum: EasyApache
    Replies:
    1
    Views:
    78
    cPanelMichael
    Sep 12, 2017
  3. Syneic

    Multiple php versions with fastcgi under EA4

    Syneic, Aug 24, 2017, in forum: Workarounds and Optimization
    Replies:
    4
    Views:
    163
    cPanelMichael
    Aug 28, 2017
  4. M001

    Accessing webdisk under a subaccount?

    M001, Aug 16, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    78
    cPanelMichael
    Aug 16, 2017
  5. jerrywwssadad

    Running php under each user with Fastgci

    jerrywwssadad, Jul 31, 2017, in forum: EasyApache
    Replies:
    5
    Views:
    136
    cPanelMichael
    Aug 2, 2017

Share This Page