sendmail: accepting connections & Lots of PHP Commands & Another Question

dkz

Well-Known Member
Sep 10, 2004
100
0
166
Hi,

I have a client with a busy site but lately his site has started to put a strain on my server. Every few hours or less the server load climbs up to 40 and there are a ton of /usr/bin/php index.php processes listed in htop (same thing as top but better). It then creates a bottleneck and no php scripts can be processed from any user. Could this be a configuration problem somewhere? I do have phpsuexec enabled and I am running php 5.0.4. The problem was happening with php 4.3.11 as well. I upgraded a couple of days ago.


Today I also checked out CPU/Memory/MySQL Usage in WHM and found this for the same user. Is/was the user sending out mass e-mail?
Top Process %CPU 92.3 sendmail: accepting connections
Top Process %CPU 57.6 sendmail: accepting connections
Top Process %CPU 53.0 sendmail: accepting connections
I tailed the exim main log when I saw this but there were no e-mails from this user being sent out.

I have one last question. How many connections can your apache server process and how many per second?

Maybe one more question. How do you know when you need more memory? The server in question is an AMD 2600 with 512MB of RAM. The average amount of RAM being used is 212MB and average swap is around 300MB with low IOwait. I'm sure an extra 512 would be beneficial but is it needed?


I know my questions are all over the place but I don't want to have 4 separate threads open.
Thanks for the help...

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
Erm, sendmail should not be running at all. cPanel uses exim as its MTA - are you sure that those are sendmail daemons and not simply exploits running under an assumed name?

dkz
Nope, I'm not sure. How would I check for that? It's the first time I have seen this.

Thanks.

dkz
I also just received 5 e-mails from APF about a possible DOS attack and blocking the IPs. I also just heard of FloodGuard this morning but the developer's site is down so I can't find out more about it. Is this a good product? Is it a replacement for APF or another level of security?

chirpy
If you don't know how to determine if those processes are genuine or not, I would strongly recommend that you either hire a server administrator or ask your datacentre as appropriate to investigate for you as your server may be compromised. It could also be innocent, but without checking it's impossible to say.

The first step would be to log in to the root shell and determine the PID of the process claiming to be sendmail and then check if it has files open that you'd expect:

lsof | grep PID

You should also check your bound ports to ensure that there aren't any open that shouldn't be:

netstat -lpn

dkz
Thanks for the help Chirpy!

This server is actually a managed server but I prefer to learn rather than have someone do it for me. Have you ever heard the story of the man and a fish? Of course if this is over my head or it's really serious I will contact someone with more knowledge than me.

Right now I do not see any sendmail processes running so I can't run the command lsof | grep PID


I did run the netstat -lpn and here are the results.
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
tcp        0      0 0.0.0.0:1                   0.0.0.0:*                   LISTEN      3363/portsentry
tcp        0      0 0.0.0.0:2082                0.0.0.0:*                   LISTEN      8575/cpsrvd - waiti
tcp        0      0 0.0.0.0:2083                0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
tcp        0      0 0.0.0.0:2084                0.0.0.0:*                   LISTEN      8596/entropychat
tcp        0      0 0.0.0.0:2086                0.0.0.0:*                   LISTEN      8575/cpsrvd - waiti
tcp        0      0 0.0.0.0:2087                0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
tcp        0      0 0.0.0.0:6666                0.0.0.0:*                   LISTEN      8600/startmelange
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3034/mysqld
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      8592/cppop - accept
tcp        0      0 127.0.0.1:783               0.0.0.0:*                   LISTEN      19979/spamd.pid --m
tcp        0      0 0.0.0.0:2095                0.0.0.0:*                   LISTEN      8575/cpsrvd - waiti
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3363/portsentry
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      2727/xinetd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      31480/httpd
tcp        0      0 0.0.0.0:2096                0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      2812/exim
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      7257/pure-ftpd (SER
tcp        0      0 216.32.90.221:53            0.0.0.0:*                   LISTEN      5971/named
tcp        0      0 216.32.90.219:53            0.0.0.0:*                   LISTEN      5971/named
tcp        0      0 216.32.90.220:53            0.0.0.0:*                   LISTEN      5971/named
tcp        0      0 216.32.90.218:53            0.0.0.0:*                   LISTEN      5971/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      5971/named
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2713/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2691/cupsd
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      5971/named
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2804/exim
tcp        0      0 0.0.0.0:26                  0.0.0.0:*                   LISTEN      2808/exim
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      31480/httpd
udp        0      0 0.0.0.0:32804               0.0.0.0:*                               5971/named
udp        0      0 216.32.90.221:53            0.0.0.0:*                               5971/named
udp        0      0 216.32.90.219:53            0.0.0.0:*                               5971/named
udp        0      0 216.32.90.220:53            0.0.0.0:*                               5971/named
udp        0      0 216.32.90.218:53            0.0.0.0:*                               5971/named
udp        0      0 127.0.0.1:53                0.0.0.0:*                               5971/named
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               2691/cupsd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     10505  3034/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     163151 7261/pure-authd     /var/run/ftpd.sock
Even though cPanel uses Exim, can't some programs use sendmail?

chirpy
That output appears to be fine. Yes, /usr/sbin/sendmail (which is basically a wrapper for exim) can be used, but it should not show up in the way it does in your initial post (i.e. listening for connections).
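The checks chirpy walks through above (find the PID of the process claiming to be sendmail, look at its open files with lsof, then audit listeners with netstat -lpn) together with the point in this last reply that /usr/sbin/sendmail on a cPanel box is only a wrapper for exim and should never itself be listening, turned into one small triage script. This is an added example, not code posted in the thread or shipped by cPanel. It assumes Linux with /proc, and that on the server /usr/sbin/sendmail resolves to exim (check with `ls -l /usr/sbin/sendmail`); the netstat sample and the allow list of program names are constructed for the demo and should be edited to match the real box.

```shell
#!/bin/sh
# Added example for this thread, not code posted by chirpy or dkz.
# Assumptions: Linux /proc is available; /usr/sbin/sendmail is the exim wrapper, so a
# genuine "sendmail" process resolves to the exim binary. SAMPLE_NETSTAT and ALLOWED
# below are constructed for the demo.

# classify_proc CLAIMED_NAME EXE_PATH
# CLAIMED_NAME is what ps/top/htop display (argv, which any process may rewrite);
# EXE_PATH is what /proc/PID/exe really points to, which a process cannot fake.
classify_proc() {
  case "$1" in
    sendmail*|exim*)
      case "$2" in
        /usr/sbin/exim*|/usr/sbin/sendmail) echo "genuine" ;;
        /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)"*)
          echo "suspect: mail daemon name but binary runs from $2" ;;
        *) echo "suspect: claims to be a mail daemon but exe is $2" ;;
      esac ;;
    *) echo "unknown: no rule for '$1'" ;;
  esac
}

# live_triage PID: the lsof step from the thread, driven off /proc so the name the
# process advertises can be compared with the binary that is actually running.
live_triage() {
  pid=$1
  [ -d "/proc/$pid" ] || { echo "no process $pid"; return 1; }
  claimed=$(tr '\0' ' ' < "/proc/$pid/cmdline")
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
  echo "pid $pid claims : $claimed"
  echo "pid $pid exe    : ${exe:-?}"
  echo "pid $pid cwd    : $(readlink "/proc/$pid/cwd" 2>/dev/null)"
  echo "verdict        : $(classify_proc "$claimed" "$exe")"
  if command -v lsof >/dev/null 2>&1; then
    lsof -n -p "$pid"          # open files and sockets, as chirpy suggests
  else
    ls -l "/proc/$pid/fd"      # fallback when lsof is not installed
  fi
}

# flag_listeners ALLOWED_PROGS: read `netstat -lpn` output on stdin and print every
# listening socket whose program name is not in the comma-separated allow list.
# A listener called "sendmail" is always reported: on an exim host nothing should
# be accepting connections under that name.
flag_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^(tcp|udp)/ {
      if (match($0, /[0-9]+\/[^ ]+/)) {
        pp = substr($0, RSTART, RLENGTH)   # "PID/program", e.g. 2804/exim
        split(pp, p, "/")
        if (p[2] == "sendmail" || !(p[2] in ok)) print $4, pp
      } else {
        print $4, "no PID shown (run netstat as root)"
      }
    }'
}

# Constructed sample in the format of the netstat -lpn output posted above, plus one
# line (4242/sendmail on port 6667) that an exim box should never show.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:2082                0.0.0.0:*                   LISTEN      8575/cpsrvd - waiti
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      31480/httpd
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2804/exim
tcp        0      0 0.0.0.0:6667                0.0.0.0:*                   LISTEN      4242/sendmail
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2713/sshd
udp        0      0 0.0.0.0:32804               0.0.0.0:*                               5971/named'
# Made-up allow list based on the programs in the posted output; edit for your server.
ALLOWED='cpsrvd,httpd,exim,sshd,named,mysqld,pure-ftpd,stunnel-4.04lo,cppop,spamd.pid,xinetd,portsentry,cupsd,entropychat,startmelange'

if [ $# -ge 1 ]; then
  live_triage "$1"                                   # usage: sh triage.sh <PID>
else
  printf '%s\n' "$SAMPLE_NETSTAT" | flag_listeners "$ALLOWED"
  # on the real box: netstat -lpn | flag_listeners "$ALLOWED"
fi
```

Run it with a PID while the bogus "sendmail: accepting connections" process is actually present; the verdict line is the part that matters, since a process title can say anything but /proc/PID/exe cannot. If the exe lives under /tmp, /dev/shm, or shows "(deleted)", stop and get the box looked at, as chirpy advises.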