
sendmail: accepting connections & Lots of PHP Commands & Another Question

Discussion in 'E-mail Discussions' started by dkz, Jul 19, 2005.

  1. dkz

    dkz Well-Known Member

    Joined:
    Sep 10, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    I have a client with a busy site but lately his site has started to put a strain on my server. Every few hours or less the server load climbs up to 40 and there is a ton of /usr/bin/php index.php processes listed in htop (same thing as top but better). It then creates a bottleneck and no php scripts can be processed from any user. Could this be a configuration problem somewhere? I do have phpsuexec enabled and I am running php 5.0.4. The problem was happening with php 4.3.11 as well. I upgraded a couple of days ago.


    Today I also checked out CPU/Memory/MySQL Usage in WHM and found this for the same user. Is/was the user sending out mass e-mail?
    Top Process %CPU 92.3 sendmail: accepting connections
    Top Process %CPU 57.6 sendmail: accepting connections
    Top Process %CPU 53.0 sendmail: accepting connections
    I tailed the exim main log when I saw this but there were no e-mails from this user being sent out.

    I have one last question. How many connections can your apache server process and how many per second?

    Maybe one more question. How do you know when you need more memory? The server in question is an AMD 2600 with 512MB of ram. The average amount of ram being used is 212MB and average swap is around 300MB with low IOwait. I'm sure an extra 512 would be beneficial but is it needed?


    I know my questions are all over the place but I don't want to have 4 separate threads open.
    Thanks for the help...
     
    #1 dkz, Jul 19, 2005
    Last edited: Jul 19, 2005
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Erm, sendmail should not be running at all. cPanel uses exim as its MTA - are you sure that those are sendmail daemons and not simply exploits running under an assumed name?
     
  3. dkz

    dkz Well-Known Member

    Joined:
    Sep 10, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Nope, I'm not sure. How would I check for that? It's the first time I have seen this.

    Thanks.
     
  4. dkz

    dkz Well-Known Member

    Joined:
    Sep 10, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    I also just received 5 e-mails from APF about a possible DOS attack and blocking the IPs. I also just heard of FloodGuard this morning but the developer's site is down so I can't find out more about it. Is this a good product? Is it a replacement for APF or another level of security?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you don't know how to determine if those processes are genuine or not, I would strongly recommend that you either hire a server administrator or ask your datacentre as appropriate to investigate for you as your server may be compromised. It could also be innocent, but without checking it's impossible to say.

    The first step would be to login to the root shell and determine the PID of the process claiming to be sendmail and then check if it has files open that you'd expect:

    lsof | grep PID

    You should also check your bound ports to ensure that there aren't any open that shouldn't be:

    netstat -lpn
     
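A way to run the check above against Linux /proc when lsof is not available, as an added example that is not code from the thread: it lists every process whose command line claims to be sendmail, shows the binary each one really runs from, and flags any that is not one of the expected paths. The allowlist of /usr/sbin/exim and /usr/sbin/sendmail is an assumption based on the wrapper relationship described later in the thread; the script assumes Linux /proc and a root shell.

```shell
#!/bin/sh
# Added example, not code from the thread. Inspect processes that advertise
# themselves as "sendmail" via Linux /proc, which works even when lsof is
# missing. Run as root so every /proc/PID entry is readable.
# Expected binaries behind a genuine sendmail on cPanel (assumption: the exim
# binary and the sendmail wrapper that hands off to it).
EXPECTED_SENDMAIL_EXES="/usr/sbin/exim /usr/sbin/sendmail"

# Print the on-disk executable behind PID. A trailing " (deleted)" means the
# binary was removed after launch, a classic sign of something to look at.
real_exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# argv[0] (what top/htop/ps show) can be set to anything, so judge a process
# by the executable it really runs. Returns 0 when that path is in the
# space-separated allowlist given as $2, 1 otherwise.
exe_in_allowlist() {
    exe=$(real_exe_of "$1") || return 1
    exe=${exe% (deleted)}
    for allowed in $2; do
        [ "$exe" = "$allowed" ] && return 0
    done
    return 1
}

# Emit the PIDs whose command line starts with NAME or contains "/NAME".
pids_claiming() {
    for d in /proc/[0-9]*; do
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || continue
        case "$cmd" in
            "$1"*|*"/$1"*) echo "${d#/proc/}" ;;
        esac
    done
}

# Real binary, working directory and open descriptors (files, sockets) for PID.
report_pid() {
    echo "PID $1: exe=$(real_exe_of "$1") cwd=$(readlink "/proc/$1/cwd" 2>/dev/null)"
    ls -l "/proc/$1/fd" 2>/dev/null | awk 'NR > 1 {print "  fd: " $NF}'
}
for p in $(pids_claiming sendmail); do
    if exe_in_allowlist "$p" "$EXPECTED_SENDMAIL_EXES"; then
        echo "PID $p runs an expected binary"
    else
        echo "PID $p claims to be sendmail but runs $(real_exe_of "$p")"
    fi
    report_pid "$p"
done
```

A process whose exe is not in the allowlist, or whose open descriptors include sockets or files a mailer would never touch, is the case chirpy describes and is worth escalating to the datacentre.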
  6. dkz

    dkz Well-Known Member

    Joined:
    Sep 10, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the help Chirpy!

    This server is actually a managed server but I prefer to learn rather than have someone do it for me. Have you ever heard the story with the man and a fish? Of course if this is over my head or it's really serious I will contact someone with more knowledge than me.

    Right now I do not see any sendmail processes running so I can't run the command lsof | grep PID


    I did run the netstat -lpn and here are the results.
    Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
    tcp        0      0 0.0.0.0:1                   0.0.0.0:*                   LISTEN      3363/portsentry
    tcp        0      0 0.0.0.0:2082                0.0.0.0:*                   LISTEN      8575/cpsrvd - waiti
    tcp        0      0 0.0.0.0:2083                0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
    tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
    tcp        0      0 0.0.0.0:2084                0.0.0.0:*                   LISTEN      8596/entropychat
    tcp        0      0 0.0.0.0:2086                0.0.0.0:*                   LISTEN      8575/cpsrvd - waiti
    tcp        0      0 0.0.0.0:2087                0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
    tcp        0      0 0.0.0.0:6666                0.0.0.0:*                   LISTEN      8600/startmelange
    tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3034/mysqld
    tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      8592/cppop - accept
    tcp        0      0 127.0.0.1:783               0.0.0.0:*                   LISTEN      19979/spamd.pid --m
    tcp        0      0 0.0.0.0:2095                0.0.0.0:*                   LISTEN      8575/cpsrvd - waiti
    tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3363/portsentry
    tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      2727/xinetd
    tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      31480/httpd
    tcp        0      0 0.0.0.0:2096                0.0.0.0:*                   LISTEN      8632/stunnel-4.04lo
    tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      2812/exim
    tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      7257/pure-ftpd (SER
    tcp        0      0 216.32.90.221:53            0.0.0.0:*                   LISTEN      5971/named
    tcp        0      0 216.32.90.219:53            0.0.0.0:*                   LISTEN      5971/named
    tcp        0      0 216.32.90.220:53            0.0.0.0:*                   LISTEN      5971/named
    tcp        0      0 216.32.90.218:53            0.0.0.0:*                   LISTEN      5971/named
    tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      5971/named
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2713/sshd
    tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2691/cupsd
    tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      5971/named
    tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2804/exim
    tcp        0      0 0.0.0.0:26                  0.0.0.0:*                   LISTEN      2808/exim
    tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      31480/httpd
    udp        0      0 0.0.0.0:32804               0.0.0.0:*                               5971/named
    udp        0      0 216.32.90.221:53            0.0.0.0:*                               5971/named
    udp        0      0 216.32.90.219:53            0.0.0.0:*                               5971/named
    udp        0      0 216.32.90.220:53            0.0.0.0:*                               5971/named
    udp        0      0 216.32.90.218:53            0.0.0.0:*                               5971/named
    udp        0      0 127.0.0.1:53                0.0.0.0:*                               5971/named
    udp        0      0 0.0.0.0:631                 0.0.0.0:*                               2691/cupsd
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     10505  3034/mysqld         /var/lib/mysql/mysql.sock
    unix  2      [ ACC ]     STREAM     LISTENING     163151 7261/pure-authd     /var/run/ftpd.sock
    
    Even though cPanel uses Exim, can't some programs use sendmail?
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That output appears to be fine. Yes, /usr/sbin/sendmail (which is basically a wrapper for exim) can be used, but it should not show up in the way it does in your initial post (i.e. listening for connections).
     