sendmail out of control

Discussion in 'E-mail Discussion' started by AlexandreVeezon, Jul 27, 2006.

  1. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Hi people ;)

    Well, I have a question.
    I have too many sendmail processes running on the machine, and those processes are consuming too much CPU:

    Code:
    25541 root      33   8  6496  860  804 R  3.9  0.1 158:27.96 sendmail
    29327 root      33   8  6172 1032  976 R  3.9  0.1 115:31.25 sendmail
    29640 root      33   8  7260 1032  976 R  3.9  0.1 126:22.58 sendmail
    29684 root      33   8  5532 1032  976 R  3.9  0.1 101:19.27 sendmail
     7878 root      33   8  7156 1032  976 R  3.9  0.1  58:40.82 sendmail
     8620 root      33   8  5716 1032  976 R  3.9  0.1  79:11.43 sendmail
    28857 root      33   8  5560 1292 1236 R  3.9  0.1  48:49.04 sendmail
    11237 root      33   8  6924 1296 1240 R  3.9  0.1  47:46.65 sendmail
    16252 root      33   8  5500 1928 1388 R  3.9  0.2  32:25.67 sendmail
    25500 root      33   8  6932 1928 1392 R  3.9  0.2   2:56.43 sendmail
    24853 root      33   8  5960  868  812 R  3.0  0.1 155:20.36 sendmail
     9628 root      33   8  5780  852  796 R  2.0  0.1 334:01.52 sendmail
    10156 root      33   8  6660  852  796 R  2.0  0.1 333:59.12 sendmail
     4050 root      33   8  6028  860  804 R  2.0  0.1 260:25.67 sendmail
    Sometimes this percentage goes up to 45% or 65%... :eek:

    in exim_mainlog I catch:
    Code:
    2006-07-23 04:12:10 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 04:12:15 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 04:12:22 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 04:12:26 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 06:24:04 H=88-104-204-124.dynamic.dsl.as9105.com (25D1678) [88.104.204.124] F=<EttacoyCraig@rgwuelfing.com> rejected RCPT <filial@foggiatto.net>: 88-104-204-124.dynamic.dsl.as9105.com (25D1678) [88.104.204.124] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
    2006-07-23 07:04:45 H=(dslb-088-072-047-025.pools.arcor-ip.net) [88.72.47.25] sender verify fail for <orxshcv@7nebo.com>: unrouteable mail domain "7nebo.com"
    Well, this is just a little bit of exim_mainlog. I have much more :)
    Looks like sendmail is going crazy. Obviously this is spam, or someone trying, but I could not stop this! I need some help...

    Any ideas?
    Thank you friends
     
  2. nickp666

    nickp666 Well-Known Member

    Do you have a large amount in your outgoing mail queue? (I can't remember if exim uses a binary called sendmail to send mail out; I don't think it does, so check the processes carefully. I could be wrong though.)
     
  3. chirpy

    chirpy Well-Known Member

    I agree. You need to investigate those processes very carefully since the sendmail binary is simply a wrapper for exim and it's very unusual to see such processes running. Make sure they're not an obfuscated exploit.
     
  4. chirpy

    chirpy Well-Known Member

    No, you really need to check those processes using lsof and make sure they're actually sendmail binaries and not obfuscated scripts.
     
  5. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Sure, Mail queue is not too large.

    So I have to scan other things and look what is calling sendmail, right?
    OK, I'll post the answer here..

    thank you guys. ;)
    you always help me hehehe :D
     
  6. ramprage

    ramprage Well-Known Member

    Try things like:

    ls -lah /proc/28857

    and

    netstat -anp |grep 28857

    See what they are...
     
  7. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Hi again

    Well, looking at the proc folder, I'm a little confused..
    For example:

    in dir /proc/28283 (sendmail)
    cwd -> /var/spool/
    exe -> /usr/bin/perl*

    Code:
    cat cmdline
    /usr/local/bin/perl/usr/sbin/sendmail-FCronDaemon-i-odi-oem-oi-troot
    
    The exe, this must be /usr/bin/sendmail, right?

    I already ran nobody_check, libsafe to search for exploits, and clamscan to search for any malicious scripts... but nothing can stop these sendmail processes and I cannot stop this
    :(

    Well.. and now? I don't know what to do :confused:
     
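The check suggested in the replies above (compare what a process calls itself with what `/proc/<pid>/exe` and `/proc/<pid>/cmdline` record), as an added example that is not part of the original thread. `PROC_ROOT` and `EXPECTED_SENDMAIL` are assumptions of this example and should be set to match the host being checked.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. PROC_ROOT and EXPECTED_SENDMAIL are
# assumptions: override them to match the host being checked.
PROC_ROOT="${PROC_ROOT:-/proc}"
EXPECTED_SENDMAIL="${EXPECTED_SENDMAIL:-/usr/sbin/sendmail}"

# argv of a PID, one argument per line. The kernel stores it NUL-separated,
# which is why a plain `cat cmdline` shows the arguments run together.
proc_argv() { tr '\0' '\n' 2>/dev/null < "$PROC_ROOT/$1/cmdline"; }

# Path of the file actually being executed, as recorded by the kernel.
proc_exe() { readlink "$PROC_ROOT/$1/exe" 2>/dev/null; }

# Classify one PID that shows up as "sendmail":
#   binary    exe is the expected sendmail path
#   wrapper   exe is an interpreter running the expected sendmail script
#   deleted   the executable was unlinked after the process started
#   mismatch  the name says sendmail but exe/argv point somewhere else
classify_pid() {
    local exe script
    exe=$(proc_exe "$1") || { echo unreadable; return 0; }
    case "$exe" in
        *" (deleted)")        echo deleted; return 0 ;;
        "$EXPECTED_SENDMAIL") echo binary;  return 0 ;;
    esac
    # First argument after argv[0] that is not an option is the script path.
    script=$(proc_argv "$1" | awk 'NR > 1 && !/^-/ { print; exit }')
    if [ "$script" = "$EXPECTED_SENDMAIL" ]; then echo wrapper; else echo mismatch; fi
}

# Print "PID verdict exe" for every process whose name or argv mentions sendmail.
scan_sendmail() {
    local dir pid
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        pid=${dir##*/}
        if proc_argv "$pid" | grep -q sendmail ||
           grep -qx sendmail "$dir/comm" 2>/dev/null; then
            printf '%s %s %s\n' "$pid" "$(classify_pid "$pid")" "$(proc_exe "$pid")"
        fi
    done
}

scan_sendmail   # run as root so every /proc/<pid>/exe link is readable
```

A `wrapper` verdict still deserves a look at the script file itself; `mismatch` and `deleted` are the rows to investigate first.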
  8. nickp666

    nickp666 Well-Known Member

    try stopping sendmail, does it go away?

    e.g. service sendmail stop or /etc/init.d/sendmail stop
     
  9. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Hmm, to stop sendmail I just rename the binary, but that is not the best thing...
     
  10. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    If you stop the service, do all of the procs disappear? If they do, remove it.
     
  11. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    :)

    It works, but if I do this, exim cannot send email hehehe.
    These processes were initiated by exim... the real question is why the machine is using more than 1 sendmail process. :)

    I'm searching.. searching..
     
  12. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    well

    /scripts/eximup --force

    I guess this solves the issue now.. let's monitor for a while longer :)
     
  13. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Solved!!

    yep!

    Solved!

    Thank you for all the help... see ya in the next question hehe :D
     