sendmail out of control

Hi people

Well, I have a question.
I have too much sendmail processes running in machine, those proccess are consuming too much cpu:

Code:

25541 root      33   8  6496  860  804 R  3.9  0.1 158:27.96 sendmail
29327 root      33   8  6172 1032  976 R  3.9  0.1 115:31.25 sendmail
29640 root      33   8  7260 1032  976 R  3.9  0.1 126:22.58 sendmail
29684 root      33   8  5532 1032  976 R  3.9  0.1 101:19.27 sendmail
 7878 root      33   8  7156 1032  976 R  3.9  0.1  58:40.82 sendmail
 8620 root      33   8  5716 1032  976 R  3.9  0.1  79:11.43 sendmail
28857 root      33   8  5560 1292 1236 R  3.9  0.1  48:49.04 sendmail
11237 root      33   8  6924 1296 1240 R  3.9  0.1  47:46.65 sendmail
16252 root      33   8  5500 1928 1388 R  3.9  0.2  32:25.67 sendmail
25500 root      33   8  6932 1928 1392 R  3.9  0.2   2:56.43 sendmail
24853 root      33   8  5960  868  812 R  3.0  0.1 155:20.36 sendmail
 9628 root      33   8  5780  852  796 R  2.0  0.1 334:01.52 sendmail
10156 root      33   8  6660  852  796 R  2.0  0.1 333:59.12 sendmail
 4050 root      33   8  6028  860  804 R  2.0  0.1 260:25.67 sendmail

Sometimes, this percents UPs to 45% or 65%...

in exim_mainlog I catch:

Code:

2006-07-23 04:12:10 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
2006-07-23 04:12:15 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
2006-07-23 04:12:22 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
2006-07-23 04:12:26 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
2006-07-23 06:24:04 H=88-104-204-124.dynamic.dsl.as9105.com (25D1678) [88.104.204.124] F=<EttacoyCraig@rgwuelfing.com> rejected RCPT <filial@foggiatto.net>: 88-104-204-124.dynamic.dsl.as9105.com (25D1678) [88.104.204.124] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2006-07-23 07:04:45 H=(dslb-088-072-047-025.pools.arcor-ip.net) [88.72.47.25] sender verify fail for <orxshcv@7nebo.com>: unrouteable mail domain "7nebo.com"

Well, this is just a little bit of exim_mainlog. I have too much
Looks like sendmail gonna crazy. Obviously this is spam, or anyone trying, but I could not stop this! I need some help...

Any ideas?
Thank you friends

 

Sure, Mail queue is not too large.

So I have to scan other things and look what is calling sendmail, right?
Ok, I'll and post here the answer..

thank you guys.
you always help me hehehe :D

 

Hi again

well, looking at the proc folder, I'm a little confused..
In example:

in dir /proc/28283 (sendmail)
cwd -> /var/spool/
exe -> /usr/bin/perl*

Code:

cat cmdline
/usr/local/bin/perl/usr/sbin/sendmail-FCronDaemon-i-odi-oem-oi-troot

The exe, this must be /usr/bin/sendmail right?

I allready run nobody_check, libsafe to search for exploits, and clamscan to search any malicious scripts... but nothing can stop this sendmail processes and I cannot stop this


Well.. and now? I don't know what to do

 

humm, to stop sendmail just renaming the binary, but is not the best thing...

 

It works, but if I do this, exim cannot send email hehehe.
These processes was initiated by exim... the real question is why the machine is using more than 1 sendmail process.

I'm searching.. searching..

 

well

/scripts/eximup --force

I guess this solve the issue now.. let's monitor more time

 

Solved!!

yep!

Solved!

Thank you for all help... see ya in next question hehe :D