sendmail out of control

Discussion in 'E-mail Discussions' started by AlexandreVeezon, Jul 27, 2006.

  1. AlexandreVeezon

    AlexandreVeezon Well-Known Member

    Joined:
    Dec 9, 2005
    Messages:
    99
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    /br/sc/rionegrinho
    cPanel Access Level:
    Root Administrator
    Hi people ;)

    Well, I have a question.
    I have too many sendmail processes running on the machine, and those processes are consuming too much CPU:

    Code:
    25541 root      33   8  6496  860  804 R  3.9  0.1 158:27.96 sendmail
    29327 root      33   8  6172 1032  976 R  3.9  0.1 115:31.25 sendmail
    29640 root      33   8  7260 1032  976 R  3.9  0.1 126:22.58 sendmail
    29684 root      33   8  5532 1032  976 R  3.9  0.1 101:19.27 sendmail
     7878 root      33   8  7156 1032  976 R  3.9  0.1  58:40.82 sendmail
     8620 root      33   8  5716 1032  976 R  3.9  0.1  79:11.43 sendmail
    28857 root      33   8  5560 1292 1236 R  3.9  0.1  48:49.04 sendmail
    11237 root      33   8  6924 1296 1240 R  3.9  0.1  47:46.65 sendmail
    16252 root      33   8  5500 1928 1388 R  3.9  0.2  32:25.67 sendmail
    25500 root      33   8  6932 1928 1392 R  3.9  0.2   2:56.43 sendmail
    24853 root      33   8  5960  868  812 R  3.0  0.1 155:20.36 sendmail
     9628 root      33   8  5780  852  796 R  2.0  0.1 334:01.52 sendmail
    10156 root      33   8  6660  852  796 R  2.0  0.1 333:59.12 sendmail
     4050 root      33   8  6028  860  804 R  2.0  0.1 260:25.67 sendmail
    Sometimes this percentage goes up to 45% or 65%... :eek:

    In exim_mainlog I catch:
    Code:
    2006-07-23 04:12:10 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 04:12:15 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 04:12:22 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 04:12:26 H=(h57576.serverkompetenz.net) [81.169.128.45] F=<> rejected RCPT <cartoes@cards.com>:
    2006-07-23 06:24:04 H=88-104-204-124.dynamic.dsl.as9105.com (25D1678) [88.104.204.124] F=<EttacoyCraig@rgwuelfing.com> rejected RCPT <filial@foggiatto.net>: 88-104-204-124.dynamic.dsl.as9105.com (25D1678) [88.104.204.124] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
    2006-07-23 07:04:45 H=(dslb-088-072-047-025.pools.arcor-ip.net) [88.72.47.25] sender verify fail for <orxshcv@7nebo.com>: unrouteable mail domain "7nebo.com"
    Well, this is just a little bit of exim_mainlog. I have too much :)
    Looks like sendmail is going crazy. Obviously this is spam, or someone trying, but I could not stop this! I need some help...

    Any ideas?
    Thank you friends
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    Do you have a large amount in your outgoing mail queue? (I can't remember if exim uses a binary called sendmail to send mail out; I don't think it does, so check the processes carefully. I could be wrong though.)
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I agree. You need to investigate those processes very carefully since the sendmail binary is simply a wrapper for exim and it's very unusual to see such processes running. Make sure they're not an obfuscated exploit.
     
  4. chirpy

    No, you really need to check those processes using lsof and make sure they're actually sendmail binaries and not obfuscated scripts.
     
  5. AlexandreVeezon

    Sure, the mail queue is not too large.

    So I have to scan other things and look at what is calling sendmail, right?
    OK, I'll look and post the answer here..

    thank you guys. ;)
    you always help me hehehe :D
     
  6. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Try things like:

    ls -lah /proc/28857

    and

    netstat -anp |grep 28857

    See what they are...
     
  7. AlexandreVeezon

    Hi again

    Well, looking at the proc folder, I'm a little confused..
    For example:

    in dir /proc/28283 (sendmail)
    cwd -> /var/spool/
    exe -> /usr/bin/perl*

    Code:
    cat cmdline
    /usr/local/bin/perl/usr/sbin/sendmail-FCronDaemon-i-odi-oem-oi-troot
    
    The exe, this must be /usr/bin/sendmail right?

    I already ran nobody_check, libsafe to search for exploits, and clamscan to search for any malicious scripts... but nothing can stop these sendmail processes and I cannot stop this
    :(

    Well.. and now? I don't know what to do :confused:
     
  8. nickp666

    Try stopping sendmail; does it go away?

    e.g. service sendmail stop or /etc/init.d/sendmail stop
     
  9. AlexandreVeezon

    Hmm, I can stop sendmail just by renaming the binary, but that is not the best thing...
     
  10. nickp666

    If you stop the service, do all of the procs disappear? If they do, remove it
     
  11. AlexandreVeezon

    :)

    It works, but if I do this, exim cannot send email hehehe.
    These processes were initiated by exim... the real question is why the machine is using more than 1 sendmail process. :)

    I'm searching.. searching..
     
  12. AlexandreVeezon

    well

    /scripts/eximup --force

    I guess this solves the issue now.. let's monitor for more time :)
     
  13. AlexandreVeezon

    Solved!!

    yep!

    Solved!

    Thank you for all the help... see ya in the next question hehe :D
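
The check suggested in posts 3, 4 and 6 (is a process named sendmail really running a sendmail binary?), written out as an added example that is not part of the thread. `PROC_ROOT` and the function names are hypothetical; the sample for PID 28283 is built from post 7 with the argument boundaries assumed, and PID 4242 is entirely constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare a process's name with what it runs.
# Both PID directories below are constructed stand-ins for /proc entries.
PROC_ROOT=$(mktemp -d)            # set PROC_ROOT=/proc instead on a live host
trap 'rm -rf "$PROC_ROOT"' EXIT
mkdir "$PROC_ROOT/28283" "$PROC_ROOT/4242"

# PID 28283 mirrors post 7; the argument boundaries are an assumption.
echo sendmail > "$PROC_ROOT/28283/comm"
ln -s /usr/bin/perl "$PROC_ROOT/28283/exe"
printf '/usr/local/bin/perl\000/usr/sbin/sendmail\000-FCronDaemon\000-i\000-odi\000-oem\000-oi\000-t\000root\000' \
    > "$PROC_ROOT/28283/cmdline"

# PID 4242 is a constructed case where name and executable agree.
echo exim > "$PROC_ROOT/4242/comm"
ln -s /usr/sbin/exim "$PROC_ROOT/4242/exe"
printf '/usr/sbin/exim\000-bd\000-q60m\000' > "$PROC_ROOT/4242/cmdline"

# argv as one line: the kernel separates arguments with NUL bytes, which is
# why a plain "cat cmdline" shows them run together.
proc_argv() {
    tr '\000' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//'
}

# Path of the executable image the kernel actually mapped for this PID.
proc_exe() {
    readlink "$PROC_ROOT/$1/exe"
}

# "binary" when the process name equals the executable's basename,
# "via:<exe>" when something else (e.g. an interpreter) is doing the running,
# "deleted:<exe>" when the file was unlinked after the process started.
proc_kind() {
    name=$(cat "$PROC_ROOT/$1/comm")
    exe=$(proc_exe "$1") || { echo "unreadable"; return 0; }
    case $exe in
        *" (deleted)") echo "deleted:${exe% (deleted)}" ;;
        */"$name")     echo "binary" ;;
        *)             echo "via:$exe" ;;
    esac
}

for pid in 28283 4242; do
    printf '%s\t%s\t%s\n' "$pid" "$(proc_kind "$pid")" "$(proc_argv "$pid")"
done
```

A `via:` result for a process listed as sendmail means the second argv entry is the script to read next; reading another user's `exe` link on a live host requires root.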
     