Sendmail problems...

Discussion in 'E-mail Discussions' started by blairp36, Jan 8, 2007.

  1. blairp36 (Active Member, joined Apr 17, 2003)

    Just turned on extended logging in exim. Went through the log (exim_mainlog) and have thousands of these:

    2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-01-08 01:44:12 cwd=/tmp 2 args: /usr/sbin/sendmail -ti
    2007-01-08 01:44:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS

    They are going out at about 100 per min. Bandwidth use way up.

    Looked in the /tmp dir and see nothing interesting. /tmp seems secure. Looks like sendmail has been hijacked. Not sure what to look for now.

    # mount
    /dev/hda3 on / type ext3 (rw,usrquota)
    none on /proc type proc (rw)
    none on /dev/pts type devpts (rw,gid=5,mode=620)
    usbdevfs on /proc/bus/usb type usbdevfs (rw)
    /dev/hda1 on /boot type ext3 (rw)
    /dev/hdb1 on /backup type ext3 (rw,usrquota)
    /usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
    /tmp on /var/tmp type none (rw,noexec,nosuid,bind)
    none on /dev/shm type tmpfs (rw,noexec,nosuid)

    # cat /etc/fstab |grep tmp
    none /dev/shm tmpfs noexec,nosuid 0 0
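As an added example (not from the original thread or from cPanel), the following POSIX shell/awk script summarises log lines in the format shown above. Those lines are what exim writes when the `arguments` log selector is enabled (the "extended logging" the post refers to): the caller's working directory, the argument count and the argv of the sendmail invocation. The script counts invocations per working directory and argument string, and gives a per-minute rate for a chosen directory, which turns "about 100 per min" into a number you can compare against normal traffic. The sample lines are constructed in the post's format; the log path /var/log/exim_mainlog is the usual cPanel location and is an assumption here.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise sendmail invocations
# recorded by exim's "+arguments" log selector, grouped by cwd and argv.

# Constructed sample in the format shown in the post (not real log data).
SAMPLE_LOG='2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-01-08 01:44:12 cwd=/tmp 2 args: /usr/sbin/sendmail -ti
2007-01-08 01:44:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-01-08 01:45:03 cwd=/home/user/public_html 2 args: /usr/sbin/sendmail -t
2007-01-08 01:45:20 cwd=/tmp 2 args: /usr/sbin/sendmail -bS'

# count_by_cwd: read exim_mainlog lines on stdin, print "count cwd argv",
# most frequent first. Only lines carrying both "cwd=" and "args:" count.
count_by_cwd() {
    awk '
        /cwd=/ && /args:/ {
            cwd = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) { cwd = substr($i, 5) }
            idx = index($0, "args:")
            args = substr($0, idx + 6)     # text after "args: "
            n[cwd " " args]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# per_minute: invocations per minute (date + HH:MM) for the exact cwd given as $1.
per_minute() {
    awk -v want="cwd=$1" '
        $3 == want { split($2, t, ":"); m = $1 " " t[1] ":" t[2]; n[m]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# total_from_cwd: total invocations whose cwd is exactly $1.
total_from_cwd() {
    awk -v want="cwd=$1" '$3 == want { c++ } END { print c + 0 }'
}

# Demo on the constructed sample. On a live cPanel box (assumed log path):
#   count_by_cwd < /var/log/exim_mainlog
#   per_minute /tmp < /var/log/exim_mainlog
printf '%s\n' "$SAMPLE_LOG" | count_by_cwd
printf '%s\n' "$SAMPLE_LOG" | per_minute /tmp
```

A cwd of /tmp, /var/tmp or /dev/shm at the top of the first listing is the thing to chase: legitimate web mail() calls run from the site's document root, not from a world-writable scratch directory.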
     
  2. chirpy (Well-Known Member, joined Jun 15, 2002)

    That usually means that there is a script in /tmp that's sending out email, possibly spam. You need to check all the files in /tmp and see if they are perl or php scripts. If you don't find anything, the file could still be open, but deleted. You can check for that with:

    lsof /tmp
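An added example, not from chirpy's post or from cPanel: a shell script that carries out the two checks described above (scripts left in /tmp, and files that are open but already unlinked) and adds a /proc walk for hosts where lsof is not installed. `lsof +L1` lists unlinked-but-open files system-wide rather than only under /tmp. The lsof sample is constructed in the column layout of `lsof /tmp`; every PID and path in it is made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit /tmp for scripts and for
# open-but-deleted files, the two things a mail-sending script leaves behind.

# Constructed sample in the layout of `lsof /tmp`; PIDs and paths are made up.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 3202 mysql 6u REG 7,0 0 14 /tmp/ibyX8Ojk (deleted)
httpd 5389 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23501 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
perl 4242 nobody 3r REG 7,0 5120 99 /tmp/.x/mailer.pl (deleted)
httpd 23506 nobody 10u REG 7,0 0 30 /tmp/sess_abc'

# deleted_open_files: read lsof output on stdin and print "user command pid path"
# for every open file that has already been unlinked. Paths containing spaces
# are not handled, because lsof prints them unescaped.
deleted_open_files() {
    awk 'NR > 1 && $NF == "(deleted)" { print $3, $1, $2, $(NF-1) }' | sort -u
}

# unique_deleted_paths: the distinct unlinked paths, one per line.
unique_deleted_paths() {
    deleted_open_files | awk '{ print $NF }' | sort -u
}

# scripts_in_tmp: regular files under $1 (default /tmp) that look like shell/perl
# scripts (a "#!" line) or PHP (a "<?php" tag) within their first 512 bytes.
# A dotfile or a .txt/.jpg suffix does not exempt a file; content is what counts.
scripts_in_tmp() {
    dir="${1:-/tmp}"
    find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        if head -c 512 "$f" 2>/dev/null | grep -q -e '^#!' -e '<?php'; then
            printf '%s\n' "$f"
        fi
    done
}

# procs_running_from: without lsof, walk /proc and report processes whose
# executable, cwd or an open fd points under $1 (default /tmp), "(deleted)"
# targets included. Linux only; run as root to see other users' processes.
procs_running_from() {
    dir="${1:-/tmp}"
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        for link in "$p/exe" "$p/cwd" "$p"/fd/*; do
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                "$dir"/*) printf '%s %s -> %s\n' "$pid" "${link#$p/}" "$target" ;;
            esac
        done
    done
}

# Live use, as root:
#   lsof +L1 | deleted_open_files        # unlinked-but-open files, whole system
#   scripts_in_tmp /tmp; scripts_in_tmp /var/tmp; scripts_in_tmp /dev/shm
#   procs_running_from /tmp
printf '%s\n' "$SAMPLE_LSOF" | deleted_open_files
```

Read the output with the process in mind, not just the path: a zero-length `(deleted)` file held by mysqld is how InnoDB keeps its temporary files, whereas an interpreter (perl, php, sh) running as the web server user with its script or cwd under /tmp is exactly what the exim log entries above would be produced by.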
     
  3. blairp36 (Active Member, joined Apr 17, 2003)

    Thanks... Looked in /tmp and found nothing.

    # lsof /tmp
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    mysqld 3202 mysql 6u REG 7,0 0 14 /tmp/ibyX8Ojk (deleted)
    mysqld 3202 mysql 7u REG 7,0 0 21 /tmp/ibWV7cv0 (deleted)
    mysqld 3202 mysql 8u REG 7,0 0 22 /tmp/ibq4IZIG (deleted)
    mysqld 3202 mysql 12u REG 7,0 0 23 /tmp/ibC3sLbn (deleted)
    httpd 5389 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    leechprot 6298 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23501 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23506 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23507 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23640 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23653 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23762 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 25581 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 25584 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 28015 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 28260 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)

    I wonder if it's Boxtrapper sending out the reply emails. I could be on the wrong path.
    My searching started when I saw the bandwidth go way up on a lightly used server. The only thing I've found is a named process running for 30-60 min. at a time. Never seen the name server run like that.

    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
    2795 named 24 0 6848 6508 2036 S 73.3 0.6 41:18 0 /usr/sbin/named -u named

    The %CPU is way up, sometimes around 99%.
     
    #3 blairp36, Jan 10, 2007
    Last edited: Jan 10, 2007