blairp36

Active Member
Apr 17, 2003
40
0
156
Just turned on extended logging in exim. Went through the log (exim_mainlog) and have thousands of these:

2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-01-08 01:44:12 cwd=/tmp 2 args: /usr/sbin/sendmail -ti
2007-01-08 01:44:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS

They are going out at about 100 per min. Bandwidth use way up.

Looked in the /tmp dir. and see nothing interesting. /tmp seems secure. Looks like sendmail has been hijacked. Not sure what to look for now.

# mount
/dev/hda3 on / type ext3 (rw,usrquota)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hda1 on /boot type ext3 (rw)
/dev/hdb1 on /backup type ext3 (rw,usrquota)
/usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
/tmp on /var/tmp type none (rw,noexec,nosuid,bind)
none on /dev/shm type tmpfs (rw,noexec,nosuid)

# cat /etc/fstab |grep tmp
none /dev/shm tmpfs noexec,nosuid 0 0
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
31
473
Go on, have a guess
That usually means that there is a script in /tmp that's sending out email, possibly spam. You need to check all the files in /tmp and see if they are perl or php scripts. If you don't find anything, the file could still be open, but deleted. You can check for that with:

lsof /tmp
 

blairp36

Active Member
Apr 17, 2003
40
0
156
Thanks.... Looked in /tmp and found nothing.

# lsof /tmp
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 3202 mysql 6u REG 7,0 0 14 /tmp/ibyX8Ojk (deleted)
mysqld 3202 mysql 7u REG 7,0 0 21 /tmp/ibWV7cv0 (deleted)
mysqld 3202 mysql 8u REG 7,0 0 22 /tmp/ibq4IZIG (deleted)
mysqld 3202 mysql 12u REG 7,0 0 23 /tmp/ibC3sLbn (deleted)
httpd 5389 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
leechprot 6298 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23501 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23506 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23507 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23640 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23653 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23762 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 25581 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 25584 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 28015 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 28260 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)

I wonder if it's Boxtrapper sending out the reply emails. I could be on the wrong path.
My searching started when I saw the bandwidth go way up on a lightly used server. The only thing I've found is a named process running for 30-60 min. at a time. Never seen the name server run like that.

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
2795 named 24 0 6848 6508 2036 S 73.3 0.6 41:18 0 /usr/sbin/named -u named

The %cpu is way up. Sometime around 99%
 
Last edited:
Thread starter Similar threads Forum Replies Date
benito Email 6
Mauritz Email 2
V Email 2
B Email 0
C Email 2