
Sendmail problems...

Discussion in 'E-mail Discussion' started by blairp36, Jan 8, 2007.

  1. blairp36 (Active Member)

    Just turned on extended logging in exim. Went through the log (exim_mainlog) and have thousands of these:

    2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2007-01-08 01:44:12 cwd=/tmp 2 args: /usr/sbin/sendmail -ti
    2007-01-08 01:44:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS

    They are going out at about 100 per min. Bandwidth use way up.

    Looked in the /tmp dir and saw nothing interesting. /tmp seems secure. Looks like sendmail has been hijacked. Not sure what to look for now.

    # mount
    /dev/hda3 on / type ext3 (rw,usrquota)
    none on /proc type proc (rw)
    none on /dev/pts type devpts (rw,gid=5,mode=620)
    usbdevfs on /proc/bus/usb type usbdevfs (rw)
    /dev/hda1 on /boot type ext3 (rw)
    /dev/hdb1 on /backup type ext3 (rw,usrquota)
    /usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
    /tmp on /var/tmp type none (rw,noexec,nosuid,bind)
    none on /dev/shm type tmpfs (rw,noexec,nosuid)

    # cat /etc/fstab |grep tmp
    none /dev/shm tmpfs noexec,nosuid 0 0
     
  2. chirpy (Well-Known Member)

    That usually means that there is a script in /tmp that's sending out email, possibly spam. You need to check all the files in /tmp and see if they are perl or php scripts. If you don't find anything, the file could still be open, but deleted. You can check for that with:

    lsof /tmp
     
  3. blairp36 (Active Member)

    Thanks.... Looked in /tmp and found nothing.

    # lsof /tmp
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    mysqld 3202 mysql 6u REG 7,0 0 14 /tmp/ibyX8Ojk (deleted)
    mysqld 3202 mysql 7u REG 7,0 0 21 /tmp/ibWV7cv0 (deleted)
    mysqld 3202 mysql 8u REG 7,0 0 22 /tmp/ibq4IZIG (deleted)
    mysqld 3202 mysql 12u REG 7,0 0 23 /tmp/ibC3sLbn (deleted)
    httpd 5389 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    leechprot 6298 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23501 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23506 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23507 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23640 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23653 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 23762 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 25581 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 25584 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 28015 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
    httpd 28260 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)

    I wonder if it's Boxtrapper sending out the reply emails. I could be on the wrong path.
    My searching started when I saw the bandwidth go way up on a lightly used server. The only thing I've found is a named process running for 30-60 min. at a time. Never seen the name server run like that.

    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
    2795 named 24 0 6848 6508 2036 S 73.3 0.6 41:18 0 /usr/sbin/named -u named

    The %CPU is way up, sometimes around 99%.
     
    #3 blairp36, Jan 10, 2007
    Last edited: Jan 10, 2007
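Two checks from this thread, as an added example rather than anything posted by blairp36 or chirpy: counting sendmail invocations per minute and per cwd from exim's extended logging (the `cwd=/tmp ... args: /usr/sbin/sendmail` lines in post #1), and parsing `lsof /tmp` output for deleted-but-open files held by a scripting interpreter (chirpy's check in post #2). The log and lsof lines below are constructed in the shape the thread shows; the `/home/example/public_html` path, the `perl` entry and the threshold of 3 per minute are assumptions for the demo, not values from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape the thread shows (not the poster's full logs).
SAMPLE_EXIM_LOG = """\
2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-01-08 01:44:12 cwd=/tmp 2 args: /usr/sbin/sendmail -ti
2007-01-08 01:44:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-01-08 01:45:03 cwd=/home/example/public_html 2 args: /usr/sbin/sendmail -t
"""
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 3202 mysql 6u REG 7,0 0 14 /tmp/ibyX8Ojk (deleted)
httpd 5389 root 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
httpd 23501 nobody 4u REG 7,0 0 24 /tmp/ZCUDUPqfDQ (deleted)
perl 24910 nobody 3r REG 7,0 0 40 /tmp/.x (deleted)
"""

# exim extended logging: "<date> <hh:mm>:<ss> cwd=<dir> <n> args: <argv>"
EXIM_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} cwd=(\S+) \d+ args: (.*)$")
# Interpreters that should not normally hold deleted files open in /tmp on a web host (assumed list)
INTERPRETERS = {"perl", "php", "python", "sh", "bash"}

def sendmail_calls(log_text):
    """Count sendmail invocations per (minute, cwd) from exim extended logging."""
    counts = Counter()
    for line in log_text.splitlines():
        m = EXIM_RE.match(line)
        if m and "/sendmail" in m.group(3):
            counts[(m.group(1), m.group(2))] += 1
    return counts

def flag_bursts(counts, per_minute):
    """Return the (minute, cwd) pairs at or above the given rate, sorted."""
    return sorted(k for k, n in counts.items() if n >= per_minute)

def deleted_open_files(lsof_text):
    """Map each deleted-but-still-open path to the set of (command, user) holding it."""
    holders = defaultdict(set)
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[-1] == "(deleted)":
            holders[f[-2]].add((f[0], f[2]))
    return dict(holders)

def suspect_paths(holders):
    """Deleted files held by a scripting interpreter: what the lsof check is looking for.
    mysqld's ib* temp files and httpd children sharing one inode are expected noise."""
    return sorted(p for p, who in holders.items() if any(c in INTERPRETERS for c, _ in who))
```

On the real server the same functions would be fed `/var/log/exim_mainlog` and the output of `lsof /tmp`; a cwd that is bursting while no interpreter shows up in lsof points at a script that was run and removed rather than one still resident.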