The Community Forums

Interact with an entire community of cPanel & WHM users!

Server busy - is Exim hacked?

Discussion in 'General Discussion' started by mahdionline, Feb 24, 2006.

  1. mahdionline

    mahdionline Well-Known Member

    Hi,
    Our server has become very busy since 3 days ago. I see in WHM that exim -q is the top (heaviest) process on the system.

    I think someone is using our mail server to send mail or ... :confused:

    I shut down Exim with the service Exim stop command, but after a short time I saw that Exim had started again. Then I renamed /usr/sbin/exim, and the server returned to normal.

    What should I do about this problem? Is this a DoS attack?

    Regards
     
  2. MN-Robert

    MN-Robert Well-Known Member

    Probably a script was compromised. Have a look at the logs; they will tell you where the mail is coming from.
     
  3. mahdionline

    mahdionline Well-Known Member

    How can I detect and find this script and its owner (account)?

    Regards
     
  4. MN-Robert

    MN-Robert Well-Known Member

    tail -f /var/log/exim_mainlog

    or if you know what the spam is

    grep spam /var/log/exim_mainlog

    or hire a system admin.
     
  5. chirpy

    chirpy Well-Known Member

    Yup. Enabling some extended exim logging might help you track down the offending script if they're coming from the nobody account.
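
Added example (not part of the original thread or any poster's own code): one way to do the log review suggested above, assuming Exim's log_selector includes +arguments so that each local invocation is logged with a cwd= field, and that locally submitted messages appear as <= lines carrying U= and P=local. The sample log lines, account names and hosts are constructed.

```bash
#!/usr/bin/env bash
# Constructed exim_mainlog-style lines (accounts, hosts and IDs are made up).
sample_log() {
cat <<'EOF'
2006-02-24 10:15:01 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:15:01 1FCaaa-0001aB-2K <= nobody@host.example.com U=nobody P=local S=1204
2006-02-24 10:15:02 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:15:02 1FCaab-0001aC-3L <= nobody@host.example.com U=nobody P=local S=1198
2006-02-24 10:15:09 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2006-02-24 10:16:30 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:16:30 1FCaac-0001aD-4M <= bob@host.example.com U=bob P=local S=873
2006-02-24 10:17:44 1FCaad-0001aE-5N <= carol@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2210
EOF
}

# Tally the working directory of each local exim/sendmail invocation (cwd=
# lines). Queue runners and the daemon (cwd "/" or /var/spool/exim) are
# skipped. Paths containing spaces are cut at the first space.
top_cwd() {
  awk '{
    for (i = 3; i <= NF; i++)
      if ($i ~ /^cwd=/) {
        d = substr($i, 5)
        if (d != "/" && d !~ /^\/var\/spool\/exim/) n[d]++
      }
  }
  END { for (d in n) print n[d], d }' | sort -k1,1nr -k2
}

# Tally the local account (U=) behind each locally submitted message.
top_local_users() {
  awk '$4 == "<=" && / P=local( |$)/ {
    for (i = 5; i <= NF; i++)
      if ($i ~ /^U=/) n[substr($i, 3)]++
  }
  END { for (u in n) print n[u], u }' | sort -k1,1nr -k2
}

# Usage: ./script.sh /var/log/exim_mainlog   (no argument: use the sample)
input() { if [ -n "${1:-}" ]; then cat "$1"; else sample_log; fi; }
echo "== invocations per working directory =="; input "$@" | top_cwd
echo "== local submissions per account ==";     input "$@" | top_local_users
```

When scripts run as nobody, the second list only shows nobody, so the directory under /home/ that dominates the first list is what identifies the account and the location of the script.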
     