
server Busy - IS EXIM HACKED ?

Discussion in 'General Discussion' started by mahdionline, Feb 24, 2006.

  1. mahdionline

    mahdionline Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    166
    Hi
    Our server became very busy 3 days ago. I see in WHM that exim -q is the top (heaviest) process in the system.

    I think someone is using our mail server to send mail or ... :confused:

    I shut down Exim with the "service Exim stop" command, but after a short time I saw Exim started again. Then I renamed /usr/sbin/exim and saw the server return to a normal situation.

    What should I do about this problem? Is this a DoS attack?

    Regards
     
  2. MN-Robert

    MN-Robert Well-Known Member

    Joined:
    Feb 19, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    166
    Probably a script was compromised; have a look at the logs, they will tell you where the mail is coming from.
     
  3. mahdionline

    mahdionline Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    166
    How can I detect and find this script and its owner (account)?

    Regards
     
  4. MN-Robert

    MN-Robert Well-Known Member

    Joined:
    Feb 19, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    166
    tail -f /var/log/exim_mainlog

    or, if you know what the spam is,

    grep spam /var/log/exim_mainlog

    or hire a system admin.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Yup. Enabling some extended Exim logging might help you track down the offending script if the mails are coming from the nobody account.
     
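The two replies above amount to one procedure: read /var/log/exim_mainlog, see which local user is injecting the mail, and (with extended logging) which directory the injecting script runs from. The script below is an added example written for this thread, not cPanel's or Exim's own tooling, that does that aggregation over a constructed sample of log lines. It assumes two line shapes: the standard "<=" receipt line, where a locally submitted message carries "U=<user>" and a message received over SMTP carries "H=<host>" instead, and the "cwd=<dir> N args: ..." line that Exim writes for local submissions when log_selector includes +arguments (taken here to be what "extended logging" means). The sample users, paths and message IDs are invented.

```python
"""Summarise who is injecting mail into Exim, from exim_mainlog-style lines.

Added example for the cPanel forum thread; not cPanel's or Exim's own code.
Assumptions: '<=' receipt lines carry 'U=<user>' for locally submitted mail
and 'H=...' for mail received over SMTP; 'cwd=<dir> N args: ...' lines are
present because log_selector includes +arguments, and each one is written
immediately before the '<=' line of the message it belongs to.
"""
import re
from collections import Counter

# Constructed sample in exim_mainlog style; not taken from any real server.
SAMPLE_LOG = """\
2006-02-24 10:15:01 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:15:01 1FCAbC-0001a2-3x <= alice@example.com U=alice P=local S=812
2006-02-24 10:15:02 cwd=/home/bob/public_html/formmail 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:15:02 1FCAbD-0001a4-7y <= www-data@host.example.com U=nobody P=local S=2140
2006-02-24 10:15:02 cwd=/home/bob/public_html/formmail 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:15:02 1FCAbE-0001a6-1z <= www-data@host.example.com U=nobody P=local S=2140
2006-02-24 10:15:03 cwd=/home/bob/public_html/formmail 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:15:03 1FCAbF-0001a8-5q <= www-data@host.example.com U=nobody P=local S=2140
2006-02-24 10:15:04 1FCAbG-0001b0-2r <= carol@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=3301
2006-02-24 10:15:05 cwd=/home/bob/public_html/formmail 3 args: /usr/sbin/sendmail -t -i
2006-02-24 10:15:05 1FCAbH-0001b2-8s <= www-data@host.example.com U=nobody P=local S=2140
"""

# "<date> <time> <message-id> <= <sender> <details>"
RECEIPT_RE = re.compile(r"^\S+ \S+ (\S+) <= (\S+) (.*)$")
# "<date> <time> cwd=<dir> <n> args: <argv>"  (log_selector = +arguments)
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (.*)$")
USER_RE = re.compile(r"\bU=(\S+)")


def summarize(log_text):
    """Count locally injected messages per Unix user and per working
    directory, and count messages that arrived over SMTP separately."""
    by_user = Counter()
    by_cwd = Counter()
    remote = 0
    last_cwd = None  # cwd line logged just before the matching '<=' line
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group(1)
            continue
        m = RECEIPT_RE.match(line)
        if not m:
            continue  # delivery ('=>'), completion or other lines
        details = m.group(3)
        u = USER_RE.search(details)
        if u is None:
            remote += 1  # H=... : received over SMTP, not a local script
            last_cwd = None
            continue
        by_user[u.group(1)] += 1
        if last_cwd is not None:
            by_cwd[last_cwd] += 1  # attributed by adjacency (assumption)
            last_cwd = None
    return {"by_user": by_user, "by_cwd": by_cwd, "remote": remote}


def flag_local_senders(summary, threshold=3):
    """Local users whose injected-message count reaches the threshold,
    busiest first. 'nobody' here means a web script under the web server."""
    return [(user, n) for user, n in summary["by_user"].most_common()
            if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("messages per local user:", dict(s["by_user"]))
    print("messages per script directory:", dict(s["by_cwd"]))
    print("received over SMTP:", s["remote"])
    print("heavy local senders:", flag_local_senders(s))
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog. A large "nobody" count points at a web script, and the cwd directory names the account whose script to inspect; the SMTP count is kept apart because remote mail says nothing about a local script.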