#1
23rd January 2007, 12:03
Morons
Out of Control :(

Hi,
Symptoms:
  1. The ssh client and https://host.tld:81 take ages to log in, if ever! We cannot add / manage this server!
  2. Funny processes running - lots of spamassassin spawned!
  3. Pop3 [xinetd] seems ok so does smtp!

Code:
 6603 ?        Ss     0:00 /usr/bin/procmail -f-
 6613 ?        Z      0:00 [sh] <defunct>
 6627 ?        S      0:00 /usr/bin/procmail -f-
 6628 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6630 ?        Ss     0:00 /usr/bin/procmail -f-
 6632 ?        Ss     0:00 /usr/bin/procmail -f-
 6633 ?        Z      0:00 [sh] <defunct>
 6643 ?        Z      0:00 [sh] <defunct>
 6675 ?        S      0:00 /usr/bin/procmail -f-
 6676 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6677 ?        S      0:00 /usr/bin/procmail -f-
 6678 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6683 ?        Ss     0:00 /usr/bin/procmail -f-
 6691 ?        Ss     0:00 /usr/bin/procmail -f-
 6693 ?        Z      0:00 [sh] <defunct>
 6714 ?        S      0:00 /bin/bash /etc/rc5.d/S92httpd start
 6729 ?        S      0:00 /usr/bin/procmail -f-
 6730 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6740 ?        Ss     0:00 /usr/bin/procmail -f-
 6743 ?        S      0:00 /usr/bin/procmail -f-
 6744 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6749 ?        Z      0:00 [sh] <defunct>
 6887 ?        Ss     0:00 /usr/bin/procmail -f-
 6891 ?        S      0:00 /usr/bin/procmail -f-
 6892 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6895 ?        Z      0:00 [sh] <defunct>
 6901 ?        S      0:00 initlog -q -c /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_SSL -DHAVE_S
 6909 ?        D      0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_SSL -DHAVE_SUEXEC -DHAVE_A
 6919 ?        Ss     0:00 /usr/bin/procmail -f-
 6925 ?        S      0:00 /usr/bin/procmail -f-
 6926 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6932 ?        Ss     0:00 /usr/bin/procmail -f-
 6938 ?        Z      0:00 [sh] <defunct>
 6941 ?        S      0:00 /usr/bin/procmail -f-
 6942 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 6957 ?        Ss     0:00 /usr/bin/procmail -f-
 6964 ?        Ss     0:00 /usr/bin/procmail -f-
 6966 ?        Ss     0:00 /usr/bin/procmail -f-
 6967 ?        Ss     0:00 /usr/bin/procmail -f-
 6987 ?        Z      0:00 [sh] <defunct>
 6998 ?        Z      0:00 [sh] <defunct>
 7004 ?        S      0:00 /usr/bin/procmail -f-
 7005 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7014 ?        S      0:00 /usr/bin/procmail -f-
 7015 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7019 ?        S      0:00 /usr/bin/procmail -f-
 7020 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7030 ?        Ss     0:00 /usr/bin/procmail -f-
 7031 ?        Ss     0:00 /usr/bin/procmail -f-
 7032 ?        S      0:00 /usr/bin/procmail -f-
 7033 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7034 ?        S      0:00 /usr/bin/procmail -f-
 7035 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7045 ?        Z      0:00 [sh] <defunct>
 7049 ?        Z      0:00 [sh] <defunct>
 7065 ?        S      0:00 /usr/bin/procmail -f-
 7066 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7067 ?        S      0:00 /usr/bin/procmail -f-
 7068 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7075 ?        Ss     0:00 /usr/bin/procmail -f-
 7077 ?        Ss     0:00 /usr/bin/procmail -f-
 7080 ?        Z      0:00 [sh] <defunct>
 7081 ?        Z      0:00 [sh] <defunct>
 7096 ?        S      0:00 [pdflush]
 7118 ?        S      0:00 /usr/bin/procmail -f-
 7119 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7120 ?        S      0:00 /usr/bin/procmail -f-
 7121 ?        D      0:00 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7147 ?        Ss     0:00 /usr/bin/procmail -f-
 7158 ?        Z      0:00 [sh] <defunct>
 7164 ?        Ss     0:00 /usr/bin/procmail -f-
 7168 ?        Z      0:00 [sh] <defunct>
 7171 ?        S      0:00 /usr/bin/procmail -f-
 7172 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7181 ?        S      0:00 /usr/bin/procmail -f-
 7182 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7183 ?        Ss     0:00 /usr/bin/procmail -f-
 7189 ?        Z      0:00 [sh] <defunct>
 7209 ?        S      0:00 /usr/bin/procmail -f-
 7210 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
 7258 ?        S      0:00 /usr/sbin/advxsplitlogfile-DIET
 7259 ?        S      0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_
 7260 ?        S      0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_
 7271 ?        S      0:00 smtpd -n smtp -t inet -u

#2
23rd January 2007, 18:20
mlz

Are you being mail-bombed/hacked? The defunct sh sessions are probably stuck logins from you trying to log in. What is your load average?

#3
24th January 2007, 09:05
Morons

My suspicion also; give me some pointers on how to search for the source, so I can get them blocked upstream!

#4
24th January 2007, 10:13
till

Log in with SSH, stop postfix and then inspect the mail logfile to see where these mails are coming from.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
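
The log inspection suggested in post #4, as an added example that is not part of the original thread: it ranks SMTP clients in a Postfix log by queued messages and connections, so the noisiest source addresses can be reported upstream. The function names and the sample log are constructed; it assumes standard Postfix smtpd syslog lines, and the log path (for example /var/log/mail.log or /var/log/maillog) depends on the distribution.

```shell
#!/bin/sh
# Added example: rank SMTP clients in a Postfix log by queued messages.

# Constructed sample in Postfix syslog format (RFC 5737 documentation IPs).
sample_log() {
cat <<'EOF'
Jan 23 11:58:01 host postfix/smtpd[6601]: connect from unknown[192.0.2.15]
Jan 23 11:58:01 host postfix/smtpd[6601]: 3F2A1B4C01: client=unknown[192.0.2.15]
Jan 23 11:58:02 host postfix/smtpd[6611]: connect from unknown[192.0.2.15]
Jan 23 11:58:02 host postfix/smtpd[6611]: 3F2A1B4C02: client=unknown[192.0.2.15]
Jan 23 11:58:03 host postfix/smtpd[6625]: connect from mx.example.org[198.51.100.7]
Jan 23 11:58:03 host postfix/smtpd[6625]: 3F2A1B4C03: client=mx.example.org[198.51.100.7]
Jan 23 11:58:04 host postfix/smtpd[6630]: connect from unknown[203.0.113.9]
Jan 23 11:58:04 host postfix/smtpd[6630]: disconnect from unknown[203.0.113.9]
Jan 23 11:58:05 host postfix/smtpd[6640]: connect from unknown[192.0.2.15]
Jan 23 11:58:05 host postfix/smtpd[6640]: 3F2A1B4C04: client=unknown[192.0.2.15]
Jan 23 11:58:06 host postfix/smtpd[6650]: connect from unknown[203.0.113.9]
EOF
}

# Print "messages connections ip" per client, busiest first.
# Reads the files given as arguments, or stdin when there are none.
mail_sources() {
  awk '
    /postfix\/smtpd\[[0-9]+\]: / && (/: connect from / || /: client=/) {
      # The client address is the last [...] group on the line.
      s = $0
      while ((i = index(s, "[")) > 0) s = substr(s, i + 1)
      sub(/\].*$/, "", s)
      if ($0 ~ /: client=/) msgs[s]++   # a message was accepted into the queue
      else conns[s]++                    # a TCP connection was opened
      seen[s] = 1
    }
    END { for (ip in seen) printf "%d %d %s\n", msgs[ip], conns[ip], ip }
  ' "$@" | sort -k1,1nr -k2,2nr -k3,3
}

# Stand-alone run: analyse the given log files, or the constructed sample.
if [ "$#" -gt 0 ]; then
  mail_sources "$@"
else
  sample_log | mail_sources
fi
```

An address with many connections but no queued messages (the third row of the sample output) is still worth noting, since connection floods alone can exhaust smtpd processes.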

#5
24th January 2007, 13:25
Morons

Yes, it was a mail DoS attack; the upstream provider closed the relevant IPs and we run smoothly again. The funny part is that they had the same on their servers and did not acknowledge the fact, because their competition will misuse these facts to advertise against them.
All times are GMT +2.