gam_server??

Discussion in 'General' started by esezako, Jun 23, 2010.

  1. esezako

    esezako New Member

    Hi, emails users of ispconfig are used to send spam days ago.

    After change passwords of this users stop spam, but in top always appear this:

    Code:
    
      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                                        
    11952 web26_au  20   0  2564 1136  984 S    0  0.0   0:00.00 gam_server                                                                                      
    11956 web26_ba  20   0  2564 1132  984 S    0  0.0   0:00.00 gam_server                                                                                      
    11974 web26_ba  20   0  3412 1024  836 S    0  0.0   0:00.12 imapd                                                                                           
    12065 web26_au  20   0  3412 1040  840 S    0  0.0   0:00.10 imapd           
    
    what is gam_server?
    is the server hacked?
     
  2. Mark_NL

    Mark_NL New Member

    From the website http://people.gnome.org/~veillard/gamin/
     
  3. esezako

    esezako New Member

    OK, and why always this users are in top output?
     
  4. Mark_NL

    Mark_NL New Member

    You can always see those in top, since it's a process that's running .. :/
     
  5. esezako

    esezako New Member

    minimun 2 days
     
  6. esezako

    esezako New Member

    i kill this process but this reappear
     
  7. Mark_NL

    Mark_NL New Member

    is it causing you problems then? You can just let it run ..
     
  8. esezako

    esezako New Member

    But only appear process for users of web26 (i have > 200 sites) and not finished never.

    Why?
     
  9. falko

    falko Super Moderator ISPConfig Developer

    Is it maybe started by a cron job?
     
  10. esezako

    esezako New Member

    i think not.

    crontab -l

    Code:
    30 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/logs.php &> /dev/null
    59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/ftp_logs.php &> /dev/null
    59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/mail_logs.php &> /dev/null
    59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/cleanup.php &> /dev/null
    0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/webalizer.php &> /dev/null
    0,30 * * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/check_services.php &> /dev/null
    15 3,15 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/quota_msg.php &> /dev/null
    40 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/traffic.php &> /dev/null
    05 02 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/backup.php &> /dev/null
    0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/awstats.php &> /dev/null
    
    
     
  11. esezako

    esezako New Member

    any more ideas?
    i don't know why success this
     
  12. falko

    falko Super Moderator ISPConfig Developer

    Did you check the cron directories inside /etc?
     
  13. esezako

    esezako New Member

    nothing in all crons
     
  14. falko

    falko Super Moderator ISPConfig Developer

    Do you have monit installed? Maybe it is restarted by monit.
     
  15. esezako

    esezako New Member

    I have not installed monit
     
  16. esezako

    esezako New Member

  17. falko

    falko Super Moderator ISPConfig Developer

    I'm running out of ideas... :(
     
  18. esezako

    esezako New Member

    But you think the server its hacked?
     
  19. falko

    falko Super Moderator ISPConfig Developer

    Not sure. Did you run rkhunter and chkrootkit?
     
  20. esezako

    esezako New Member

    Yes, and two pass ok
     

Share This Page