Anyone Good With Linux Servers?


sotal

One of my old Linux webservers is playing up.

This is what I have gathered so far:

Qmail-send is running all the time - a lot higher than usual

the mail logs are empty

the secure logs are full of xinetd starting SMTP from a remote address

Sorry I know this is a car forum, but after 6 hours of staring at a Shell and starting to think I'm completely retarded - I'm getting desperate! :thumbsup:



My flat mate is good with Linux, but I think he just joined TOC to flick me crap for fun. I'll see if I can get him to post on here with some help for you though.


OK, Skeeva says it sounds like something fishy is going on. Drop the route to that remote IP address if it's not an IP that you know.



Matt - No it's not an open relay

scionic - it seems to be lots of different addresses rather than just one

if I stop the xinetd service then it carries on with a server load of about 3.00, if I stop the qmail service then the server load instantly drops to about 0.20 which is what it usually is.

If I execute "top" then qmail-send is at the top and varies between 1% and 6% cpu load all the time.

The entries in the secure log are only showing at about 2 per minute which doesn't seem enough to get the server load up???
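
The post above describes xinetd SMTP starts showing up in the secure log at about two per minute from many different addresses. As an added example (not part of the thread), this shell script totals such entries per source and per minute; the log line shape is assumed to be xinetd's usual syslog format, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise xinetd SMTP session starts
# in a "secure" log by rate and by source address.
# Assumed line shape (xinetd syslog format):
#   Mon DD HH:MM:SS host xinetd[PID]: START: smtp pid=N from=ADDR

# Print "count address" for every source, busiest first.
smtp_sources() {
    awk '/xinetd\[[0-9]+\]: START: smtp / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^from=/) { ip = substr($i, 6); sub(/^::ffff:/, "", ip); n[ip]++ }
    }
    END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Print one line: total starts, distinct sources, busiest single minute.
smtp_rate() {
    awk '/xinetd\[[0-9]+\]: START: smtp / {
        total++
        minute = $1 " " $2 " " substr($3, 1, 5)
        if (++per_min[minute] > peak) peak = per_min[minute]
        for (i = 1; i <= NF; i++)
            if ($i ~ /^from=/) {
                ip = substr($i, 6); sub(/^::ffff:/, "", ip)   # fold IPv4-mapped form
                if (!seen[ip]++) sources++
            }
    }
    END { printf "total=%d sources=%d peak_per_minute=%d\n", total, sources, peak }' "$1"
}

# Constructed sample log (documentation address ranges), not real data.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 web1 xinetd[812]: START: smtp pid=4101 from=192.0.2.10
Mar  3 10:15:03 web1 xinetd[812]: EXIT: smtp status=0 pid=4101 duration=1(sec)
Mar  3 10:15:31 web1 xinetd[812]: START: smtp pid=4102 from=198.51.100.7
Mar  3 10:16:05 web1 sshd[4110]: Accepted password for admin from 203.0.113.5 port 50212 ssh2
Mar  3 10:16:12 web1 xinetd[812]: START: smtp pid=4115 from=::ffff:192.0.2.10
Mar  3 10:16:40 web1 xinetd[812]: START: smtp pid=4120 from=203.0.113.44
Mar  3 10:16:58 web1 xinetd[812]: START: smtp pid=4124 from=198.51.100.7
Mar  3 10:17:20 web1 xinetd[812]: START: smtp pid=4130 from=192.0.2.10
EOF
}

log=$(mktemp)
sample_log > "$log"
smtp_rate "$log"
smtp_sources "$log"
rm -f "$log"
```

A handful of sources that account for most of the starts, or a busiest minute far above the average, is the pattern to compare against the server's normal mail volume.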


PM me the external address if you like dude I can do a penetration test on the server.... awaits the jokes


> if I stop the xinetd service then it carries on with a server load of about 3.00, if I stop the qmail service then the server load instantly drops to about 0.20 which is what it usually is.
>
> If I execute "top" then qmail-send is at the top and varies between 1% and 6% cpu load all the time.
>
> The entries in the secure log are only showing at about 2 per minute which doesn't seem enough to get the server load up???

so- the problem is qmail - not xinetd.

when you restart qmail - the load shoots up again?


OK from what I can figure,

It should be logging in the secure log as it is because xinetd is set up to handle smtp - so that's ok

The amount of messages being logged doesn't seem extraordinarily high, but I would say it was higher than expected on this machine

So I'm still stumped as to why qmail-send is hogging so much cpu and making the server load go high :wacko:


Matt - Yes the problem seems to be with qmail and yes the load shoots straight back up again when I start qmail back up again.

Very odd


The queue currently has 5 messages in it, but 5 are not yet preprocessed.

Which seems strange - for the last hour or so at least the 1st number changes and has gone down to 2 at one point, but the number of not yet preprocessed ones has been 5 all the time:


# ./qmail-qstat
messages in queue: 5
messages in queue but not yet preprocessed: 5


After spending all day (well since 10am) on this I think I may have found what it was.

Somehow a load of bounce emails had accumulated and were bouncing backwards and forwards in a never ending cycle.

I'm not entirely sure it is sorted 100% as it seems strange that, that many emails got bounced. So it could well be that an exploit is being used to send mail from my server (at 2/minute or whatever) and these are all the bounces which are coming back.

Since deleting all the bounce files the server load has dropped to about 0.17 which is good.

Well I'll spend a bit of time looking for a way that somebody is sending mail. Any ideas would be gratefully appreciated,

thanks :thumbsup:


do a search on your machine for "formmail" or "FormMail"

spammers will send mail through your server using these scripts as the formmail script has a huge security hole.



is it a private server or hosting other websites??


also try linuxquestions.org mate


Sorry for the slow replies.

It is a semi-private server, I vet which sites are allowed on etc and check them for exploits.

There are 2 nuke sites, both with the webmail module removed and kept up-to-date along with the sentinel security tools for nuke.

I haven't had any more strange server load and everything looks OK. I have rerouted the bounce messages to my gmail account and they go straight into the spam box on there, and there are only 5. I think maybe they had just been gathering?? There was 2.5Gig of them though! :eek:

@knowlson - did you ever manage to send me that report? I never received it - no hurry though!

:thumbsup:
