Hi,

Symptoms: ssh client and https://host.tld:81 take ages to log in, if ever! We cannot add / manage this server! Funny processes running - lots of spamassassin spawned! Pop3 [xinetd] seems OK, so does smtp!

Code:
6603 ? Ss 0:00 /usr/bin/procmail -f-
6613 ? Z 0:00 [sh] <defunct>
6627 ? S 0:00 /usr/bin/procmail -f-
6628 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6630 ? Ss 0:00 /usr/bin/procmail -f-
6632 ? Ss 0:00 /usr/bin/procmail -f-
6633 ? Z 0:00 [sh] <defunct>
6643 ? Z 0:00 [sh] <defunct>
6675 ? S 0:00 /usr/bin/procmail -f-
6676 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6677 ? S 0:00 /usr/bin/procmail -f-
6678 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6683 ? Ss 0:00 /usr/bin/procmail -f-
6691 ? Ss 0:00 /usr/bin/procmail -f-
6693 ? Z 0:00 [sh] <defunct>
6714 ? S 0:00 /bin/bash /etc/rc5.d/S92httpd start
6729 ? S 0:00 /usr/bin/procmail -f-
6730 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6740 ? Ss 0:00 /usr/bin/procmail -f-
6743 ? S 0:00 /usr/bin/procmail -f-
6744 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6749 ? Z 0:00 [sh] <defunct>
6887 ? Ss 0:00 /usr/bin/procmail -f-
6891 ? S 0:00 /usr/bin/procmail -f-
6892 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6895 ? Z 0:00 [sh] <defunct>
6901 ? S 0:00 initlog -q -c /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_SSL -DHAVE_S
6909 ? D 0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_SSL -DHAVE_SUEXEC -DHAVE_A
6919 ? Ss 0:00 /usr/bin/procmail -f-
6925 ? S 0:00 /usr/bin/procmail -f-
6926 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6932 ? Ss 0:00 /usr/bin/procmail -f-
6938 ? Z 0:00 [sh] <defunct>
6941 ? S 0:00 /usr/bin/procmail -f-
6942 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
6957 ? Ss 0:00 /usr/bin/procmail -f-
6964 ? Ss 0:00 /usr/bin/procmail -f-
6966 ? Ss 0:00 /usr/bin/procmail -f-
6967 ? Ss 0:00 /usr/bin/procmail -f-
6987 ? Z 0:00 [sh] <defunct>
6998 ? Z 0:00 [sh] <defunct>
7004 ? S 0:00 /usr/bin/procmail -f-
7005 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7014 ? S 0:00 /usr/bin/procmail -f-
7015 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7019 ? S 0:00 /usr/bin/procmail -f-
7020 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7030 ? Ss 0:00 /usr/bin/procmail -f-
7031 ? Ss 0:00 /usr/bin/procmail -f-
7032 ? S 0:00 /usr/bin/procmail -f-
7033 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7034 ? S 0:00 /usr/bin/procmail -f-
7035 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7045 ? Z 0:00 [sh] <defunct>
7049 ? Z 0:00 [sh] <defunct>
7065 ? S 0:00 /usr/bin/procmail -f-
7066 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7067 ? S 0:00 /usr/bin/procmail -f-
7068 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7075 ? Ss 0:00 /usr/bin/procmail -f-
7077 ? Ss 0:00 /usr/bin/procmail -f-
7080 ? Z 0:00 [sh] <defunct>
7081 ? Z 0:00 [sh] <defunct>
7096 ? S 0:00 [pdflush]
7118 ? S 0:00 /usr/bin/procmail -f-
7119 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7120 ? S 0:00 /usr/bin/procmail -f-
7121 ? D 0:00 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7147 ? Ss 0:00 /usr/bin/procmail -f-
7158 ? Z 0:00 [sh] <defunct>
7164 ? Ss 0:00 /usr/bin/procmail -f-
7168 ? Z 0:00 [sh] <defunct>
7171 ? S 0:00 /usr/bin/procmail -f-
7172 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7181 ? S 0:00 /usr/bin/procmail -f-
7182 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7183 ? Ss 0:00 /usr/bin/procmail -f-
7189 ? Z 0:00 [sh] <defunct>
7209 ? S 0:00 /usr/bin/procmail -f-
7210 ? D 0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
7258 ? S 0:00 /usr/sbin/advxsplitlogfile-DIET
7259 ? S 0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_
7260 ? S 0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_
7271 ? S 0:00 smtpd -n smtp -t inet -u
Are you being mail-bombed/hacked? The defunct sh sessions are probably stuck logins from you trying to log in. What is your load average?
My suspicion also; give me some pointers on how to search for the source, so I can get them blocked upstream!
Yes, it was a mail DoS attack; the upstream provider closed the relevant IPs and we run smoothly again. The funny part is that they had the same on their servers and did not acknowledge the fact, because competitors of theirs would misuse these facts to advertise against them.
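One way to do the triage asked about in the thread, as an added example that is not part of any post: summarise process states from a `ps ax` listing and rank SMTP client IPs by connection count. It assumes the MTA is Postfix (suggested by the `smtpd -n smtp -t inet -u` process) writing its stock syslog lines; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.
LC_ALL=C; export LC_ALL

# Count processes per (state letter, command name) from `ps ax` on stdin.
# D = uninterruptible I/O wait, Z = zombie: a pile of either behind the
# mail filter points at delivery overload, not one runaway process.
ps_state_summary() {
    awk '$1 ~ /^[0-9]+$/ {
             cmd = $5; sub(/.*\//, "", cmd)        # strip the directory
             n[substr($3, 1, 1) " " cmd]++
         }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Rank SMTP client IPs by connection count from Postfix syslog lines on
# stdin. Assumes the stock "smtpd[pid]: connect from host[ip]" format.
top_smtp_clients() {
    sed -n 's/.*smtpd\[[0-9]*\]: connect from [^[]*\[\([^]]*\)\].*/\1/p' |
        sort | uniq -c | sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

sample_ps() { cat <<'EOF'
 6613 ?  Z   0:00 [sh] <defunct>
 6627 ?  S   0:00 /usr/bin/procmail -f-
 6628 ?  D   0:01 /usr/bin/perl5.8.7 -T -w /path/to/spamassassin
 6630 ?  Ss  0:00 /usr/bin/procmail -f-
 6633 ?  Z   0:00 [sh] <defunct>
 6676 ?  D   0:01 /usr/bin/perl5.8.7 -T -w /path/to/spamassassin
 6678 ?  D   0:01 /usr/bin/perl5.8.7 -T -w /path/to/spamassassin
EOF
}

sample_log() { cat <<'EOF'
Jan 10 03:12:01 host postfix/smtpd[7271]: connect from unknown[192.0.2.10]
Jan 10 03:12:01 host postfix/smtpd[7272]: connect from unknown[192.0.2.10]
Jan 10 03:12:02 host postfix/smtpd[7273]: connect from mx.example.net[203.0.113.5]
Jan 10 03:12:02 host postfix/smtpd[7271]: disconnect from unknown[192.0.2.10]
Jan 10 03:12:03 host postfix/smtpd[7274]: connect from unknown[192.0.2.10]
EOF
}

sample_ps  | ps_state_summary     # busiest (state, command) pairs first
sample_log | top_smtp_clients     # heaviest-connecting client IPs first
```

On a live host, pipe `ps ax` and the MTA's log file into the two functions instead of the sample data; the top entries of the second list are the addresses to hand to the upstream provider.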