Out of Control :(

Discussion in 'Tips/Tricks/Mods' started by Morons, Jan 23, 2007.

  1. Morons

    Morons Member

    Hi, :(
    Symptoms:
    1. The ssh client and https://host.tld:81 take ages to log in, if ever! We cannot add / manage this server!
    2. Funny processes running - lots of spamassassin spawned!
    3. POP3 [xinetd] seems OK, so does SMTP!

    Code:
     6603 ?        Ss     0:00 /usr/bin/procmail -f-
     6613 ?        Z      0:00 [sh] <defunct>
     6627 ?        S      0:00 /usr/bin/procmail -f-
     6628 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6630 ?        Ss     0:00 /usr/bin/procmail -f-
     6632 ?        Ss     0:00 /usr/bin/procmail -f-
     6633 ?        Z      0:00 [sh] <defunct>
     6643 ?        Z      0:00 [sh] <defunct>
     6675 ?        S      0:00 /usr/bin/procmail -f-
     6676 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6677 ?        S      0:00 /usr/bin/procmail -f-
     6678 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6683 ?        Ss     0:00 /usr/bin/procmail -f-
     6691 ?        Ss     0:00 /usr/bin/procmail -f-
     6693 ?        Z      0:00 [sh] <defunct>
     6714 ?        S      0:00 /bin/bash /etc/rc5.d/S92httpd start
     6729 ?        S      0:00 /usr/bin/procmail -f-
     6730 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6740 ?        Ss     0:00 /usr/bin/procmail -f-
     6743 ?        S      0:00 /usr/bin/procmail -f-
     6744 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6749 ?        Z      0:00 [sh] <defunct>
     6887 ?        Ss     0:00 /usr/bin/procmail -f-
     6891 ?        S      0:00 /usr/bin/procmail -f-
     6892 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6895 ?        Z      0:00 [sh] <defunct>
     6901 ?        S      0:00 initlog -q -c /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_SSL -DHAVE_S
     6909 ?        D      0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_SSL -DHAVE_SUEXEC -DHAVE_A
     6919 ?        Ss     0:00 /usr/bin/procmail -f-
     6925 ?        S      0:00 /usr/bin/procmail -f-
     6926 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6932 ?        Ss     0:00 /usr/bin/procmail -f-
     6938 ?        Z      0:00 [sh] <defunct>
     6941 ?        S      0:00 /usr/bin/procmail -f-
     6942 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     6957 ?        Ss     0:00 /usr/bin/procmail -f-
     6964 ?        Ss     0:00 /usr/bin/procmail -f-
     6966 ?        Ss     0:00 /usr/bin/procmail -f-
     6967 ?        Ss     0:00 /usr/bin/procmail -f-
     6987 ?        Z      0:00 [sh] <defunct>
     6998 ?        Z      0:00 [sh] <defunct>
     7004 ?        S      0:00 /usr/bin/procmail -f-
     7005 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7014 ?        S      0:00 /usr/bin/procmail -f-
     7015 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7019 ?        S      0:00 /usr/bin/procmail -f-
     7020 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7030 ?        Ss     0:00 /usr/bin/procmail -f-
     7031 ?        Ss     0:00 /usr/bin/procmail -f-
     7032 ?        S      0:00 /usr/bin/procmail -f-
     7033 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7034 ?        S      0:00 /usr/bin/procmail -f-
     7035 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7045 ?        Z      0:00 [sh] <defunct>
     7049 ?        Z      0:00 [sh] <defunct>
     7065 ?        S      0:00 /usr/bin/procmail -f-
     7066 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7067 ?        S      0:00 /usr/bin/procmail -f-
     7068 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7075 ?        Ss     0:00 /usr/bin/procmail -f-
     7077 ?        Ss     0:00 /usr/bin/procmail -f-
     7080 ?        Z      0:00 [sh] <defunct>
     7081 ?        Z      0:00 [sh] <defunct>
     7096 ?        S      0:00 [pdflush]
     7118 ?        S      0:00 /usr/bin/procmail -f-
     7119 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7120 ?        S      0:00 /usr/bin/procmail -f-
     7121 ?        D      0:00 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7147 ?        Ss     0:00 /usr/bin/procmail -f-
     7158 ?        Z      0:00 [sh] <defunct>
     7164 ?        Ss     0:00 /usr/bin/procmail -f-
     7168 ?        Z      0:00 [sh] <defunct>
     7171 ?        S      0:00 /usr/bin/procmail -f-
     7172 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7181 ?        S      0:00 /usr/bin/procmail -f-
     7182 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7183 ?        Ss     0:00 /usr/bin/procmail -f-
     7189 ?        Z      0:00 [sh] <defunct>
     7209 ?        S      0:00 /usr/bin/procmail -f-
     7210 ?        D      0:01 /usr/bin/perl5.8.7 -T -w /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --prefs-file=/var/w
     7258 ?        S      0:00 /usr/sbin/advxsplitlogfile-DIET
     7259 ?        S      0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_
     7260 ?        S      0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_
     7271 ?        S      0:00 smtpd -n smtp -t inet -u
    
     
  2. mlz

    mlz Member

    Are you being mail-bombed/hacked? The defunct sh sessions are probably stuck logins from you trying to log in. What is your load average?
     
  3. Morons

    Morons Member

    My suspicion also. Give me some pointers on how to search for the source, so I can get them blocked upstream!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Login with SSH, stop postfix and then inspect the mail logfile where these mails are coming from.
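
The log inspection suggested above, as an added example that is not part of the original post: it counts Postfix `smtpd` "connect from" lines per client IP and lists the addresses at or above a threshold, which is the list to hand to an upstream provider. The function names, the sample log lines and the log path in the comment are assumptions; the sample lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example: find the noisiest SMTP clients in a Postfix mail log.
# Real use (log path is an assumption, it varies by distribution):
#   smtp_sources_over 100 < /var/log/maillog

# Print "count ip" for every client with at least $1 smtpd connections,
# busiest first. Reads the mail log on stdin.
smtp_sources_over() {
    threshold="$1"
    awk -v min="$threshold" '
        # Only smtpd "connect from host[ip]" lines; "disconnect from" is skipped
        # because the pattern requires "]: connect".
        /postfix\/smtpd\[[0-9]+\]: connect from / {
            c = $NF                      # client is logged as hostname[ip]
            o = index(c, "[")
            e = index(c, "]")
            if (o && e > o) count[substr(c, o + 1, e - o - 1)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (not taken from the affected server).
sample_maillog() {
    cat <<'EOF'
Jan 23 10:15:01 mail postfix/smtpd[6603]: connect from unknown[203.0.113.7]
Jan 23 10:15:01 mail postfix/smtpd[6604]: connect from unknown[203.0.113.7]
Jan 23 10:15:02 mail postfix/smtpd[6605]: connect from mx.example.org[198.51.100.20]
Jan 23 10:15:02 mail postfix/smtpd[6606]: connect from unknown[203.0.113.7]
Jan 23 10:15:03 mail postfix/smtpd[6603]: disconnect from unknown[203.0.113.7]
Jan 23 10:15:03 mail postfix/smtpd[6607]: connect from unknown[203.0.113.9]
Jan 23 10:15:04 mail postfix/smtpd[6608]: connect from unknown[203.0.113.9]
Jan 23 10:15:04 mail postfix/smtpd[6609]: connect from unknown[203.0.113.7]
EOF
}

# Demo on the constructed sample: clients with 2 or more connections.
sample_maillog | smtp_sources_over 2
```
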
     
  5. Morons

    Morons Member

    Yes, it was a mail DoS attack; the upstream provider closed the relevant IPs and we run smoothly again. The funny part is that they had the same on their servers and did not acknowledge the fact, because their competition will misuse these facts to advertise against them.
     
