Server load problem
Using RHEL 6-x86_64.
No sendmail enabled nor any other MTA started. But mailq is growing rapidly. In my view this server is hacked. The thing is how to troubleshoot this.
- And how many unprocessed entries does /var/spool/mqueue/ actually hold?
- Have you run Logwatch on /var/log/maillog (as in 'logwatch --detail high --logfile maillog')?
- And if you say no MTA is enabled, does that mean no MTA is running?
- Is there anything else to say about the purpose of this machine? Is it a mail or a web server?
- Are there processes consuming lots of CPU ('\ps ax -eopcpu,pid,args --sort=pcpu|grep -v "^[[:blank:]]\{1,3\}0\.0";')?
- Is there an excessive amount of MTA-related traffic ('lsof -Pwln -i tcp:25 -a -i tcp:587')?
No mail servers are running and this is a web server. It generated a huge mail queue. But it can not relay through the server. How can this happen?
- What list of measures have you tried since this started?
- What output does 'mailq -v' show? Attach its output as a plain text file.
- How many unprocessed entries are there in /var/spool/mqueue/ and does this still increase?
- Do run Logwatch on the mail and web server log files and attach its output as a plain text file.
- If you say no MTA is running, does that mean the MTA was stopped to mitigate the situation, or does the machine run without an MTA?
- What (web log, forum software, photo gallery, statistics package, shopping cart or other) software runs on top of the web server (names and versions) and are they all the latest version (including any plugins, if any)?
- How many virtual hosts does the web server provide?
- How can users access their web content? Only via HTTP(S) or also by SSH or FTP?
- What hardening measures (firewall, mod_evasive, mod_bandwidth, mod_security) and restrictions (.htaccess, php.ini, etc.) does the system have right now?
- Is there an excessive amount of HTTP-related traffic ('lsof -Pwln -i tcp:80')?
- Are there processes consuming lots of CPU ('\ps ax -eopcpu,pid,args --sort=pcpu|grep -v "^[[:blank:]]\{1,3\}0\.0";')?
- Are there files in /tmp, /var/tmp, /var/www and user home directories whose ownership, access rights and time stamps seem out of place or could be linked to the start of this situation?
- Have you run Linux Malware Detect, ClamAV or other applications on the contents of /tmp, /var/tmp, /var/www and user home directories?
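A small triage script that wraps the checks asked for above (queue depth, SMTP listeners, CPU hogs, recently changed executable or world-writable files under the web and temp directories), so the answers can be collected in one go and attached. This is an added example, not code from the thread; the function names, the 7-day window and the use of sendmail's qf* control files to count queued messages are assumptions.

```shell
#!/bin/sh
# Triage helper for a web server with an unexplained mail queue (added
# example, not from the thread). Directories are passed as arguments so the
# functions can be run against a copied tree as well as the live host.

# Sendmail keeps one qf* control file per queued message; count those rather
# than raw directory entries, which also include df* data files (assumption).
count_queue_entries() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -maxdepth 1 -type f -name 'qf*' | wc -l | tr -d ' '
}

# Files under DIR modified within DAYS days that are owner-executable (0100)
# or world-writable (0002): the usual footprint of a dropped mailer script.
recent_suspect_files() {
    dir="$1"; days="$2"
    find "$dir" -type f -mtime "-$days" \( -perm -002 -o -perm -100 \) 2>/dev/null
}

# Same check, reduced to a single number for reporting or testing.
count_recent_suspect_files() {
    recent_suspect_files "$1" "$2" | wc -l | tr -d ' '
}

# Live checks from the thread; only meaningful on the affected host.
live_report() {
    printf 'Queued messages in /var/spool/mqueue: %s\n' \
        "$(count_queue_entries /var/spool/mqueue)"
    printf 'Processes bound to SMTP ports (25/587):\n'
    lsof -Pwln -i tcp:25 -i tcp:587 2>/dev/null || echo '  (none found or lsof unavailable)'
    printf 'Top CPU consumers:\n'
    ps -eo pcpu,pid,args --sort=-pcpu | head -n 6
    for d in /tmp /var/tmp /var/www; do
        printf 'Recently changed executable/world-writable files under %s:\n' "$d"
        recent_suspect_files "$d" 7 | head -n 20
    done
}

# Run the live report only when asked, so sourcing the file stays side-effect free.
if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Run it as `sh triage.sh --live` on the affected machine and attach the output; the directory functions can also be pointed at a mounted copy of the disk.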