Web Hosting Talk

my server is hacked/flooded, please help


beniceman
08-14-2004, 11:29 AM
Hi, currently the server load is 32.74/4 whereas normally it's only ~3 or 4.

When I check the current CPU usage, it shows tons of processes:

29045 mailnull 0 0.0 0.0 2 exim
29991 mailnull 0 0.0 0.0 0 exim
29992 mailnull 0 0.0 0.0 3 exim
30268 mailnull 0 0.0 0.0 3 exim
30279 mailnull 0 0.0 0.0 2 exim
30281 mailnull 0 0.0 0.0 2 exim
30294 mailnull 0 0.0 0.0 0 exim
30316 mailnull 0 0.0 0.0 1 exim
30320 mailnull 0 0.0 0.0 3 exim
30327 mailnull 0 0.0 0.0 1 exim
30334 mailnull 0 0.0 0.0 1 exim
30337 mailnull 0 0.0 0.0 2 exim
30430 mailnull 0 0.0 0.0 2 exim
30447 mailnull 0 0.0 0.0 2 exim
30542 mailnull 0 0.0 0.0 0 exim
30679 mailnull 0 0.0 0.0 1 exim
30684 mailnull 0 0.0 0.0 2 exim
30685 mailnull 0 0.0 0.0 1 exim
30688 mailnull 0 0.0 0.0 3 exim
....
....

I tried to kill them all but no help; after like 5 seconds they're all back. Looks like they are executed by a cron.

Please help me trace down the cron and fix it.

thanks a lot

Techark
08-14-2004, 11:37 AM
SSH in and type

chkservd stop

killall -9 exim

service exim stop

Go check your mail queue, exim_mainlog, access_log and suexec_log to track down your spammer and then terminate them.

Then SSH in and type

service exim restart
chkservd start

RaviSharma
08-14-2004, 12:05 PM
Let me guess, your server is hosted at theplanet/servermatrix?

cDedicated.com
08-14-2004, 12:30 PM
I would suggest you try a soft reboot of the server and see if it gets fixed. Also, try reviewing your logs and look for some "bad" things; possibly some customers uploaded some script which loads the CPU. Also try contacting your DATACENTER for "on hand support": DC techs know how to get these things fixed asap... they do it all the time :)

Steven
08-14-2004, 01:19 PM
Do you host any large forums? A mass mail will do that to a server.

beniceman
08-14-2004, 04:40 PM
Hi,

I followed your guide and did

chkservd stop

killall -9 exim

service exim stop

but exim is still running.

Any idea?

Please help.

beniceman
08-14-2004, 04:43 PM
root@aquarious [~]# service exim stop
Shutting down exim: [FAILED]
Shutting down antirelayd: [ OK ]
Shutting down spamd: [ OK ]

Techark
08-14-2004, 08:49 PM
Reboot and then check your logs for kernel errors; you could have some bad mem or hardware that the processes have bound to and will not die.

cannibal
08-15-2004, 03:45 AM
I think one of your clients is spamming.
Check the mail queue from your WHM.

Then search for PHP files like mail.php or mail1.php in your clients' dirs.

You will find one of them is the spammer!! Then terminate his account.
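
Added example (not from any poster in this thread) putting Techark's "check exim_mainlog" step and cannibal's "search for mail.php" step into one triage script for a cPanel/exim box. It assumes the cPanel log path /var/log/exim_mainlog and user sites under /home; the log lines and PHP files it creates are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added triage helpers for an exim spam flood on a cPanel box (not from the thread).
# Assumptions: cPanel's log lives at /var/log/exim_mainlog and user sites under /home;
# the log lines and files below are constructed samples so the script runs offline.

# Print "count sender user" for each sender/user pair on "<=" (message received)
# lines, busiest first. U= is the local account that handed exim the message, which
# is the account to suspend; H= lines came in over SMTP and carry no U=.
top_senders() {
    awk '$4 == "<=" {
        user = "-"
        for (i = 5; i <= NF; i++) if ($i ~ /^U=/) user = substr($i, 3)
        n[$5 " " user]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "${2:-10}"
}

# List PHP files under a directory tree that call mail(): the "mail.php" style
# uploads the thread mentions. Review each hit by hand before acting on it.
find_mailers() {
    find "$1" -type f -name '*.php' -exec grep -l 'mail[[:space:]]*(' {} + 2>/dev/null
}

# ---- constructed sample data (stand-ins for /var/log/exim_mainlog and /home) ----
SAMPLE_LOG=$(mktemp)
SAMPLE_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_LOG" "$SAMPLE_HOME"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2004-08-14 11:20:01 1BvwxY-0007Gk-9A <= cust1@aquarious.example U=cust1 P=local S=612
2004-08-14 11:20:02 1BvwxZ-0007Gl-AB <= cust1@aquarious.example U=cust1 P=local S=598
2004-08-14 11:20:02 1BvwxZ-0007Gl-AB => victim@example.net R=lookuphost T=remote_smtp
2004-08-14 11:20:03 1Bvwxa-0007Gm-CD <= cust1@aquarious.example U=cust1 P=local S=601
2004-08-14 11:20:04 1Bvwxb-0007Gn-EF <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtp S=2048
2004-08-14 11:20:04 1Bvwxb-0007Gn-EF => bob@aquarious.example R=localuser T=local_delivery
EOF
mkdir -p "$SAMPLE_HOME/cust1/public_html" "$SAMPLE_HOME/cust2/public_html"
printf '<?php foreach ($list as $to) mail($to, $subj, $body);\n' > "$SAMPLE_HOME/cust1/public_html/mail1.php"
printf '<?php echo "hello";\n' > "$SAMPLE_HOME/cust2/public_html/index.php"

echo "Busiest senders (count sender user):"
top_senders "$SAMPLE_LOG"
echo "PHP files calling mail():"
find_mailers "$SAMPLE_HOME"
```

On the real box, point top_senders at /var/log/exim_mainlog and find_mailers at /home, and compare against the queue (exim -bp) before suspending the account it names.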

overulehost
08-15-2004, 07:05 AM
Well, try to reboot your server.... or contact someone to do it.