Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Spam??

[Pluto]

I am getting tones of line when I check the "top" command?
Anyone know how to check who is doing this??

11572 root 9 0 2304 2304 2024 S 2.2 0.1 0:00 /usr/sbin/exim -bd -q1h

[jucebro]

Try doing a 'ps fax' at the command prompt. this will give you a tree view so you can see what process started this. For example, here is a 'ps fax' snip from my current ssh session:

352 ? S 0:15 sshd
5678 ? S 0:00 \_ sshd
5679 pts/0 S 0:00 \_ -bash
5693 pts/0 S 0:00 \_ su
5713 pts/0 S 0:00 \_ sh
6928 pts/0 R 0:00 \_ ps fax

So If you were looking for who was running the 'ps fax' command, you can just fallow the tree to the top.

'ps faux' will show you the user too:

root 352 0.0 0.1 2100 268 ? S Oct11 0:15 sshd
root 5678 0.0 0.9 2988 1496 ? S 09:07 0:00 \_ sshd
admin 5679 0.0 0.5 1696 936 pts/0 S 09:07 0:00 \_ -bash
root 5693 0.0 0.5 2088 936 pts/0 S 09:07 0:00 \_ su
root 5713 0.0 0.6 1748 988 pts/0 S 09:07 0:00 \_ sh
root 7047 0.0 0.4 2344 696 pts/0 R 09:32 0:00 \_ ps faux

Your process bellow is being run as root. So either someone logged in as root started it, or a service you have running as root started it, such as crond.

[Pluto]

Anyone know how to make sure sendmail relay is closed?

[jucebro]

I use Sam Spade. It has an SMTP relay check:

http://samspade.org/ssw/

[comphost]

Simply starting it with just -bd
and relay is not activatd... you also can make a relay-domains
file with allowed hosts if using it

[mahinder]

when people run script for spaming it runs as
user nobody.

so you can tran the process nobody and see his pid and kill it with pid id.

kill -9 <pid id>

you may also consider killing all nobody pidds with this command

kill -9 `ps aux | awk '{if($1 == "nobody") print $2}'`

then goto

/var/log

and see your sendmail.log file
pico sendmail.log

and see who is spaming (you will continues entries with same pid) that user is spaming. then bust him like bush did to taliban

spamer