  1. #1

    Locating nobody user that is possibly spamming

    First of all, I would like to apologise if the solution is on this board somewhere. I did search for 15 minutes but couldn't locate it; if you can point me to the thread, I would appreciate it.

    On to the problem. Running top comes up with something like this:

    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
    2851 nobody 25 0 3128 3128 1520 R 38.8 0.1 15:32 1 perl
    9093 nobody 19 0 38648 37M 6808 R 5.4 1.8 0:00 0 httpd
    8322 root 39 19 14444 14M 1740 D N 3.3 0.7 36:31 1 cpanellogd
    6567 nobody 16 0 41860 40M 11712 R 1.1 2.0 0:03 0 httpd
    3709 gwbaker 15 0 25292 24M 2164 D 0.4 1.2 0:24 0 spamd
    8190 nobody 15 0 38752 37M 8452 R 0.1 1.8 0:00 1 httpd

    The first perl process is the concern here. If I run top -ci it shows the perl process as "sendmail: accepting connections".

    Now, I have tried kill -9 2815, which kills the process, only for it to start up again instantly. This process is using a lot of CPU. I must admit I am quite inexperienced, but since it's using sendmail I am assuming it is something to do with a user spamming. However, because it shows the user as nobody, I cannot suspend their account, and it's causing a high load on our server. I would appreciate it if anyone could help me track down which user it is, either by checking mail logs somewhere(?) or by finding out which user is running this perl script.

    Any help is gratefully appreciated.

  2. #2
    Doing a:

    cat /proc/2851/environ

    might give some details on where the script is located at (where 2851 is the PID of the perl script).

    You might also try:

    ps auxfwge

    and find the 2851 process and see if it is branched from anything significant.
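
    The two checks above (the process's /proc entry and its place in the process tree) can be collected in one go. The script below is an added example written for this thread, not code posted by anyone in it. It reads /proc/PID/cmdline, exe, cwd and environ (which is NUL-separated, hence the tr) and walks the PPid chain from /proc/PID/status up to init. The environment keys it filters on (SCRIPT_FILENAME, DOCUMENT_ROOT, PWD and so on) are the standard CGI variables Apache sets; they are an assumption about how the script was started, not something the original poster reported. It is Linux-only, and reading another user's /proc entries requires root.

```shell
#!/bin/sh
# Added example (not from the original thread): gather what /proc knows about
# a suspicious PID, e.g. a perl running as "nobody" that retitles itself.
# Usage: sh locate_proc.sh 2851

# Real argument vector. A process can overwrite its title (top shows
# "sendmail: accepting connections"), but cmdline, exe and cwd come from the
# kernel and are harder to fake than ps output.
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Binary that was exec'd, and the working directory (for a CGI usually the
# directory the script lives in, which names the account).
exe_of() { readlink "/proc/$1/exe"; }
cwd_of() { readlink "/proc/$1/cwd"; }

# Environment at exec time, NUL-separated in /proc. The keys below are the
# standard CGI variables (assumed here): SCRIPT_FILENAME and DOCUMENT_ROOT
# point straight at the script and the virtual host that owns it.
environ_hints() {
    tr '\0' '\n' < "/proc/$1/environ" \
      | grep -E '^(PWD|HOME|SCRIPT_FILENAME|DOCUMENT_ROOT|SERVER_NAME|REQUEST_URI)=' \
      || true
}

# Walk the parent chain up to init, printing name, pid and real uid of each
# ancestor. A perl forked by httpd, by cron or by an interactive shell each
# produce a different chain, which tells you how it keeps coming back.
parent_chain() {
    pid="$1"
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        status="/proc/$pid/status"
        [ -r "$status" ] || break
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$status")
        uid=$(sed -n 's/^Uid:[[:space:]]*\([0-9]*\).*/\1/p' "$status")
        printf '%s (pid %s, uid %s)\n' "$name" "$pid" "$uid"
        pid=$(sed -n 's/^PPid:[[:space:]]*//p' "$status")
    done
}

report() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "== cmdline =="; cmdline_of "$pid"; echo
    echo "== exe / cwd =="; exe_of "$pid"; cwd_of "$pid"
    echo "== environ hints =="; environ_hints "$pid"
    echo "== parent chain =="; parent_chain "$pid"
}

# Only run when given a PID, so the functions can also be sourced.
if [ -n "$1" ]; then
    report "$1"
fi
```

    If the parent chain ends in httpd and cwd is under some account's public_html, that account's CGI is the source; if the parent is cron or a login shell, or the exe link is a file that has since been deleted, treat it as reply #4 suggests and assume the box itself may be compromised.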

  3. #3
    Thank you for the help. I managed to kill the process and it doesn't seem to have started back up. I'm sure it will, though, and when it does I'll be ready.

  4. #4
    You should take a closer look and find out what exactly that process is, as it might not be what you are thinking: your box might be compromised. I'm saying this only because it shows up as perl, so it might be some perl script being run as user nobody after hacking apache/php.

    Regards
