High load, webmaild processes i/O, big queue - discover cause
Hello,
i discovered my VPS has high load. Normal is 5.0, this was 43.0.
iostat -a returned there are several webmaild processes so it pointed me to mail issue direction. So i checked mailqueue and found alot of spam mails there going to various russian mailboxes.
When i examined whole mail headers thru mailqueue manager, i did not found which cpanel account sends it. So my question how i can find it?
WHM "
Email "
View Sent Summary
gives very good overview, it found that one account has:
successfull: 6
deferral: 21
failures: 894
i found in that account public_html directory there are various new folders with injected index.php content like:
[QUOTE]somecrapdomainhere.net/space.php?a=***&c=wl_iw&s=d***"); ?>
when i do stat of one of these injected index.php, it shows: [QUOTE]File: `/home/accname/public_html/is/index.php' Size: 83 Blocks: 8 IO Block: 4096 regular file Device: 9eh/158d Inode: 42861096 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 538/ accname) Gid: ( 546/ accname) Access: 2014-06-24 10:32:48.000000000 -0400 Modify: 2014-06-24 05:42:40.000000000 -0400 Change: 2014-06-24 05:42:40.000000000 -0400 root@host [~]# date Wed Jun 25 05:38:04 EDT 2014
Please any idea which commands to do to discover how this file was injected, so i can fix the hole? or which ip did this, which log file to examine by which commands? thanks alot
when i do stat of one of these injected index.php, it shows: [QUOTE]File: `/home/accname/public_html/is/index.php' Size: 83 Blocks: 8 IO Block: 4096 regular file Device: 9eh/158d Inode: 42861096 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 538/ accname) Gid: ( 546/ accname) Access: 2014-06-24 10:32:48.000000000 -0400 Modify: 2014-06-24 05:42:40.000000000 -0400 Change: 2014-06-24 05:42:40.000000000 -0400 root@host [~]# date Wed Jun 25 05:38:04 EDT 2014
Please any idea which commands to do to discover how this file was injected, so i can fix the hole? or which ip did this, which log file to examine by which commands? thanks alot
-
Hello :) I have moved this thread to the "Security" forum. You should receive more user-feedback here. You may also want to search the "Security" forum for the PHP script you are using (e.g. WordPress, Joomla). There are several results discussing how to handle attacks/exploits on these common PHP applications. Thank you. 0 -
Make sure that extended logging is enabled for exim. This will help you to get details about the mails being delivered. Also install malware detecton tools such as "maldet" so that you can check whether an account is infected or not. Secure your webserver using an effective mod_Sec rule sets too. 0
Please sign in to leave a comment.
Comments
2 comments