[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SV: [cobalt-security] - too many sendmail processes

Subject: RE: SV: [cobalt-security] - too many sendmail processes
From: "malcolm wild" <cobaltsec@xxxxxxxxxxx>
Date: Fri, 28 Sep 2001 18:16:37 +0100
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

to see the basic header details look in /var/log/maillog
If you want to see the full contents of any network traffic you can us
tcpdump
that writes ALL the tcp/ip traffic to a log file. Its worth reading up on
the functions of tcpdump before using it (obvious!)
but if you don't switch it off it make a very big log file!

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of njd 76
Sent: 28 September 2001 16:04
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: SV: [cobalt-security] - too many sendmail processes



Something is going on...The list goes on and on I would say there are about
50 sendmail processes. Here is my setup

Maximum Message Size (MB) [5]
Smart Relay Host Name [BLANK]
Relay for the following Hosts/Domains [IPs,Domain names on BOX]
Host/Domain Aliases [all www.domain.com on BOX]
Reject the following Users/Hosts/Domains [Blank]
POP Before SMTP Relaying [ON]
Relay Window (minutes) [15]


When i run ps aux the processes with send mail all look like this.
root      3013  0.0  1.3  2896 1772 ?        S    10:22   0:00 sendmail:
q2/f8SE

Anymore ideas...

Malcolm- You said I can look in the outgoing mail to see what it is, where
is the directory?



>From: "Malcolm Wild" <cobaltsec@xxxxxxxxxxx>
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>To: <cobalt-security@xxxxxxxxxxxxxxx>
>Subject: RE: SV: [cobalt-security] - too many sendmail processes
>Date: Tue, 25 Sep 2001 17:10:06 +0100
>
>type
>ps aux
>this will show what started the process e.g. script, program, etc
>it'll give you an indication of what is using sendmail
>I'd also suggest having a look in the outgoing mail to see what it contains
>
>
>if you don't like it kill it
>kill PID#
>
>that'll give you some pointers for more info on howtos just post back
>
>-----Original Message-----
>From: cobalt-security-admin@xxxxxxxxxxxxxxx
>[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of njd 76
>Sent: 25 September 2001 16:14
>To: cobalt-security@xxxxxxxxxxxxxxx
>Subject: Re: SV: [cobalt-security] - too many sendmail processes
>
>
>
>I am fairly new to the security world but i installed chkrootkit on one of
>my cobalts and have found it to be a great way to keep on top of the log
>files. My problem however is after I installed it I noticed when I ran top
>the following was in the list: (not sure if chkrootkit has anything to do
>with this)
>
>1911 root     0   0  1660 1660  1388 S       0  0.0  1.2   0:00 sendmail
>1912 root     0   0  1768 1768  1336 S       0  0.0  1.3   0:00 sendmail
>2000 root     0   0  1660 1660  1384 S       0  0.0  1.2   0:00 sendmail
>2001 root     0   0  1820 1820  1344 S       0  0.0  1.4   0:00 sendmail
>2108 root     0   0  1660 1660  1388 S       0  0.0  1.2   0:00 sendmail
>2111 root     0   0  1768 1768  1336 S       0  0.0  1.3   0:00 sendmail
>2174 root     0   0  1660 1660  1388 S       0  0.0  1.2   0:00 sendmail
>2175 root     0   0  1776 1776  1340 S       0  0.0  1.3   0:00 sendmail
>2224 root     0   0  1660 1660  1384 S       0  0.0  1.2   0:00 sendmail
>2225 root     0   0  1820 1820  1344 S       0  0.0  1.4   0:00 sendmail
>2246 root     0   0  1660 1660  1388 S       0  0.0  1.2   0:00 sendmail
>2248 root     0   0  1776 1776  1340 S       0  0.0  1.3   0:00 sendmail
>etc....
>
>Any idea on what is causing this or what is going on? Is there a way to
>kill
>these or is it ok to have them running? I have about 15 sites on this
>server.
>
>Hope you guys can help.
>
>Cheers,
>Nick Damoulakis
>
>
>_______________________________________________
>cobalt-security mailing list
>cobalt-security@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
>_________________________________________________________________
>Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
>_______________________________________________
>cobalt-security mailing list
>cobalt-security@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
>_______________________________________________
>cobalt-security mailing list
>cobalt-security@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-security


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security

References:
- RE: SV: [cobalt-security] - too many sendmail processes
  - From: njd 76

Prev by Date: RE: SV: [cobalt-security] - too many sendmail processes
Next by Date: [cobalt-security] Hacked by SDI linux remote exploit for ProFTP
Previous by thread: RE: SV: [cobalt-security] - too many sendmail processes
Next by thread: [cobalt-security] Squid Mkdir-only PUT Requests Denial of Service Attack

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index