Exim issue

Posted: 02 Mar 2014, 13:17
by DrAlani
Hi,
This is my first post here so bear with me please.
For the past two days, I have been receiving 4 emails repetitively:
Mail 1:
Suspicious Process running under user exim

Account: exim
Uptime:  610633 seconds


Executable:

/usr/sbin/exim


Command Line (often faked in exploits):

/usr/sbin/exim -bd -q1h


Network connections by the process (if any):

tcp: 127.0.0.1:25 -> 0.0.0.0:0
tcp: 127.0.0.1:465 -> 0.0.0.0:0
tcp: 127.0.0.1:587 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
Mail 2:
Suspicious process running under user mysql

Account: mysql
Uptime:  190691 seconds


Executable:

/usr/libexec/mysqld


Command Line (often faked in exploits):

/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock


Network connections by the process (if any):

tcp: 0.0.0.0:3306 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/var/log/mysqld.log
/var/log/mysqld.log
/var/lib/mysql/ibdata1
/tmp/ibPvy70e (deleted)
/tmp/ibaeef3h (deleted)
/tmp/ib7Zbn5k (deleted)
/tmp/ibBs4oAr (deleted)
/var/lib/mysql/ib_logfile0
/var/lib/mysql/ib_logfile1
/tmp/ibESBrjx (deleted)
/var/lib/mysql/mysql/host.MYI
/var/lib/mysql/mysql/host.MYD
/var/lib/mysql/mysql/user.MYI
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/db.MYI
/var/lib/mysql/mysql/db.MYD
/var/lib/mysql/mysql/proxies_priv.MYI
/var/lib/mysql/mysql/proxies_priv.MYD
/var/lib/mysql/mysql/tables_priv.MYI
/var/lib/mysql/mysql/tables_priv.MYD
/var/lib/mysql/mysql/columns_priv.MYI
/var/lib/mysql/mysql/columns_priv.MYD
/var/lib/mysql/mysql/procs_priv.MYI
/var/lib/mysql/mysql/procs_priv.MYD
/var/lib/mysql/mysql/servers.MYI
/var/lib/mysql/mysql/servers.MYD
/var/lib/mysql/mysql/event.MYI
/var/lib/mysql/mysql/event.MYD

Mail 3:
Excessive resource usage: exim (1129 (Parent PID:1129))

Account:      exim
Resource:     Process Time
Exceeded:     610633 > 1800 (seconds)
Executable:   /usr/sbin/exim
Command Line: /usr/sbin/exim -bd -q1h
PID:          1129 (Parent PID:1129)
Killed:       No
Mail 4:
Excessive resource usage: mysql (469 (Parent PID:32716))

Account:      mysql
Resource:     Process Time
Exceeded:     190691 > 1800 (seconds)
Executable:   /usr/libexec/mysqld
Command Line: /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
PID:          469 (Parent PID:32716)
Killed:       No
I have looked up around the web and could not find out what exactly is going on and how to remedy this. The answer might be obvious to someone here.

Re: Exim issue

Posted: 03 Mar 2014, 01:50
by Sergio
Check CSF.PIGNORE; if some of the following lines are missing, add them:

exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/mysqld

Sergio

Re: Exim issue

Posted: 03 Mar 2014, 02:38
by DrAlani
Thanks for the reply Sergio.
By this answer you are suggesting that there is no issue and I should just ignore these notifications?
Why did I start receiving them now?
I have been using the same server with the same configuration for over a year. What triggered it now?

Re: Exim issue

Posted: 03 Mar 2014, 05:29
by DrAlani
I have checked and
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
are already there.
I added the missing one:
exe:/usr/libexec/mysqld

And I am waiting to see if this solved it.

Re: Exim issue

Posted: 03 Mar 2014, 07:18
by DrAlani
Still getting the messages despite the fact that the processes are in the csf.pignore :(

Re: Exim issue

Posted: 03 Mar 2014, 12:55
by Sergio
The notifications that you are receiving are triggered by LFD when a process is taking more time than what you have defined. Adding them to CSF.PIGNORE is for CSF to know that the processes are ok to be ignored.

After any changes to the CSF.PIGNORE you need to restart LFD.

In my CSF.PIGNORE, I have the following users as well:
user:csf
user:mailnull
user:mysql

Why it started now, I really can't tell. Did you do any modifications to CSF configuration lately?
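As an added example (not from the thread and not CSF's own tooling), a small POSIX shell check that reports which of the csf.pignore entries listed in this thread are absent from a given pignore file. It assumes csf.pignore's one-entry-per-line format with `#` comment lines, and the restart commands and the /etc/csf path in the final comment are given as assumptions about a stock CSF install.

```shell
#!/bin/sh
# Added example for this thread (not CSF's own tooling): report which of the
# csf.pignore entries Sergio lists are missing from a given pignore file.
# Assumption: csf.pignore holds one entry per line; lines beginning with '#'
# are comments.

# The exe: and user: entries named in the thread.
REQUIRED_ENTRIES='exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/mysqld
user:csf
user:mailnull
user:mysql'

# Print, one per line, each required entry that does not appear in the file
# given as $1 (exact match after dropping comment lines and surrounding
# whitespace). Prints nothing when everything is present.
missing_pignore_entries() {
    present=$(sed -e '/^[[:space:]]*#/d' \
                  -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                  -e '/^$/d' "$1")
    printf '%s\n' "$REQUIRED_ENTRIES" | while IFS= read -r entry; do
        if ! printf '%s\n' "$present" | grep -Fqx -- "$entry"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Constructed sample resembling DrAlani's file after his first check:
# the three exe: lines he found present, nothing else from the list.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# csf.pignore (constructed sample, not a real server's file)
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
user:named
EOF

echo "Missing from $sample:"
missing_pignore_entries "$sample"
rm -f "$sample"

# After appending the missing lines to /etc/csf/csf.pignore (path assumed),
# restart lfd so it re-reads the file, e.g. 'csf -ra' or 'service lfd restart'
# as root; until then the alerts keep coming, as seen in this thread.
```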

Re: Exim issue

Posted: 03 Mar 2014, 13:14
by DrAlani
Thanks again for the reply Sergio.
I added the users and I'm currently waiting to see if it worked.

Actually, not knowing the reason behind the sudden start of this is what got me worried in the first place.
And to answer your question: no, I did not change any settings recently; I just updated it to the latest version.