High load - lots of "sendmail" commands

alwaysbusy (Verified User, joined Apr 19, 2020, 108 messages)
Hi.

On one of my servers, the server load has been increasing dramatically over the last weeks and I have no clue why.
When I look into the "process monitor" I find a lot of commands taking a lot of CPU resources every time, a command named "sendmail" - see picture.

[screenshot: sendmail process.png]

For information: I only blanked out the user/domain name.

All of these sites are WordPress sites and have no option for users to register or send mail. The only thing which 90% of these sites have enabled is a comment field below the article. Is this maybe getting botted? Because one of these sites has sent 280 emails (as DirectAdmin shows it) and there would be no other option to send mails, only if the comment field would maybe send a mail ...

Normally we had a server load around 2, now it's increasing to 5-6 :-/

Hope someone can help.

Thanks & Greets
 
The PHP mail log file is empty :-/, but my technician said that they found something suspicious, like a cronjob that had been activated under that user, which is always trying to send some suspicious mails... We will look into it.
 
Thank you. We looked into it, but besides "admin" there are no other users on that blog. The comment function is enabled and that cron is running every few seconds... But I see that also on another WordPress site: from time to time the "mail" process is running, although there are no comments enabled. I have no clue what it is... Mostly I see this process on sites with the comment function enabled and only a few times on WP sites with the comment function disabled...

What I know for sure is that it has something to do with WordPress, because it's only on WordPress sites.

Greets
 
Where did you specify that PHP mail log? Because if you specify this in the php.ini then it might only be working for 1 user.
Or did you activate it the correct way like this?

that it has to do something with wordpress, because its only on wordpress sites.
It's almost certainly a hacked account or leak script. Some get in via not-updated templates or addons, or even get account access to the wp-admin site.

I would also suggest to install Maldetect, which often finds adjusted wordpress things which are abused.

If you find what is causing it, best is to clean that out, remove the specific files causing the leak, and only after the repair, be sure the user changes the wp-admin password.
Also check the database for other unknown users of that WP site.
 
The strange thing is that there are barely any sent mails. Mostly close to nothing or 0. Especially when I rely on the numbers which DirectAdmin shows under the account in the section "sent emails" - next to the account data like IP, domain, disk usage, bandwidth and so on...

I am just looking at the domains and running anti-malware scripts and so on...

The thing is, I limited all accounts already a long time ago to 10 emails/hour as prevention against spammers, because I don't really need the mail function. Hope my technicians can find what's wrong here.
 
when I rely on the numbers which DirectAdmin shows under the account in the section "sent emails"
If I'm not mistaken, that only shows mails sent via the SMTP account, but I'm not 100% sure.

Check via SSH with the exim -bp command to see if there is either a queue or a lot of bounced or refused mails.

The limit you set of 10 emails/hour is also only for mails sent via SMTP. For limiting mails via PHP mail there is a totally different routine.

For setting PHP limits your technicians need to look at a specific directadmin.com setting and, below that, the disable_php_script_at_limit_threshold section.

However, these are all protections to avoid mass mail flow. As @Active8 already said, first have things fixed or you will be on blacklists.
 
Thanks for the input Richard, I didn't know this. I will forward the information directly to my technicians. My technicians are already on it, to find the malware/infected file(s).

Greets
 
You're welcome. Shouldn't be that big an issue to find the script causing the problem, especially not if Maldetect is installed.
Good luck!
 
Not so easy until now. The malware scan found nothing and the mail log file also shows no spam. But I still get lots of "sendmail" commands every second in the process monitor. Have no clue why, and my technicians also have no idea :-/
 
If you want to find out where the script comes from,
just add "mail" to disable_functions and enable some debug mode in the website (error_reporting).
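The post above and the earlier question about where the PHP mail log is configured both aim at the same thing: finding out which script calls mail(). As an added example (not from this thread, and not DirectAdmin's or Imunify's code), the following POSIX shell script shows a less disruptive route than disabling the function: PHP's own mail.log and mail.add_x_header directives, which record the file and line of every mail() call and stamp each message with an X-PHP-Originating-Script header. The log path and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from this thread. Assumes PHP 5.3 or newer (which
# introduced mail.log and mail.add_x_header) and that the log path below is
# writable by the user PHP runs as; on a per-user php-fpm setup put these
# lines in that pool's php.ini rather than the global one.

# php.ini fragment that makes PHP record every mail() call. With
# mail.add_x_header on, queued messages also carry
# "X-PHP-Originating-Script: <uid>:<script>", which `exim -Mvh <id>` shows.
php_mail_logging_ini() {
    cat <<'EOF'
mail.add_x_header = On
mail.log = /var/log/php_mail.log
EOF
}

# Constructed sample of what mail.log then contains (paths and addresses are
# made up for this example, not taken from the poster's server).
SAMPLE_MAIL_LOG='[13-Jul-2020 10:01:02 UTC] mail() on [/home/alice/public_html/wp-content/plugins/dropin/cache.php:17]: To: a@example.invalid -- Headers: From: wp@example.invalid
[13-Jul-2020 10:01:03 UTC] mail() on [/home/alice/public_html/wp-content/plugins/dropin/cache.php:17]: To: b@example.invalid -- Headers: From: wp@example.invalid
[13-Jul-2020 10:05:00 UTC] mail() on [/home/alice/public_html/wp-includes/pluggable.php:514]: To: admin@example.invalid -- Headers: From: wp@example.invalid'

# Read mail.log lines on stdin and print "<script:line> <count>", most active
# caller first. A plugin file that dominates this list is the one to inspect.
mail_calls_per_script() {
    sed -n 's/.*mail() on \[\([^]]*\)].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Usage: on the live host, `mail_calls_per_script < /var/log/php_mail.log`.
printf '%s\n' "$SAMPLE_MAIL_LOG" | mail_calls_per_script
```

A WordPress core file such as wp-includes/pluggable.php showing up is expected (wp_mail() lives there); a file nobody recognises under wp-content with hundreds of calls is the lead to follow.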
 
Take care with old topics!

Take also care that your box is no mail relay!

and:
DIT: You should keep in mind that sendmail starts rejecting requests to handle email when the machine's load increases over a certain threshold. For that threshold to be reached sendmail may not be responsible. Other processes, like the web server, a cronjob, a query on an ill configured MySQL that causes the machine to swap may take the blame.
So if user(s) have cron job(s) for some website with lots of errors/problems, where the cron jobs should send out mail, then you also have this problem.

You should ask the users/devs/admins about the applications they use; the From email address should also give a clue.

If load is a problem, try to disable that user?

And of course those mail logs you didn't post here!!! Shouldn't be empty, I think!?

And try to find out those command parameters: php sendmail -t -i -f ..... -d

EDIT: There are also more PHPMailer updates for security; if the user didn't have those updates for his apps/plugins there, then you could have problems too!
 
Thanks for your help. I will look into the mentioned threads and send the info to my technicians.

Hope I can finally fix the problem with this.

Greets
 
You can also disable mail for a short period like @jamgames2 said, or use SMTP_ALLOWLOCAL = "0", which will throw error mails (if you have those mails on) for mails being sent and probably also the script using it.

Use this only for a certain time, because this will block all emails sent via PHP.
The exim -bp command will show a list of mails being bounced and then waiting in the queue. With a good queue manager it's possible to read those mails and see from which script they are coming.

Also you can issue a command like lsof -i :25 to check if some other mailserver is running on port 25.

But a good technician should know all these things. So I wonder why they still did not discover what is causing the issue, while it's known from which account the problem occurs.
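As an added example (not part of this thread, and not a DirectAdmin tool), here is a POSIX shell script that applies the two checks discussed above, the process list and exim -bp, to constructed sample data: which system user owns the sendmail processes, which envelope senders they pass with -f, and how many messages per sender sit frozen in the queue. The sample ps and queue lines are made up for the example; on the real host replace them with the output of `ps -eo user,pid,args` and `exim -bp`.

```shell
#!/bin/sh
# Added example, not from this thread. Summarises what many "sendmail"
# processes are doing and what the Exim queue holds. All data below is
# constructed; on a live host feed the script the real command output:
#   ps -eo user,pid,args | sendmail_per_user
#   exim -bp | queue_per_sender

# Constructed `ps -eo user,pid,args` output (users and addresses are made up).
SAMPLE_PS='USER       PID ARGS
root         1 /sbin/init
alice     4312 /usr/sbin/sendmail -t -i -falice@example.invalid
alice     4318 /usr/sbin/sendmail -t -i -falice@example.invalid
alice     4325 /usr/sbin/sendmail -t -i -fwordpress@example.invalid
bob       5100 php-fpm: pool bob
bob       5110 /usr/sbin/sendmail -t -i'

# Constructed `exim -bp` output. Each message starts with
# "<age> <size> <message-id> <sender>" and "*** frozen ***" marks a message
# Exim has given up delivering; indented lines below it are recipients.
SAMPLE_QUEUE=' 3h  1.2K 1abcde-000001-AB <alice@example.invalid> *** frozen ***
          victim1@example.invalid
 2h  1.1K 1abcde-000002-AB <alice@example.invalid> *** frozen ***
          victim2@example.invalid
 5m   900 1abcde-000003-AB <bob@example.invalid>
          friend@example.invalid'

# sendmail processes per system user: the account to inspect first.
sendmail_per_user() {
    awk '$3 ~ /\/sendmail$/ { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Envelope senders passed as -f<address> (a spam script often forges these,
# so a sender nobody on the box uses is a strong hint).
sendmail_envelope_senders() {
    awk '$3 ~ /\/sendmail$/ { for (i = 4; i <= NF; i++) if ($i ~ /^-f./) n[substr($i, 3)]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Per sender in exim -bp output: "<sender> <messages> <frozen>". Only lines
# whose third field looks like an Exim message id are message headers;
# recipient lines are skipped.
queue_per_sender() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && /<[^>]*>/ {
             s = $0; sub(/.*</, "", s); sub(/>.*/, "", s)
             total[s]++
             if ($0 ~ /\*\*\* frozen \*\*\*/) frozen[s]++
         }
         END { for (s in total) print s, total[s], frozen[s] + 0 }' | sort
}

echo "sendmail processes per user:"
printf '%s\n' "$SAMPLE_PS" | sendmail_per_user
echo "envelope senders (-f):"
printf '%s\n' "$SAMPLE_PS" | sendmail_envelope_senders
echo "queue: sender messages frozen:"
printf '%s\n' "$SAMPLE_QUEUE" | queue_per_sender
```

Many frozen messages from one sender under one account is the bounce pattern the post describes; `exim -Mvh <message-id>` on one of those ids then prints its headers, which is where an X-PHP-Originating-Script header (if PHP's mail.add_x_header is on) names the calling script.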
 
Technicians found that there had been a DDOS attack on the server, but after that, server load is still spiking up from time to time.

Would Imunify360 or similar software make sense to find the suspicious process/malware more easily? Any recommendations for security software?

Greets
 
Technicians found that there had been a DDOS attack on the server, but after that, server load is still spiking up from time to time.
DDOS attacks do -not- cause sendmail to send out lots of mail, which seems to be happening if I look at your first logfile screenshot.

Imunify360 might be good, I don't use it myself so I don't know.
I do use Maldetect which scans regularly for malicious files.
 
imunify360
I have used the free ImunifyAV; it worked well for me. It uses fewer resources than ClamAV.

Code:
wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh -O imav-deploy.sh
bash imav-deploy.sh

You also might install and run rkhunter

Code:
yum install rkhunter
then
Code:
rkhunter --update

then
Code:
rkhunter -c
 