smtp COMMAND eating CPU resources and stealing port 25

xufeng (New member, joined Sep 5, 2007, 4 messages)
One of my company's DirectAdmin servers recently got spam mail attacks. After we investigated the case we found there was some service called "SMTP" occupying most of the CPU resources and hijacking port 25 for smtp from exim.

When I use "killall smtp" everything recovers. However, this case comes back again after some time and I have to killall again to avoid the server becoming unresponsive due to CPU overload.

I used the following command:

[root@s88 updatescript]# top

top - 10:02:08 up 1:11, 0 users, load average: 6.40, 4.56, 2.37
Tasks: 204 total, 5 running, 199 sleeping, 0 stopped, 0 zombie
Cpu(s): 5.9% us, 61.4% sy, 0.0% ni, 25.1% id, 2.6% wa, 5.0% hi, 0.0% si

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20767 apache 15 0 33224 21m 10m S 5.4 4.3 0:00.24 httpd
18285 root 18 0 201m 952 456 S 4.8 0.2 0:12.41 smtp
18270 root 19 0 201m 952 456 S 3.5 0.2 0:13.89 smtp
18272 root 18 0 201m 952 456 S 3.5 0.2 0:09.49 smtp
18269 root 19 0 201m 948 456 S 3.2 0.2 0:12.47 smtp
18278 root 19 0 201m 952 456 S 3.2 0.2 0:03.87 smtp
18252 root 20 0 201m 952 456 S 2.9 0.2 0:06.19 smtp
18267 root 19 0 201m 948 456 S 2.9 0.2 0:07.61 smtp
18283 root 18 0 201m 948 456 S 2.9 0.2 0:04.31 smtp
18264 root 19 0 201m 948 456 S 2.5 0.2 0:09.03 smtp
18256 root 19 0 201m 948 456 S 2.2 0.2 0:07.14 smtp
18250 root 19 0 201m 952 456 S 1.9 0.2 0:04.10 smtp
18268 root 18 0 201m 952 456 S 1.6 0.2 0:02.68 smtp
18288 root 18 0 201m 948 456 S 1.6 0.2 0:05.30 smtp
18246 root 19 0 201m 952 456 S 1.3 0.2 0:05.39 smtp
18255 root 19 0 201m 952 456 S 1.3 0.2 0:03.81 smtp
18280 root 18 0 201m 952 456 S 1.0 0.2 0:01.89 smtp

After I had done killall, I got the following result from "top":

[root@s88 updatescript]# killall smtp
[root@s88 updatescript]# top

top - 10:05:15 up 1:14, 0 users, load average: 1.40, 3.01, 2.16
Tasks: 155 total, 3 running, 152 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.0% us, 2.7% sy, 0.0% ni, 61.8% id, 33.4% wa, 1.0% hi, 0.0% si

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20567 mail 15 0 9496 3096 2460 S 1.0 0.6 0:02.35 exim
132 root 15 0 0 0 0 S 0.3 0.0 0:00.28 pdflush
391 root 15 0 0 0 0 S 0.3 0.0 0:01.75 kjournald
20823 mail 16 0 6884 1576 1312 S 0.3 0.3 0:00.01 exim
20858 astreem 15 0 2348 1104 852 S 0.3 0.2 0:00.20 pop3
21170 max 15 0 2316 1080 848 S 0.3 0.2 0:00.01 pop3
1 root 16 0 1688 492 460 S 0.0 0.1 0:00.89 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.02 ksoftirqd/0
3 root 10 -5 0 0 0 S 0.0 0.0 0:00.04 events/0
4 root 13 -5 0 0 0 S 0.0 0.0 0:00.01 khelper
5 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kthread
7 root 20 -5 0 0 0 S 0.0 0.0 0:00.00 kacpid
83 root 10 -5 0 0 0 S 0.0 0.0 0:00.02 kblockd/0
133 root 15 0 0 0 0 S 0.0 0.0 0:00.18 pdflush
135 root 16 -5 0 0 0 S 0.0 0.0 0:00.00 aio/0
134 root 15 0 0 0 0 S 0.0 0.0 0:01.30 kswapd0
86 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khubd

[root@s88 ~]# ps aux | grep smtp
root 22148 0.0 0.1 2816 832 ? Ss 12:38 0:00 /usr/local/directadmin/da-popb4smtp
root 2899 0.0 0.1 3728 664 pts/1 R+ 14:04 0:00 grep smtp

I do not see anything strange in this search. Does any of you know which service or virus or trojan would call itself "SMTP" and steal port 25? How do I remove it and prevent it?
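Before deciding whether killall is enough, the thing to establish is which file is actually running under the name "smtp", who its parent is, and whether it rather than Exim is the one bound to port 25. A process name in top is whatever the program chose to call itself, so `ps aux | grep smtp` matching only da-popb4smtp (while the CPU hogs are already killed) says nothing about the binary. The script below is an added example written for this thread, not a script from the original post or from DirectAdmin; it assumes a Linux host with /proc mounted and either `ss` or `netstat` installed, and the function names (inspect_pid, pids_named, listeners_on_port, triage) are the example's own.

```sh
#!/bin/sh
# Added triage helper (not from the thread): for every process whose kernel
# command name matches a given name, show where its binary really lives, its
# working directory, full command line, parent and uid, then list which
# process owns the listening socket on a given TCP port.

# Print what /proc knows about one PID. The exe link is the file that is
# actually executing; "(deleted)" at the end of it means the file on disk
# was removed or replaced after start, a strong hint that the name is a lie.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: no longer running"; return 1; }
    echo "pid:     $pid"
    echo "comm:    $(cat /proc/$pid/comm 2>/dev/null)"
    echo "exe:     $(readlink /proc/$pid/exe 2>/dev/null || echo '?(unreadable, run as root)')"
    echo "cwd:     $(readlink /proc/$pid/cwd 2>/dev/null || echo '?')"
    echo "cmdline: $(tr '\0' ' ' < /proc/$pid/cmdline 2>/dev/null)"
    echo "ppid:    $(awk '/^PPid:/ {print $2}' /proc/$pid/status 2>/dev/null)"
    echo "uid:     $(awk '/^Uid:/  {print $2}' /proc/$pid/status 2>/dev/null)"
    echo
    return 0
}

# PIDs whose kernel command name is exactly $1 (e.g. "smtp"). This reads
# /proc/<pid>/comm, which is the string top shows in its COMMAND column.
pids_named() {
    name=$1
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        [ "$(cat "$d/comm" 2>/dev/null)" = "$name" ] && echo "$p"
    done
    return 0
}

# Which process holds a listening TCP socket on port $1. Prefers ss and
# falls back to netstat; both only show other users' PIDs when run as root.
listeners_on_port() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp 2>/dev/null | awk -v p=":$port" '$4 ~ p"$"'
    else
        netstat -ltnp 2>/dev/null | awk -v p=":$port" '$4 ~ p"$"'
    fi
}

# Full run: inspect every process named $1 and show who owns tcp/$2.
triage() {
    name=$1
    port=$2
    echo "== processes named '$name' =="
    for p in $(pids_named "$name"); do
        inspect_pid "$p"
    done
    echo "== listeners on tcp/$port =="
    listeners_on_port "$port"
}

# Stand-alone use:  TRIAGE=1 sh smtp_triage.sh   (NAME and PORT override the defaults)
if [ -n "${TRIAGE:-}" ]; then
    triage "${NAME:-smtp}" "${PORT:-25}"
fi
```

Run it while the rogue processes are still alive, not after killall. Compare the exe path of each "smtp" process with the path Exim is actually installed at on the box: a root-owned process called smtp whose exe is somewhere else (a temp or web-writable directory, or a "(deleted)" file) is what to copy off for analysis before it is killed. The ppid line matters because the poster reports the processes coming back; whatever is listed as the parent, or the cron entry or startup script that launches it, is what has to be cleaned up, otherwise killall only buys time until the next restart.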
You will have to figure out what the file smtp is and what it is doing if it is in fact not a real smtp server. You should hire a professional to look at your server.