[lug] sendmail rejecting connections

Warren Sanders sanders at montanalinux.org
Fri Aug 9 11:20:56 MDT 2002


Nothing definite.  In some ways I was over-reacting to a recent exploit 
in gallery (http://gallery.sourceforge.net).  There was a problem with 
its 'gallery remote' scripts allowing a hacker to root you.  The fix 
came on Friday evening and I didn't get it in place until Monday.  My 
machine went down Sunday.  
 
I got the chkrootkit (http://www.chkrootkit.org) prog to aid in the 
search for ET's.  What I found was more to add to my psychosis; Checking 
`bindshell'... INFECTED (PORTS:  465).  Well I later found it was 
probably because I have smtps bound to that port.  
 
So I'm suspecting that one of my binary files for gallery (netPBM or 
jhead) MAY have gotten in a jam Saturday night as I was uploading new 
photos; causing the load to get high enough to start shutting the 
services down.  At least sendmail has this feature to go down.  Apache 
error logs continue to show signs of having trouble killing a child 
process just about every morning:
 
[Thu Aug  8 04:02:07 2002] [warn] child process 18927 did not exit, sending another SIGHUP
[Thu Aug  8 04:02:08 2002] [warn] child process 18928 did not exit, sending another SIGHUP
[Thu Aug  8 04:02:08 2002] [warn] child process 18929 did not exit, sending another SIGHUP
[Thu Aug  8 04:02:08 2002] [warn] child process 18930 did not exit, sending another SIGHUP
[Thu Aug  8 04:02:08 2002] [warn] child process 18931 did not exit, sending another SIGHUP
[Thu Aug  8 04:02:08 2002] [warn] child process 19180 did not exit, sending another SIGHUP
[Thu Aug  8 04:02:10 2002] [warn] child process 18927 still did not exit, sending a SIGTERM
[Thu Aug  8 04:02:10 2002] [warn] child process 18928 still did not exit, sending a SIGTERM
[Thu Aug  8 04:02:10 2002] [warn] child process 18929 still did not exit, sending a SIGTERM
[Thu Aug  8 04:02:10 2002] [warn] child process 18930 still did not exit, sending a SIGTERM
[Thu Aug  8 04:02:10 2002] [warn] child process 18931 still did not exit, sending a SIGTERM
[Thu Aug  8 04:02:10 2002] [warn] child process 19180 still did not exit, sending a SIGTERM
[Thu Aug  8 04:02:14 2002] [error] child process 18928 still did not exit, sending a SIGKILL
[Thu Aug  8 04:02:14 2002] [error] child process 18929 still did not exit, sending a SIGKILL
[Thu Aug  8 04:02:14 2002] [error] child process 18930 still did not exit, sending a SIGKILL
[Thu Aug  8 04:02:14 2002] [error] child process 18931 still did not exit, sending a SIGKILL
[Thu Aug  8 04:02:14 2002] [notice] SIGHUP received.  Attempting to restart
[Thu Aug  8 04:02:24 2002] [notice] Apache/1.3.22 (Unix)  (Red-Hat/Linux) PHP/4.0.6 configured -- resuming normal operations
 
This was a problem as an old sendmail bug/exploit back a couple years 
ago; now fixed.
 
Now I'm trying to figure what these are in my messages log:
 
kernel: Neighbour table overflow.
kernel: NET: 126 messages suppressed.
 
I have calmed down now and thinking it's a glitch rather than a kiddie.  
Maybe someone can help us out here?

Paul Bille wrote:

>Warren > . . . sendmail[919]: rejecting connections on daemon MTA: load
>average: 46 . . .
>
>Hello Warren,
>
>Did you ever get an answer to your sendmail overload question?
>
>I had the same experience on my mail server about the same time.  I
>didn't check my mail or administer the server for a few days while on
>the road in late July and again early in August.  On both occasions I
>noticed that I wasn't getting any e-mail.  I checked the server and got
>the same message, 
>"sendmail . . . rejecting . . . load average . . ."
>
>I presumed it was because too much mail backed up in the system.  (I
>know that doesn't make sense but I was rationalizing.) On both occasions
>I had to re-boot the system to clear out the bogus tasks and get
>sendmail to begin accepting.
>
>I'm wondering if someone has devised an attack on sendmail.  Have you
>heard anything more on this topic?
>
>Thanks,
>Paul
>http://bille.cudenver.edu/author

-- 
Warren Sanders
http://MontanaLinux.Org
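
One way to check a chkrootkit `bindshell` hit such as the port 465 one above before treating it as a compromise, by finding which binary actually owns the listening socket. This is an added example, not part of the original post or of chkrootkit; it assumes the Linux /proc layout, the function names are hypothetical, and the sample table is constructed.

```python
import glob
import os

# Constructed sample in /proc/net/tcp format (not taken from the original post).
# Local address is hex IP:port; state 0A means LISTEN; the inode is field 10.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1 0000000000000000 100 0 0 10 0
   2: 0100007F:01D1 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1303 1 0000000000000000 100 0 0 10 0
"""

def listening_ports(proc_net_tcp_text):
    """Return {port: socket inode} for sockets in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue  # malformed row, or a socket that is not listening
        port = int(fields[1].rsplit(":", 1)[1], 16)
        listeners[port] = int(fields[9])
    return listeners

def socket_owners(inode):
    """Return [(pid, exe path)] for processes holding the socket (run as root to see all)."""
    owners = []
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pid = int(fd.split("/")[2])
                owners.append((pid, os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue  # process exited, or permission denied
    return owners

def triage(flagged_ports, proc_net_tcp_text):
    """Map each flagged port to its listener inode, or None if nothing listens there."""
    listeners = listening_ports(proc_net_tcp_text)
    return {port: listeners.get(port) for port in flagged_ports}

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:  # IPv4 only; repeat with /proc/net/tcp6
        live = f.read()
    for port, inode in triage([465], live).items():
        print(port, inode, socket_owners(inode) if inode else "not listening")
```

If the owner of port 465 is the expected sendmail binary, the flag is consistent with smtps; compare that binary against the package manager's checksums rather than trusting the path alone.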
