Major Exim
May 14, 2007
I have been having a very hard time tracking down the source/cause of this surge in email. My server has been sending out thousands of spam emails under the nobody account. So far I have done the following:
Created a spam_log to monitor php/cgi mail scripts
Secured firewall and set up monitoring & automatic ip ban of dictionary attacks in exim
Secured the /tmp folder
Updated server to latest STABLE version of cpanel
Scanned server with rootcheck kit
Here is a sample email that is getting bounced back. I have nearly 60,000 bounced emails in the queue with similar messages.
Quote:
Headers spool file 1Hndfh-0001A4-0G-H
mailnull 47 12
<>
1179161117 0
-ident mailnull
-received_protocol local
-body_linecount 72
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
nobody@whm.mav-hosting.com
156P Received: from mailnull by whm.mav-hosting.com with local (Exim 4.63)
id 1Hndfh-0001A4-0G
for nobody@whm.mav-hosting.com; Mon, 14 May 2007 11:45:17 -0500
039 X-Failed-Recipients: beyp@ttnet.net.tr
029 Auto-Submitted: auto-replied
063F From: Mail Delivery System <Mailer-Daemon@whm.mav-hosting.com>
031T To: nobody@whm.mav-hosting.com
059 Subject: Mail delivery failed: returning message to sender
052I Message-Id: <E1Hndfh-0001A4-0G@whm.mav-hosting.com>
038 Date: Mon, 14 May 2007 11:45:17 -0500
Data spool file 1Hndfh-0001A4-0G-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
beyp@ttnet.net.tr
SMTP error from remote mail server after RCPT TO:<beyp@ttnet.net.tr>:
host ttfarm.ttnet.net.tr [212.175.13.134]: 550 Invalid recipient:
<beyp@ttnet.net.tr>
------ This is a copy of the message, including all the headers. ------
Return-path: <nobody@whm.mav-hosting.com>
Received: from nobody by whm.mav-hosting.com with local (Exim 4.63)
(envelope-from <nobody@whm.mav-hosting.com>)
id 1HnaLG-0007Jz-CX
for beyp@ttnet.net.tr; Mon, 14 May 2007 08:11:58 -0500
To: beyp@ttnet.net.tr
Subject: Interaktif Bankacilik Hesabiniz
From: Ak Bank <acc@akbank.com.tr>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1HnaLG-0007Jz-CX@whm.mav-hosting.com>
Sender: Nobody <nobody@whm.mav-hosting.com>
Date: Mon, 14 May 2007 08:11:58 -0500
**CONTENT OF SPAM MESSAGE REMOVED**
I removed the content of spam so it's not posted on the forum
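Added example (not part of the original post): a Python sketch that parses Exim spool header (-H) files like the one quoted above and tallies queued messages by how they entered the queue, so bounces addressed to `nobody` and local submissions by the web server account stand out. The hostnames, message IDs, uid 99 and the `-host_address` value are constructed sample data; the parser is simplified and does not handle ACL-variable blocks.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class SpoolHeader:
    msg_id: str
    login: str        # local account that handed the message to Exim
    uid: int
    gid: int
    sender: str       # envelope sender; "" is the null sender "<>" of a bounce
    options: dict     # the "-name value" lines, e.g. received_protocol
    recipients: list
    headers: dict     # lower-cased header name -> first value seen


def parse_spool_header(data):
    """Parse the text of one -H file (simplified: no ACL variable blocks)."""
    lines = data.split("\n")
    msg_id = lines[0][:-2] if lines[0].endswith("-H") else lines[0]
    login, uid, gid = lines[1].rsplit(" ", 2)
    sender = lines[2].strip().lstrip("<").rstrip(">")
    i, options = 4, {}                      # lines[3] is "<epoch> <warnings>"
    while lines[i].startswith("-"):
        name, _, value = lines[i][1:].partition(" ")
        options[name] = value
        i += 1
    while not lines[i].isdigit():           # non-recipient tree, "XX" if empty
        i += 1
    count = int(lines[i])
    recipients = [r.split(" ")[0] for r in lines[i + 1:i + 1 + count]]
    i += 1 + count
    if i < len(lines) and lines[i] == "":   # blank line before the headers
        i += 1
    rest, pos, headers = "\n".join(lines[i:]), 0, {}
    # Each header is "NNNF text": 3-digit length (incl. newline), flag, space.
    while rest[pos:pos + 3].isdigit():
        length = int(rest[pos:pos + 3])
        name, _, value = rest[pos + 5:pos + 5 + length].partition(":")
        headers.setdefault(name.strip().lower(), " ".join(value.split()))
        pos += 5 + length
    return SpoolHeader(msg_id, login, int(uid), int(gid), sender,
                       options, recipients, headers)


def origin(h):
    """Describe how a queued message entered the queue."""
    if h.sender == "":
        # A bounce goes back to the envelope sender of the failed message,
        # so its recipient names the account the original mail was sent as.
        return "bounce addressed to " + ",".join(h.recipients)
    if h.options.get("received_protocol") == "local":
        return f"local submission by {h.login} (uid {h.uid})"
    return "remote via " + h.options.get("host_address", "unknown")


def tally(spool_texts):
    return Counter(origin(parse_spool_header(t)) for t in spool_texts)


# --- constructed sample data, shaped like the spool file in the post ---
def _hdr(flag, text):
    return f"{len(text) + 1:03d}{flag} {text}\n"


def _spool(msg_id, ident, sender, options, rcpts, hdrs):
    head = [f"{msg_id}-H", ident, f"<{sender}>", "1179161117 0"]
    head += [f"-{o}" for o in options] + ["XX", str(len(rcpts))] + rcpts + [""]
    return "\n".join(head) + "\n" + "".join(_hdr(f, t) for f, t in hdrs)


HOST = "host.example.test"
SAMPLES = [
    _spool("1AAAAA-000001-AA", "mailnull 47 12", "",
           ["ident mailnull", "received_protocol local", "localerror"],
           [f"nobody@{HOST}"],
           [("P", f"Received: from mailnull by {HOST} with local\n\tid 1AAAAA-000001-AA"),
            (" ", "X-Failed-Recipients: user@example.net"),
            ("T", f"To: nobody@{HOST}")]),
    _spool("1BBBBB-000002-BB", "nobody 99 99", f"nobody@{HOST}",
           ["ident nobody", "received_protocol local"], ["a@example.net"],
           [("P", f"Received: from nobody by {HOST} with local"),
            ("T", "To: a@example.net")]),
    _spool("1CCCCC-000003-CC", "nobody 99 99", f"nobody@{HOST}",
           ["ident nobody", "received_protocol local"], ["b@example.net"],
           [("T", "To: b@example.net")]),
    _spool("1DDDDD-000004-DD", "mailnull 47 12", "alice@example.org",
           ["host_address 192.0.2.10.41234", "received_protocol esmtp"],
           [f"bob@{HOST}"], [("T", f"To: bob@{HOST}")]),
]

if __name__ == "__main__":
    for source, n in tally(SAMPLES).most_common():
        print(n, source)
```

On a live server the same functions can be fed the text of each `*-H` file from the Exim spool `input` directory instead of `SAMPLES`.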
Jan 7, 2008
Paypal started sending me notices that it was unable to connect to my IPN (I'm using modernbill v4) yet I used it without a problem for 3 years.
They sent this message in response to my support inquiry:
I have had the IPN logs checked and show that, on recent transactions, your Web server returned an HTTP 200 OK on some of the transactions. Transactions were pulled from:
Date: Fri, 04 Jan 2008 15:00:09 GMT and Date: Thu, 03 Jan 2008 22:20:48 GMT
The reason that you are receiving the E-mail in question is due to your server not responding with an HTTP 200 OK response. When this happens, the PayPal system attempts to resend the IPN POST for up to four days at which time the E-mail in question is generated to inform the merchant of issues with the IPN script.
This issue is not a PayPal issue, but is rather caused by your server's response to IPN POSTs sent to the IPN Script.
Can someone please help me trace this problem?
This is what my server is using:
Modernbill v4.4 stable
Centos 4.6
CSF Firewall
Cpanel 11
Apache 2.2 / PHP 5.2.5
Aug 5, 2008
Can anyone recommend a well-established VPS provider with facilities at a major EU connection point, preferably The Netherlands? I need a small account for secondary DNS and MX, plus some caching experimentation. Might turn into an unmetered dedicated mega-server at the same location if things go as planned, so if you only have experience with dedi or colo at a certain host, feel free to chime in.
I'm already a colo-host and a cPanel distributor myself, so I don't need management or a control panel, just a minimal-install CentOS 5 VPS. (I'll be installing cPanel DNSonly) Here's the kicker though, like most USians, I only speak English (and some would say badly), so the host has to speak at least enough to get the account set up. (preferably has a site in English). The real deal-breaker is that they MUST have their own merchant account and accept credit cards for recurring billing. I will not use Paypal, Moneybookers, or any other 3rd-party processor that requires a registration or manual payments. That almost always indicates an amateur operation in someone's basement. Looking for something along the lines of ThePlanet, but in Amsterdam. (AmsterNet? PlanetDam? )
Oct 14, 2007
I'm having a serious problem with Apache 2.0.54. I'm running Debian Sarge (3.1) and I cannot upgrade Apache (easily) so I am stuck using 2.0.54 (2.2+ are not supported on Sarge). I have been trying everything with config changes and different tweaks but Apache is giving me lots of trouble. Whenever I run "apache2ctl restart" Apache will crash and will not start. But when I run "apache2ctl start" Apache will run and in the log, it simply puts "[warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?". I get nothing else before or after I run those commands. Running "apache2ctl graceful" starts messing with it giving me "apache2 <defunct>" errors and "apache2ctl configtest" gives me nothing except "Syntax OK."
Here is my "apache2.conf" file:
Code:
# Based upon the NCSA server configuration files originally by Rob McCool.
# Changed extensively for the Debian package by Daniel Stone <daniel@sfarc.net>
# and also by Thom May <thom@debian.org>.
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
ServerRoot "/etc/apache2"
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
LockFile /var/lock/apache2/accept.lock
# PidFile: The file in which the server should record its process
# identification number when it starts.
PidFile /var/run/apache2.pid
# Timeout: The number of seconds before receives and sends time out.
Timeout 300
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
KeepAliveTimeout 15
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers ......... number of server processes to start
# MinSpareServers ...... minimum number of server processes which are kept spare
# MaxSpareServers ...... maximum number of server processes which are kept spare
# MaxClients ........... maximum number of server processes allowed to start
# MaxRequestsPerChild .. maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# pthread MPM
# StartServers ......... initial number of server processes to start
# MaxClients ........... maximum number of server processes allowed to start
# MinSpareThreads ...... minimum number of worker threads which are kept spare
# MaxSpareThreads ...... maximum number of worker threads which are kept spare
# ThreadsPerChild ...... constant number of worker threads in each server process
# MaxRequestsPerChild .. maximum number of requests a server process serves
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
# perchild MPM
# NumServers ........... constant number of server processes
# StartThreads ......... initial number of worker threads in each server process
# MinSpareThreads ...... minimum number of worker threads which are kept spare
# MaxSpareThreads ...... maximum number of worker threads which are kept spare
# MaxThreadsPerChild ... maximum number of worker threads in each server process
# MaxRequestsPerChild .. maximum number of connections per server process (then it dies)
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
AcceptMutex fcntl
</IfModule>
User www-data
Group www-data
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Global error log.
ErrorLog /var/log/apache2/error.log
# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
# Include all the user configurations:
Include /etc/apache2/httpd.conf
# Include ports listing
Include /etc/apache2/ports.conf
# Include generic snippets of statements
Include /etc/apache2/conf.d/[^.#]*
#Let's have some Icons, shall we?
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# Set up the default error docs.
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# Putting this all together, we can Internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line;
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/local/apache2/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
Alias /error/ "/usr/share/apache2/error/"
<Directory "/usr/share/apache2/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
# UserDir is now a module
#UserDir public_html
#UserDir disabled root
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options Indexes SymLinksIfOwnerMatch IncludesNoExec
#</Directory>
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
UseCanonicalName On
TypesConfig /etc/mime.types
DefaultType text/plain
HostnameLookups Off
IndexOptions FancyIndexing VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
# This really should be .jpg.
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
# This is from Matty J's patch. Anyone want to make the icons?
#AddIcon /icons/dirsymlink.jpg ^^SYMDIR^^
#AddIcon /icons/symlink.jpg ^^SYMLINK^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* RCS CVS *,t
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .et
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddLanguage pl .po
AddLanguage ko .ko
AddLanguage pt .pt
AddLanguage no .no
AddLanguage pt-br .pt-br
AddLanguage ltz .ltz
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage tw .tw
AddLanguage zh-tw .tw
LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw
#AddDefaultCharset ISO-8859-1
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
#AddType application/x-httpd-php .php
#AddType application/x-httpd-php-source .phps
AddType application/x-tar .tgz
# To use CGI scripts outside /cgi-bin/:
#
#AddHandler cgi-script .cgi
# To use server-parsed HTML files
#
<FilesMatch "\.shtml(\..+)?$">
SetOutputFilter INCLUDES
</FilesMatch>
# If you wish to use server-parsed imagemap files, use
#
#AddHandler imap-file map
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4.0" force-response-1.0
BrowserMatch "Java/1.0" force-response-1.0
BrowserMatch "JDK/1.0" force-response-1.0
#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your_domain.com" to match your domain to enable.
#
#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>
# Enables SSI
Options +Includes
LoadModule layout_module /usr/lib/apache2/modules/liblayout.so
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L,E=nolog:1]
</IfModule>
# Include the virtual host configurations:
Include /etc/apache2/sites-available/[^.#]*
And here's my "httpd.conf" file:
Code:
# This is here for backwards compatability reasons and to support
# installing 3rd party modules directly via apxs2, rather than
# through the /etc/apache2/mods-{available,enabled} mechanism.
#
#LoadModule mod_placeholder /usr/lib/apache2/modules/mod_placeholder.so
<VirtualHost 66.150.225.201:80>
#
#User vu2004
#Group vu2004
#
#
#SuexecUserGroup vu2004 vu2004
#
ServerAdmin todd@datacomponents.net
DocumentRoot /var/www
ServerName xetaspace.net
ServerAlias www.xetaspace.net xetaspace.net
ErrorLog /var/log/apache2/users/xetaspace.net-error.log
TransferLog /var/log/apache2/users/xetaspace.net-access.log
# httpd dmn entry cgi support BEGIN.
# httpd dmn entry cgi support END.
# httpd dmn entry PHP2 support BEGIN.
php_admin_value open_basedir "/var/www/:/usr/share/php/:/tmp/"
# httpd dmn entry PHP2 support END.
<Directory /var/www>
# httpd dmn entry PHP support BEGIN.
# httpd dmn entry PHP support END.
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
I am on the end of my rope with Apache and feel like just formatting the server and reinstalling Apache. Which reminds me, I did try using apt-get to remove and install Apache again but nothing worked.
Mar 30, 2008
Here I am thinking about sites that are in top 10K according to Alexa. If yes please list few of them here...
Mar 8, 2009
Anyone else notice the huge outage at Surpass? My sites went down as I was editing one, and checking the server status returns a very, very long list of downed servers. Since the Surmunity Forums appear to be down as well, I was wondering if anyone here had found out what was up via other means, and whether or not there is any estimate on when it might come back up.
Oct 16, 2009
I'm starting to test out VPS panels and found vePortal 2. I purchased it and installed it. Now I'm checking some security, as we all know about the terrible result of HyperVM as everyone blindly used it because it was "pretty" but it was not secure.
Some serious concerns I'd like to share with vePortal 2.
1) It makes no backups of any of the files it modifies during install, or so I haven't seen any, like httpd.conf.... more of a pain than anything. There is no way to auto uninstall it either..
2) vePortal gives full root access to the Apache user, letting apache run any root commands!
They add this to your /etc/sudoers
apache ALL=(root) NOPASSWD:ALL
[root@nd11108 myadmin]# su -s /bin/sh apache -c "whoami"
apache
[root@nd11108 myadmin]# su -s /bin/sh apache -c "sudo whoami"
root
This is a root exploit waiting to happen. I asked them about this and got the response.
Quote:
It would be a security breach if a) apache was allowed SSHD Access, or b) the server was running scripts that haven't been marked secure. We have a very comprehensive team of beta testers including one of the largest providers around. They and their staff have not been able to break the security or integrity of the panel as of yet.
All panels in one way or another have root control over the system, for example they wouldn't be able to have a SSH Console without it, as only specified commands would work. We do have a list of the commands required by vePortal if you wish to limit it, but the console and the Shell Commander functions would stop working.
Regards,
Gavin H.
Chief Information Officer
That's funny I have been using the panel a few minutes and already found they've ignored the biggest security hole possible..
3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area... Like search customers, I was able to generate JavaScript alerts in multiple fields....
4) It stores the MySQL root password in clear text in a .php file... yeah that's real secure. Why does it even operate under the MySQL root user, it's using a single database....
5) I forgot to add, it doesn't recognize ANY OpenVZ Vps's you've created manually. It has no idea they exist and you cannot view them at all.
I'm sure I could dig deeper into the source code and find more but it's not worth it. Judging by what I found without actually trying to spend time on security I completely removed the product.
The panel does look nice but it sure gets a mark of insecure for me, I would advise others seriously look into the security of this new panel if you're considering using it.
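Added example (not part of the original post and not vePortal code): a Python check that scans sudoers text for daemon accounts holding unrestricted `ALL` command grants, such as the `apache ALL=(root) NOPASSWD:ALL` line quoted above. The account list, the restricted `www-data` entry and its command paths are hypothetical, and the parser is simplified (no alias expansion, `#include` handling or escaped commas).

```python
import re

# Accounts that run network-facing daemons (assumed list; extend per host).
SERVICE_ACCOUNTS = {"apache", "www-data", "httpd", "nginx", "nobody"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# user  hosts = (runas) rest-of-line
SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(?:\(([^)]*)\)\s*)?(.+)$")
# one or more leading tags such as "NOPASSWD:" or "NOEXEC:"
TAGS = re.compile(r"^(?:[A-Z_]+\s*:\s*)+")


def audit_sudoers(text, accounts=SERVICE_ACCOUNTS):
    """Return (user, runas, level, commands) for each service-account rule.

    level is "critical" for ALL commands without a password, "high" for
    ALL commands with a password, "restricted" for an explicit list.
    """
    findings = []
    text = text.replace("\\\n", " ")          # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m or m.group(1) not in accounts:
            continue
        who, runas, rest = m.group(1), m.group(2) or "root", m.group(3)
        nopasswd, commands, level = False, [], "restricted"
        for part in rest.split(","):
            part = part.strip()
            t = TAGS.match(part)
            if t:
                # Tags stay in force for the following commands too.
                for tag in re.findall(r"[A-Z_]+", t.group(0)):
                    if tag == "NOPASSWD":
                        nopasswd = True
                    elif tag == "PASSWD":
                        nopasswd = False
                part = part[t.end():].strip()
            commands.append(part)
            if part == "ALL":
                if nopasswd:
                    level = "critical"
                elif level != "critical":
                    level = "high"
        findings.append((who, runas, level, commands))
    return findings


# Constructed sample: the line from the post next to a hypothetical
# restricted rule that names individual commands instead of ALL.
SAMPLE_SUDOERS = r"""
Defaults    requiretty
root        ALL=(ALL) ALL
# added by the panel installer, as quoted in the post
apache ALL=(root) NOPASSWD:ALL
# hypothetical restricted alternative for another web account
www-data ALL=(root) NOPASSWD: /usr/sbin/vzctl status *, \
    /usr/sbin/vzlist -a
"""

if __name__ == "__main__":
    for who, runas, level, commands in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{level:10} {who} as {runas}: {', '.join(commands)}")
```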
Oct 2, 2007
I have an issue here. httpd is slagging big time and my max clients is 300.
I see this when running netstat
Code:
root@server5 [~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 websitesforafrica.com:http 190.42.243.192:1916 SYN_RECV
tcp 0 0 websitesforafrica.com:http 200.121.167.193:11641 SYN_RECV
tcp 0 0 websitesforafrica.com:http client-201.230.113.17:14327 SYN_RECV
tcp 0 0 websitesforafrica.com:http 190.42.84.253:3244 SYN_RECV
tcp 0 0 websitesforafrica.com:http 201.230.98.64:15059 SYN_RECV
tcp 0 0 websitesforafrica.com:http 166.114.122.41:62881 SYN_RECV
tcp 0 0 websitesforafrica.com:http 190.42.151.252:17097 SYN_RECV
tcp 0 0 websitesforafrica.com:http 190.41.24.108:3421 SYN_RECV
tcp 0 0 websitesforafrica.com:http 190.43.1.42:1392 SYN_RECV
tcp 0 0 websitesforafrica.com:http 201.230.79.5:60836 SYN_RECV
tcp 0 0 websitesforafrica.com:http client-200.121.153.56:27208 SYN_RECV
Code:
root@server5 [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
48 190.42.66.138
39 190.154.6.203
28 190.40.51.130
23 200.121.81.76
14 207.67.35.142
13 201.230.224.200
13
11 201.240.178.114
11 190.77.9.81
10 201.230.113.175
10 200.58.160.148
10 190.41.5.161
9 201.230.254.69
9 201.230.135.146
9 190.43.187.139
8 200.60.248.119
7 72.14.195.205
7 190.42.48.224
6 200.121.7.31
6 200.121.223.55
6 200.121.141.48
6 200.121.141.186
6 200.106.37.206
6 190.42.51.165
6 190.41.64.13
5 201.250.55.166
5 201.240.42.233
5 201.240.3.61
5 201.240.113.73
5 201.240.0.94
5 201.208.123.190
5 200.87.203.94
5 200.121.171.61
5 200.121.136.238
5 200.106.47.236
5 190.42.71.207
5 190.42.221.73
5 190.42.194.20
5 190.42.152.250
5 190.41.32.40
4 201.240.48.131
4 201.240.205.141
4 201.240.196.217
4 201.240.124.201
4 201.240.124.131
4 201.230.233.68
4 201.230.195.165
4 201.230.129.58
4 201.222.87.163
How do I find out the cause of this? I have no idea who websitesforafrica.com is anyway
root@server5 [~]# ps aux | grep -c httpd
502
Jun 20, 2008
I was a webhost from a while ago leasing dedicated servers and eventually went to work for the datacenter where I had my colo. For a while now I've been working with a neat group of 5-6 other folks programming a new uptime monitor/geo-dispersed server load testing system/software. We were looking for possible partners to keep hosting costs down during the alpha stage of the project but while we were drawing up the papers, we saw just too much opportunity for a conflict of interest to arise and realized we couldn't realistically associate ourselves with any single company to that degree. So after a little work and fundraising, we're finally in a position to either lease some servers or colo.
Since I've been out of the loop for a while, I just want to know who the major/reliable players are when it comes to leasing or colo machines in multiple areas (ideally East, Middle, West, Canada and Europe/Asia)? We would prefer to be with one company for ease of billing and have our network of monitoring stations spread out geographically. But we don't want all of our eggs in one basket so if a provider goes belly-up or decides to hike our rates 30-40% with little notice, we won't have too much to worry about.
We're watching what we spend during the alpha stage very closely, but I've been insisting we can strike the right balance between cost and reliability (connectivity).
Sep 18, 2008
I host a handful of domains, using a whm/cpanel setup. It came time for me to move to a new server, and here's the process I took:
1. I created accounts for all domains on the new server.
2. Created all relevant mail accounts for each domain on the new server
3. Restored all of the files for each sub account on the new server
4. Updated the DNS for each sub account to point to the new server
I didn't, however, move my main domain to the new server yet. On top of that, I use Google to manage the mail for my main domain.
Now when I try to send email to one of the accounts for any sub domains (that is on the new server), the email bounces back as undeliverable.
Jun 8, 2008
I have a fairly large web site that has a forum and a torrent tracker.
Currently MySQL server is handling about 150 queries on average per second.
Here is the server spec:
Core2Duo 2.66Ghz
4Gb RAM
320GB SATA 7200RPM (Server provider does not have 1.5K RPM nor 1.0k RPM)
100Mbit Connection (servers on the same switch and the switch does not have 1Gbit port)
MySQL Version: 5.0.51a
I had Master-Master Replication setup with forum running on one and the tracker running on the other.
Although this has been working for about a few days, we started seeing lags in the replication process.
After a week, there is a major lag and the changes made on one of the servers take about 5 hours to appear on the other.
So, this doesn't work.
What would be the other ways of splitting MySQL queries concerning the same database?
While I was researching, I read about MySQL Cluster with database storage engine being NDB.
But, let's say that there is a power failure on both the nodes at the same time, then I would lose the whole database as the database is stored on the memory correct?
I would not like to take that chance either, but if this is faster than the replication method then maybe I will consider.
I thought about editing the forum coding to make all queries that concerns the tracker to go in to, say server B (with forum's primary MySQL server being Server A), and make the tracker use server B as MySQL backend, but it seemed like a heavy work so that will be the last choice.
May 16, 2007
I have just discovered a massive security in the CPANEL 10.9 software. This problem is in the BACKUP FEATURE. If you do remote ftp back onto the same account. It will put the file in the account home directory and it will have this type of stuff accountname:ROOTPASSWORD@serverhostname.com
Jun 11, 2007
1U colo, 1 mbps, 1 amp power in major China cities
Must have premium, multi-homed bandwidth, with great connectivity to the US
Must have local cable TV cross-connect via coax, s-video, etc.
Prefer remote reboot
Some or all of the following:
Shanghai, Beijing, Chongqing, Tianjin, Wuhan, Harbin, Shenyang, Guangzhou
OK to have colo and cctv cross-connect in one or more cities - you don't have to do them all.
We do NOT need colo without the cctv availability.
Will need a /30 address space.
1 year minimum contract
Jan 30, 2007
It seems that all of the emails sent from clientexec to the major carriers (gmail, yahoo, msn etc.,) are being either blocked completely or marked as spam (msn).
When I send an email from outlook from the same domain client exec is on the email goes through fine.
I have added an SPF Record and my domain is not "blacklisted" for spam anywhere.
Mar 8, 2008
I recently switched over to SoftLayer for dedicated hosting and the servers are great. However we've been getting hit on and off with massive (50-80%) packet loss, which has been crippling our performance and causing all sorts of problems.
I put in a support ticket and they linked me to the Internet Health Report website and said it was due to one of their bandwidth providers (I think Global Crossing) and not on their internal network and to be patient as it could take time to resolve.
Are any other SoftLayer customers going through this? Is this an unusual occurrence? I feel like if it was really one of their partners that it would be affecting a lot of their customers and it would be a high priority issue right?
I'm kind of stuck on what to do; I just invested a lot of energy into moving content onto these new servers and am concerned about whether to wait it out or whether to start finding a new company. This kind of packet loss is really unacceptable...
Mar 23, 2008
I am a web designer, and have been doing this for about 5 years now and have never encountered such a problem. I had a problem come up a few days ago where one of my clients got into an argument with the Mavrick Team web hosting and computer services company's owner regarding services. She has reported to me that he went into her email account, and has emailed her clients false information about her services after their heated discussion. She told him that she was going to press charges. He told her that he had harvested all of her clients' email addresses and will email them to her competitors if she does not back down. What can she do? I feel awkward as I am in the middle of it now. I was the one who referred her to Mavrick Team (aka as I host them) for web hosting services, and moved her site to their servers. This man has created such a big problem for this woman now. Her clients are doubting her services and he is blackmailing her. She does not owe him any monies. She has forwarded two of the emails that her clients forwarded to her, so I know she is not making this thing up. I advised her to move all of her emails to a personal email account, contact all of her clients to let them know that someone has access to their info, and I am helping her move her site. Who can she report them to?
May 2, 2007
I am having issues in receiving emails. For some reason, the rbl lists I had set up are causing the server to reject emails (retry - timeout). So, I need to take this rbl list completely. How can I do that? exim.conf is locked and using the advanced editor is no fun even though I tried it putting the dnslists without the rbl causing the problem.
Sep 27, 2009
What seemed to be a good company quickly turned to nightmares. I purchased a couple domains. All went well. Then PayPal emailed me saying they are high risk and wanted me to confirm I made the payment and service was given. So until I did the payment was held. They blamed the hold on me and threatened me to release it or they will cancel my account.
So they finally gave them the money and all was well. Well I did a stupid thing and decided to get a VPS from them, they have good deals so I thought, what's the worst that can happen. Well shortly after, I get an email saying because your payments are unreliable, we are waiting a week to set up your VPS which is complete utter crap.
So I just said screw it and said give me a refund then and about 2 hours ago I try logging into my client center and my account is gone.
I am hoping one of them sees this so we can get this worked out. In the meantime I opened disputes on all of the payments.
I will keep you all updated.
Aug 7, 2008
this is often happening on my new servers, with FreeBSD and exim 4.69
2 exim processes start using a lot of CPU (that's not 100%, but it's like 40% for one process and 35% for the other) for hours...
but, as soon as I restart exim, that stops
so it's not a high mail load on server, nor anything like that
I even checked logs to see if it was on some kind of infinite loop (auto-auto-auto-auto-reply), etc, but can't find anything out of ordinary
anyone experiencing something similar?
Jun 11, 2008
I have a dedicated server with WHM installed on it, but recently I've been having problems with emails, specifically exim.
The main issue appears to be a huge number of exim processes all running at the same time. It pushes the server load higher and higher (and when I say high I mean over 100), and basically locks everything else up until I can get a command through to kill exim.
After a bit more investigation I found that the mail queue in WHM appears to be separate from the one I can find with the exim -bpc command, and gets full of email sent to nonexistent domains or accounts. So my first theory is that at some point exim tries to deliver all of these at once and that causes the massive load spikes. I don't know if that's possible, or probable, but there isn't enough legitimate email coming into the server that there ought to be any issues.
I've read about how to control the mail queue from exim, but that doesn't appear to make a difference to the queue shown in WHM. Currently the server is being held up by a cron running every half hour to restart exim automatically, but at peak times this doesn't appear to be doing enough, and at one point yesterday exim had 400 running processes.
Obviously this is causing a few problems. I don't have the technical knowledge to diagnose or fix the problem past the guesswork I've already done, so I'd appreciate any suggestions.
Jun 19, 2008
I have some clients who own large forums, and during Mass Mail usage the CPU goes up to 100%. Is there any way to re-configure exim so as not to disrupt the CPU that much?
Jan 11, 2008
I got a mail "spamd failed @ Fri Jan 11 04:34:53 2008. A restart was attempted automatically". And I checked the server. Then I found that spamd is not working. It's a cPanel server. I've tried to restart exim but spamd is not starting.
Oct 3, 2007
I'm trying to diagnose some server load spikes, and I've noticed that my exim log files are getting huge (5 gigs, plus 4 gzips at 1.7gigs)...my server status shows the gzips and greps on these log files putting my cpu load at 99.9%...how do i keep these from getting so huge and/or keep them from maxing out my server?
I'm running CentOS and cpanel...
Feb 6, 2007
In WHM > Server Status, it shows exim as:
exim (exim-4.63-1_cpanel_maildir)
I remember it used to show more stuff inside the (). Can you tell me what it shows on your server?
Sep 25, 2007
I recently switched over from Virtuozzo to WHM (on a vps), and was going through some of the different pages there. I noticed one page that displays the exim stats, similar to running it through the command line. Anyway there is one section I'm not entirely sure what it's referring to.
Quote:
Top 50 mail rejection reasons by message count
Messages Mail rejection reason
311 Rejected RCPT: No such person at this address
75 Rejected RCPT: Sender verify failed
25 "The mail server detected your message as spam and has prevented delivery (200)."
I'm not sure if this is referring to inbound addresses being blocked, or forged emails from my server being rejected by outside servers.
Jun 13, 2007
I use exim-4.67 as MTA. I have some trouble with some domains. This is what I receive in my log and debug output when I try to send email. Where is the problem?
--------------------------------------------------------------------------------------------------------------------
2007-06-13 12:12:44 [70566] cwd=/usr/src 5 args: exim -v -d+all -M 1HyO9G-000FL3-CG
2007-06-13 12:12:45 [70567] 1HyO9G-000FL3-CG TLS error on connection to mail.impresstech.net [195.8.222.33] (SSL_connect): error:00000000:lib(0):func(0):reason(0)
2007-06-13 12:12:45 [70567] 1HyO9G-000FL3-CG TLS session failure: delivering unencrypted to mail.impresstech.net [195.8.222.33] (not in hosts_require_tls)
2007-06-13 12:12:45 [70567] 1HyO9G-000FL3-CG send() to mail.impresstech.net [195.8.222.33] failed: Operation not permitted: Operation not permitted
2007-06-13 12:12:45 [70566] 1HyO9G-000FL3-CG == petkov@impresstech.net R=dnslookup T=remote_smtp defer (1): Operation not permitted: send() to mail.impresstech.net [195.8.222.33] failed: Operation not permitted
----------------------------------------------------------------------------------------------------------------
12:12:44 70566 calling dnslookup router
12:12:44 70566 dnslookup router called for petkov@impresstech.net
12:12:44 70566 domain = impresstech.net
;; res_nquerydomain(impresstech.net, <Nil>, 1, 15)
;; res_query(impresstech.net, 1, 15)
;; res_nmkquery(QUERY, impresstech.net, IN, MX)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57989
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; impresstech.net, type = MX, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57989
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; impresstech.net, type = MX, class = IN
impresstech.net. 2h26m22s IN MX 0 mail.impresstech.net.
impresstech.net. 52m22s IN NS ns2.s801.sureserver.com.
impresstech.net. 52m22s IN NS ns1.s801.sureserver.com.
mail.impresstech.net. 2h26m22s IN A 195.8.222.33
12:12:44 70566 DNS lookup of impresstech.net (MX) succeeded
;; res_nquerydomain(mail.impresstech.net, <Nil>, 1, 1)
;; res_query(mail.impresstech.net, 1, 1)
;; res_nmkquery(QUERY, mail.impresstech.net, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57990
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; mail.impresstech.net, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; mail.impresstech.net, type = A, class = IN
mail.impresstech.net. 2h26m22s IN A 195.8.222.33
impresstech.net. 52m22s IN NS ns1.s801.sureserver.com.
impresstech.net. 52m22s IN NS ns2.s801.sureserver.com.
12:12:44 70566 DNS lookup of mail.impresstech.net (A) succeeded
12:12:44 70566 195.8.222.33 in "0.0.0.0 : 127.0.0.0/8"? no (end of list)
12:12:44 70566 Actual local interface address is 212.95.164.58 (rl0)
12:12:44 70566 Actual local interface address is 212.95.164.59 (rl0)
12:12:44 70566 Actual local interface address is 192.168.3.1 (rl1)
12:12:44 70566 Actual local interface address is 127.0.0.1 (lo0)
12:12:44 70566 fully qualified name = impresstech.net
12:12:44 70566 host_find_bydns yield = HOST_FOUND (2); returned hosts:
12:12:44 70566 mail.impresstech.net 195.8.222.33 MX=0
12:12:44 70566 set transport remote_smtp
12:12:44 70566 queued for remote_smtp transport: local_part = petkov
12:12:44 70566 domain = impresstech.net
12:12:44 70566 errors_to=NULL
12:12:44 70566 domain_data=NULL localpart_data=NULL
12:12:44 70566 routed by dnslookup router
12:12:44 70566 envelope to: petkov@impresstech.net
12:12:44 70566 transport: remote_smtp
12:12:44 70566 host mail.impresstech.net [195.8.222.33] MX=0
12:12:44 70566 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
12:12:44 70566 After routing:
12:12:44 70566 Local deliveries:
12:12:44 70566 Remote deliveries:
12:12:44 70566 petkov@impresstech.net
12:12:44 70566 Failed addresses:
12:12:44 70566 Deferred addresses:
12:12:44 70566 search_tidyup called
12:12:44 70566 close MYSQL connection: localhost/mta_db/mtauser
12:12:44 70566 >>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>
12:12:44 70566 --------> petkov@impresstech.net <--------
12:12:44 70566 search_tidyup called
12:12:44 70566 set_process_info: 70566 delivering 1HyO9G-000FL3-CG: waiting for a remote delivery subprocess to finish
Sep 29, 2007
Every time I send an email from my server to any @hotmail account it doesn't arrive @hotmail.
In my exim_mainlog, the log says that the operation is completed.
2007-09-29 07:00:32 1Iba3k-00043A-0z no host name found for IP address IP
2007-09-29 07:00:32 1Iba3k-00043A-0z <= webmaster@domain.name H=([192.168.1.100]) [IP] P=esmtpa A=fixed_plain:brm@dak$
2007-09-29 07:00:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Iba3k-00043A-0z
2007-09-29 07:00:32 1Iba3k-00043A-0z => account@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.245.72]
2007-09-29 07:00:32 1Iba3k-00043A-0z Completed
What makes it weird is that when I send email from hotmail to my server's account, I get the email from hotmail, and when I reply to that email to @hotmail, the email arrives @hotmail.
Jan 23, 2007
I am not actually a hosting provider but a client. I do have some technical knowledge about Exim, Sendmail etc. and my host also co-operates with me so I thought of asking this question myself. My problem is with the RBL checks that my host's server performs even on authenticated SMTP connections. My ISP provides an IP to me which is being shared by many subscribers and gets blocked often. This causes a problem for me to use my mail client to send outgoing e-mail through my host's SMTP.
Suppose my hosted domain is "mydomain.com". Now when I use my e-mail client and send an e-mail using my host's SMTP server (which requires due authentication) and give the return-path (envelope sender) as "someone@mydomain.com", the e-mail passes through nicely. But when I use some other return path like "me@yahoo.com", I get an RBL block message after the RCPT command. This should not happen as I am a paying member and I am correctly authenticating myself using the username & password of my hosted account.
My host uses Exim 4.63 so I just wanted to know whether there is a way to modify Exim ACL so that it doesn't perform RBL checks for authenticating users.
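For the question above about RBL checks on authenticated SMTP sessions: Exim evaluates the statements of its RCPT ACL in order, so an accept for authenticated clients placed before the DNS-list deny keeps authenticated submissions from ever reaching the RBL test. The fragment below is an added illustration, not the host's actual configuration or anything posted in the thread; the ACL name acl_check_rcpt and the list rbl.example.org are assumptions.

```conf
# Added example: RCPT ACL ordering so authenticated senders skip DNSBL checks.
# Assumptions: the main section sets  acl_smtp_rcpt = acl_check_rcpt
# and rbl.example.org is a placeholder for whatever lists the host uses.

begin acl

acl_check_rcpt:

  # Local, non-TCP/IP submissions have an empty sender host: accept them.
  accept  hosts = :

  # Authenticated clients: accept before any DNS-list test is reached.
  # Statements run top to bottom; the first accept or deny whose
  # conditions all match decides the outcome for this recipient.
  accept  authenticated = *
          control       = submission

  # Unauthenticated clients only get this far: reject listed IPs.
  deny    message       = $sender_host_address is listed at $dnslist_domain
          dnslists      = rbl.example.org

  # Equivalent alternative when the deny must stay above the accept:
  # negate the condition so the test is skipped for authenticated users.
  #
  # deny    !authenticated = *
  #         message        = $sender_host_address is listed at $dnslist_domain
  #         dnslists       = rbl.example.org

  # ... the host's remaining recipient and relay checks continue here ...
```

With this ordering the account password is the only gate for relaying from a listed IP, so it belongs together with rate limiting or banning of repeated failed AUTH attempts.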
Aug 1, 2007
To run the exim command line to deliver all emails in the queue,
we need to use a command like the one for a single message:
exim -M xxxxxxx
BUT without the <message id>,
such as
exim -q -M
but that does not work.
Sep 15, 2006
I have a question: how do I make a copy of every email that comes to my inbox go to another email address? I mean, if I get a message on ss@ss.com, a copy of this message automatically goes to aa@aa.com.
View 4 Replies
View Related
Dec 11, 2007
I've been asked to use exim because it's easier to use with SpamAssassin.
But is exim as safe as qmail?
I've heard qmail offers better safety.