to see the basic header details look in /var/log/maillog If you want to see the full contents of any network traffic you can us tcpdump that writes ALL the tcp/ip traffic to a log file. Its worth reading up on the functions of tcpdump before using it (obvious!) but if you don't switch it off it make a very big log file!
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of njd 76 Sent: 28 September 2001 16:04 To: [EMAIL PROTECTED] Subject: RE: SV: [cobalt-security] - too many sendmail processes Something is going on...The list goes on and on I would say there are about 50 sendmail processes. Here is my setup Maximum Message Size (MB) [5] Smart Relay Host Name [BLANK] Relay for the following Hosts/Domains [IPs,Domain names on BOX] Host/Domain Aliases [all www.domain.com on BOX] Reject the following Users/Hosts/Domains [Blank] POP Before SMTP Relaying [ON] Relay Window (minutes) [15] When i run ps aux the processes with send mail all look like this. root 3013 0.0 1.3 2896 1772 ? S 10:22 0:00 sendmail: q2/f8SE Anymore ideas... Malcolm- You said I can look in the outgoing mail to see what it is, where is the directory? >From: "Malcolm Wild" <[EMAIL PROTECTED]> >Reply-To: [EMAIL PROTECTED] >To: <[EMAIL PROTECTED]> >Subject: RE: SV: [cobalt-security] - too many sendmail processes >Date: Tue, 25 Sep 2001 17:10:06 +0100 > >type >ps aux >this will show what started the process e.g. script, program, etc >it'll give you an indication of what is using sendmail >I'd also suggest having a look in the outgoing mail to see what it contains > > >if you don't like it kill it >kill PID# > >that'll give you some pointers for more info on howtos just post back > >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED]]On Behalf Of njd 76 >Sent: 25 September 2001 16:14 >To: [EMAIL PROTECTED] >Subject: Re: SV: [cobalt-security] - too many sendmail processes > > > >I am fairly new to the security world but i installed chkrootkit on one of >my cobalts and have found it to be a great way to keep on top of the log >files. My problem however is after I installed it I noticed when I ran top >the following was in the list: (not sure if chkrootkit has anything to do >with this) > >1911 root 0 0 1660 1660 1388 S 0 0.0 1.2 0:00 sendmail >1912 root 0 0 1768 1768 1336 S 0 0.0 1.3 0:00 sendmail >2000 root 0 0 1660 1660 1384 S 0 0.0 1.2 0:00 sendmail >2001 root 0 0 1820 1820 1344 S 0 0.0 1.4 0:00 sendmail >2108 root 0 0 1660 1660 1388 S 0 0.0 1.2 0:00 sendmail >2111 root 0 0 1768 1768 1336 S 0 0.0 1.3 0:00 sendmail >2174 root 0 0 1660 1660 1388 S 0 0.0 1.2 0:00 sendmail >2175 root 0 0 1776 1776 1340 S 0 0.0 1.3 0:00 sendmail >2224 root 0 0 1660 1660 1384 S 0 0.0 1.2 0:00 sendmail >2225 root 0 0 1820 1820 1344 S 0 0.0 1.4 0:00 sendmail >2246 root 0 0 1660 1660 1388 S 0 0.0 1.2 0:00 sendmail >2248 root 0 0 1776 1776 1340 S 0 0.0 1.3 0:00 sendmail >etc.... > >Any idea on what is causing this or what is going on? Is there a way to >kill >these or is it ok to have them running? I have about 15 sites on this >server. > >Hope you guys can help. > >Cheers, >Nick Damoulakis > > >_______________________________________________ >cobalt-security mailing list >[EMAIL PROTECTED] >http://list.cobalt.com/mailman/listinfo/cobalt-security > > >_________________________________________________________________ >Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp > >_______________________________________________ >cobalt-security mailing list >[EMAIL PROTECTED] >http://list.cobalt.com/mailman/listinfo/cobalt-security > > >_______________________________________________ >cobalt-security mailing list >[EMAIL PROTECTED] >http://list.cobalt.com/mailman/listinfo/cobalt-security _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
