Bem pessoal, estou com um problema aqui, hoje de manha acordei fui ver os tickets que tinha para responder e deparei-me com o site offline junto com todo o servidor cPanel.
 
Fui ver meu email para saber se era alguma manutenção por parte do datacenter e para minha surpresa tinha este email:
 

Hi,

SUSPENDING spamming Server 3707; it has 206 SMTP connections

**********************************************
List of processes running on Server 3707
**********************************************
6340 httpd /usr/local/apache/bin/httpd -k start -DSSL
9114 cpsrvd webmaild - serving 188.114.111.36
19674 cpsrvd webmaild - serving 188.114.111.36
19958 exim /usr/sbin/exim -Mc 1XSPx7-0005W0-Kf
19961 exim /usr/sbin/exim -Mc 1XSPx7-0005W0-Kf
19995 cpsrvd webmaild - serving 188.114.111.36
19999 exim /usr/sbin/exim -Mc 1XSPx8-0005WC-Cv
20009 exim /usr/sbin/exim -Mc 1XSPx8-0005WC-Cv
20014 cpanel /usr/local/cpanel/cpanel -webmail ./webmail/x3/index.html
20018 php
484539 httpd /usr/local/apache/bin/httpd -k start -DSSL
772354 init init
772565 kthreadd/3707
772566 khelper/3707
773039 udevd /sbin/udevd -d
773821 rsyslogd /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
773838 named /usr/sbin/named -u named
773879 snmpd /usr/sbin/snmpd -LS0-6d -Lf /dev/null -p /var/run/snmpd.pid
773892 sshd /usr/sbin/sshd
773903 mysqld_safe /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/cp1.vexgames.net.pid
774064 mysqld /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/lib/mysql/cp1.vexgames.net.err --open-files-limit=6164 --pid-file=/var/lib/mysql/cp1.vexgames.net.pid
774222 saslauthd /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
774226 saslauthd /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
774840 pure-ftpd pure-ftpd (SERVER)
774844 pure-authd /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/local/cpanel/bin/pureauth
774855 crond crond
774873 atd /usr/sbin/atd
775361 mingetty /sbin/mingetty console
775364 mingetty /sbin/mingetty tty2
962722 dovecot /usr/sbin/dovecot
962728 pop3-login dovecot/pop3-login
962729 imap-login dovecot/imap-login
962730 anvil dovecot/anvil
962731 log dovecot/log
962733 pop3-login dovecot/pop3-login
962734 imap-login dovecot/imap-login
962735 config dovecot/config
962736 auth dovecot/auth
965677 clamd /usr/local/cpanel/3rdparty/bin/clamd
966214 exim /usr/sbin/exim -bd -q1h
966672 /usr/local/cpan /usr/local/cpanel/3rdparty/perl/514/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --max-children=3 --max-spare=1
968147 spamd child spamd child
976929 leechprotect /usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/leechprotect
976930 httpd /usr/local/apache/bin/httpd -k start -DSSL
976931 httpd /usr/local/apache/bin/httpd -k start -DSSL
976932 httpd /usr/local/apache/bin/httpd -k start -DSSL
976934 httpd /usr/local/apache/bin/httpd -k start -DSSL
977003 httpd /usr/local/apache/bin/httpd -k start -DSSL
977801 httpd /usr/local/apache/bin/httpd -k start -DSSL
980358 queueprocd - wa queueprocd - wait to process a task
980376 cpsrvd cpsrvd - waiting for connections
980397 dnsadmin - serv dnsadmin - server mode
980484 tailwatchd tailwatchd
980498 cPhulkd - proce cPhulkd - processor
980529 cpdavd - accept cpdavd - accepting connections on 2077 and 2078
980538 cpanellogd - sl cpanellogd - sleeping for logs
980566 stunnel /usr/bin/stunnel /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
980567 stunnel /usr/bin/stunnel /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
980568 stunnel /usr/bin/stunnel /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
980569 stunnel /usr/bin/stunnel /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
980570 stunnel /usr/bin/stunnel /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
980571 stunnel /usr/bin/stunnel /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
995309 httpd /usr/local/apache/bin/httpd -k start -DSSL
1028957 ssl-params dovecot/ssl-params
1044924 httpd /usr/local/apache/bin/httpd -k start -DSSL
1045000 httpd /usr/local/apache/bin/httpd -k start -DSSL


--
Greg Pulford 

Alguma ideia de como posso encontrar o desgraçado que anda soltando flood da minha maquina?
De momento coloquei um DROP no iptables a todo o SMTP e dei stop no exim para "conter o problema" ate achar uma solução, alguem sabe como acho o desgraçado?

 

 

@EDIT

 

Acho que posso afirmar com segurança que é o "impro" ne?

Editado Setembro 12, 2014 em 14:13 Set 12, 2014 por Facha

Já olhou a queue para ver o conteúdo dos e-mails e de onde ele está vindo?