So no matter how many times I kill exim4, it immediately comes back to life. I have stopped the service and everything, but something is bringing it back to life and using it for spamming.
How do I find who is the culprit; in other words, who is starting the exim process?
$ ps -ef | grep exim
root 3038 1 0 14:48 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5Mf-0000mt-L7
107 3042 3038 0 14:48 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5Mf-0000mt-L7
root 5083 1 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5N0-0001Jr-88
107 5233 5083 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5N0-0001Jr-88
root 7420 1 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5NR-0001vb-Km
107 7430 7420 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5NR-0001vb-Km
root 7454 1 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5NR-0001wA-Rl
107 7478 7454 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5NR-0001wA-Rl
root 7518 1 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5NS-0001xF-8C
107 7523 7518 0 14:49 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5NS-0001xF-8C
root 8863 1 0 14:50 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5Nm-0002Ir-93
107 8866 8863 0 14:50 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5Nm-0002Ir-93
root 8876 1 0 14:50 ? 00:00:00 /usr/sbin/exim4 -Mc 1YR5Nm-0002J5-Ee
You might try restricting the exim binary (take away execute), and then checking dmesg to see what app complains about it. – Frank Thomas – 2015-02-26T21:06:31.403
That's a great idea, Frank. How do I tail dmesg? – David Coch – 2015-02-26T21:21:14.780
Depends on your system, but on my Debian box it's sudo tail /var/log/dmesg. On Ubuntu you can just say tail dmesg. And don't forget to check other logs as well. The debug log may not get notified of that failure, but hopefully sys or messages does. – Frank Thomas – 2015-02-26T21:24:48.853
I am on Ubuntu. Checking /var/log/dmesg and /var/log/syslog, but don't see anything there. Are you sure this permission error shows up there? – David Coch – 2015-02-26T21:35:50.700
Like I said, not always. It is up to the developer to decide whether or not to write debug messages. Instead check the sys/messages/auth logs, and see what you see. – Frank Thomas – 2015-02-26T21:36:56.377
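Added example, not code from the question or the comments above. The ps listing in the question shows "exim4 -Mc <message-id>" processes with PPID 1. "-Mc" is the flag Exim uses when it re-executes itself as a delivery process for a message that is already in the spool, so whatever submitted the message has normally exited by the time ps runs, and ps cannot name it; killing those children only stops deliveries of mail that is already queued. The message id in the ps output, though, is the key into Exim's main log (/var/log/exim4/mainlog on Debian and Ubuntu exim4 packages, which is why dmesg and syslog show nothing), and the "<=" arrival line for that id records U= (the local user that submitted it, for P=local submissions through the sendmail interface) or H= (the remote host, for SMTP). The script below pulls the ids out of ps -ef, looks each one up, and counts arrivals per submitting user. The mainlog and ps lines in it are constructed sample data in Exim's real line layout (the ids reuse the ones visible in the question; senders, hosts and sizes are made up), and the H= parsing is simplified to the two-token form used in the sample.

```shell
#!/bin/sh
# Added example, not code from the original post. Exim "-Mc <message-id>"
# processes deliver messages already in the spool; the submitter has usually
# exited (PPID 1), so ps cannot name it. The message id is the key into the
# main log, whose "<=" arrival line records U= (local submitting user,
# P=local) or H= (remote host, SMTP).
# Default main log on Debian/Ubuntu exim4 packages: /var/log/exim4/mainlog.
# All log and ps lines below are CONSTRUCTED sample data, not from the asker's host.

MAINLOG="${MAINLOG:-/var/log/exim4/mainlog}"

# Constructed mainlog excerpt in Exim's real line layout (ids reuse the ones
# visible in the question's ps output; senders, hosts and sizes are made up).
sample_mainlog() {
cat <<'EOF'
2015-02-26 14:48:01 1YR5Mf-0000mt-L7 <= bounce@example.invalid U=www-data P=local S=2110 id=a1@localhost
2015-02-26 14:48:02 1YR5Mf-0000mt-L7 => victim@example.invalid R=dnslookup T=remote_smtp H=mx.example.invalid [192.0.2.10]
2015-02-26 14:48:02 1YR5Mf-0000mt-L7 Completed
2015-02-26 14:49:10 1YR5N0-0001Jr-88 <= spam@example.invalid H=(foo) [203.0.113.5] P=esmtp S=3400
2015-02-26 14:49:30 1YR5NR-0001vb-Km <= bounce@example.invalid U=www-data P=local S=2110 id=b2@localhost
EOF
}

# ids_from_ps: read `ps -ef` output on stdin, print each distinct message id
# that an "exim4 -Mc" delivery process is working on (ids are 6-6-2 base62 groups).
ids_from_ps() {
  grep -o 'exim4 -Mc [0-9A-Za-z]\{6\}-[0-9A-Za-z]\{6\}-[0-9A-Za-z]\{2\}' \
    | awk '{ print $3 }' | sort -u
}

# who_submitted <message-id> [logfile]: print "user=<U> proto=<P> host=<H>"
# from the message's "<=" arrival line ("-" where a field is absent).
who_submitted() {
  id="$1"; log="${2:-$MAINLOG}"
  awk -v id="$id" '
    $3 == id && $4 == "<=" {
      u = "-"; p = "-"; h = "-"
      for (i = 5; i <= NF; i++) {
        if ($i ~ /^U=/) u = substr($i, 3)
        else if ($i ~ /^P=/) p = substr($i, 3)
        else if ($i ~ /^H=/) {
          # H= may be followed by a "[ip]" token; glue it on (simplified parser)
          h = substr($i, 3)
          if ($(i + 1) ~ /^\[/) h = h " " $(i + 1)
        }
      }
      print "user=" u " proto=" p " host=" h
    }' "$log"
}

# top_submitters [logfile]: count arrivals per local submitting user, most first.
# On a spamming box the U= that dominates (www-data, a site's PHP user, ...) is
# what keeps feeding exim; killing the -Mc children never touches it.
top_submitters() {
  log="${1:-$MAINLOG}"
  awk '$4 == "<=" { for (i = 5; i <= NF; i++) if ($i ~ /^U=/) c[substr($i, 3)]++ }
       END { for (u in c) print c[u], u }' "$log" | sort -rn
}

# Stand-alone demo on the constructed data. On a real host:
#   ps -ef | ids_from_ps | while read id; do who_submitted "$id"; done
demo() {
  tmp=$(mktemp)
  sample_mainlog > "$tmp"
  for id in 1YR5Mf-0000mt-L7 1YR5N0-0001Jr-88; do
    printf '%s: %s\n' "$id" "$(who_submitted "$id" "$tmp")"
  done
  top_submitters "$tmp"
  rm -f "$tmp"
}
demo
```

Once the submitting user is known, the usual next step is to find what that user is running: for a web server user, the PHP or CGI script calling mail(), for a shell user, a cron entry or a process still alive under that uid. If the arrival lines show H= rather than U=, the mail is coming in over SMTP and the question becomes who is authenticating or relaying, which the same log lines answer with their A= and H= fields.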