top show php, postfix pounding the system

Discussion in 'General' started by torontob, Feb 5, 2010.

  1. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Hi Guys,

    I am running Elastix 1.3.2. It has a Sangoma A400. Postfix has been putting a huge load on the system and "service postfix stop" actually gets rid of sound cutting off that we have been recently experiencing.

    My question is: what does Elastix use php for? Does it even use it? Also, how about postfix? I would like to kill it totally or un-install it since it's giving me problems.

    There are over 60,000 files in /var/spool/postfix/
    What the hell is Elastix trying to report to me? And it keeps sending them to root@example.com, which fails and stays in active, defer and deferred. Please let me know if I can kill postfix for good without affecting the system.

    Thanks
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    You have been hacked, probably through roundcube, the web based mail client.

    /var/log/maillog should confirm that; there was a lot of bogus traffic, probably from the asterisk user who can log into the webmail.

    Yes you can kill postfix without affecting anything call wise, but the easiest thing to do is probably block inbound and outbound connections on port 25 (smtp) then purge your mail queues. Then remove the directory /var/www/html/mail (roundcubemail)
     
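    An added example, not code from the thread or from Elastix, for the triage step dicko describes: scanning /var/log/maillog for a flood of submissions by one account and for deferred mail piling up for one recipient. It assumes the webmail submits through Postfix with SMTP AUTH (so the log carries `sasl_username=`) and runs here on a constructed excerpt; pipe the real log into the functions on the box.

    ```shell
    #!/bin/sh
    # Constructed maillog excerpt in Postfix's log format (not real data):
    # repeated submissions by "asterisk", all deferred to root@example.com,
    # plus one normal submission by "admin" that is delivered.
    SAMPLE_MAILLOG='Feb  5 10:01:12 pbx postfix/smtpd[2101]: 1A2B3C: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=asterisk
    Feb  5 10:01:12 pbx postfix/qmgr[1980]: 1A2B3C: from=<asterisk@pbx.local>, size=812, nrcpt=1 (queue active)
    Feb  5 10:01:13 pbx postfix/smtp[2110]: 1A2B3C: to=<root@example.com>, relay=none, delay=0.4, status=deferred (Host or domain name not found)
    Feb  5 10:01:14 pbx postfix/smtpd[2101]: 1A2B3D: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=asterisk
    Feb  5 10:01:14 pbx postfix/smtp[2110]: 1A2B3D: to=<root@example.com>, relay=none, delay=0.3, status=deferred (Host or domain name not found)
    Feb  5 10:01:15 pbx postfix/smtpd[2101]: 1A2B3E: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=asterisk
    Feb  5 10:01:15 pbx postfix/smtp[2110]: 1A2B3E: to=<root@example.com>, relay=none, delay=0.3, status=deferred (Host or domain name not found)
    Feb  5 10:02:00 pbx postfix/smtpd[2101]: 1A2B3F: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=admin
    Feb  5 10:02:01 pbx postfix/smtp[2110]: 1A2B3F: to=<ops@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.1, status=sent (250 OK)'

    # Submissions per authenticated account, busiest first ("count user").
    # Reads the log on stdin.
    auth_counts() {
        awk '/sasl_username=/ { sub(/.*sasl_username=/, ""); n[$1]++ }
             END { for (u in n) print n[u], u }' | sort -rn
    }

    # Deferred deliveries per recipient, busiest first ("count address").
    # A single address dominating this list is the stuck queue torontob saw.
    deferred_counts() {
        awk '/status=deferred/ { match($0, /to=<[^>]*>/)
                                 r = substr($0, RSTART + 4, RLENGTH - 5); n[r]++ }
             END { for (r in n) print n[r], r }' | sort -rn
    }

    # Prints the busiest account only if it exceeds the threshold (argument,
    # default 1; tune it to what the box normally sends per log window).
    top_submitter() {
        threshold=${1:-1}
        auth_counts | awk -v t="$threshold" 'NR == 1 && $1 > t { print $2 }'
    }

    # Run against the sample when invoked with --run; on a real system use
    #   auth_counts < /var/log/maillog
    if [ "${1:-}" = "--run" ]; then
        printf '%s\n' "$SAMPLE_MAILLOG" | auth_counts
        printf '%s\n' "$SAMPLE_MAILLOG" | deferred_counts
    fi
    ```
    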
  3. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Wow, thanks. That gives me such a comfort knowing Elastix developers are doing a GREAT job at not leaving loopholes open. I like PBXinaFLASH for security as they take this type of thing more seriously. Not to forget that it's also my fault for not checking /var/www/html/ and deleting anything not being used by the system.

    Dicko, thank you very much for the input though. I have done what you said. But can you please explain this in a bit more detail as to what may have been compromised? Or what can still be in a compromised state?

    thanks
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I have no idea what the exploit is about. It happened to one of my servers a few months ago, and as there was no need for pop3 or imap and the outbound mail was going through another internal MTA, the only tcp port open from the outside was 443. Not being able to find any other leaks, I removed the roundcube stuff and after a few days everything became quiet again, go figure.
     
  5. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Thanks for giving me the peace of mind :)

    Well, along the way trying to keep the load off I did a "yum remove openfire" and I think it removed something from the database (e.g. elastix-dbname....) and now when I do http://IP/admin I get:

    Code:
    FATAL ERROR
    DB Error: connect failed
    
    And the Elastix PBX part gives me a blank page. I checked and MySQL root didn't have a password, so I set it to eLaStIx.2oo7, but the problem is not solved. I hate to learn that all settings are gone. But the system works and calls are made.

    Any suggestions?
     