top shows php, postfix pounding the system

torontob (#1)
Hi Guys,

I am running Elastix 1.3.2. It has a Sangoma A400. Postfix has been putting a huge load on the system, and "service postfix stop" actually gets rid of the sound cutting off that we have been experiencing recently.

My question is: what does Elastix use PHP for? Does it even use it? Also, how about Postfix? I would like to kill it totally or uninstall it since it's giving me problems.

There are over 60,000 files in /var/spool/postfix/
What the hell is Elastix trying to report to me? It keeps sending them to root@example.com, which fails, and they stay in active, defer and deferred. Please let me know if I can kill Postfix for good without affecting the system.

Thanks
 

dicko (#2)
You have been hacked, probably through roundcube, the web-based mail client.

/var/log/maillog should confirm that; there was a lot of bogus traffic, probably from the asterisk user, who can log into the webmail.

Yes, you can kill Postfix without affecting anything call-wise, but the easiest thing to do is probably block inbound and outbound connections on port 25 (SMTP), then purge your mail queues. Then remove the directory /var/www/html/mail (roundcubemail).
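The triage and containment steps described in this reply, as an added example script that is not from the thread or from Elastix. It assumes a Postfix host with postqueue, postsuper and iptables available; the queue listing below is constructed to stand in for real `postqueue -p` output.

```shell
#!/bin/sh
# Added example (not from the thread): size up a runaway Postfix queue and
# contain the abuse the way the reply above suggests.
# Assumptions: Postfix spool under /var/spool/postfix, iptables for filtering.

# Constructed sample of `postqueue -p` output (not a real queue).
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B0C9D     1893 Tue Jan 12 10:02:11  asterisk@pbx.localdomain
                                         root@example.com

4E3B2C1D0A*    2210 Tue Jan 12 10:02:13  asterisk@pbx.localdomain
                                         someone@mail.example

5D4C3B2A1F!    1750 Tue Jan 12 10:03:40  asterisk@pbx.localdomain
                                         root@example.com

-- 6 Kbytes in 3 Requests.'

# Files per queue directory (active/defer/deferred, as the OP counted them).
queue_counts() {
    spool="${1:-/var/spool/postfix}"
    for d in incoming active deferred defer hold maildrop; do
        [ -d "$spool/$d" ] || continue
        printf '%s %s\n' "$d" "$(find "$spool/$d" -type f | wc -l)"
    done
}

# "<total> <hits>": queued messages, and how many mention a given address
# (e.g. the root@example.com bounces). Queue-ID lines start with a hex ID,
# optionally flagged * (active) or ! (hold); recipients sit on the next lines.
queue_summary() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        $1 ~ /^[0-9A-F]+[*!]?$/ && NF >= 5 { total++ }
        index(tolower($0), tolower(addr))  { hits++ }
        END { printf "%d %d\n", total, hits }'
}

# Senders with the most queued mail; one abused account dominating the list
# points at the compromised login (the asterisk webmail user in the thread).
queue_top_senders() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9A-F]+[*!]?$/ && NF >= 5 { print $NF }' |
        sort | uniq -c | sort -rn | head -5 | awk '{ print $1, $2 }'
}

# Containment, in the reply's order: block SMTP both ways, drop the whole
# queue (it is bounces and spam, not real mail), remove the webmail client.
contain_postfix_abuse() {
    iptables -I INPUT  -p tcp --dport 25 -j DROP
    iptables -I OUTPUT -p tcp --dport 25 -j DROP
    postsuper -d ALL
    rm -rf /var/www/html/mail
}

queue_summary "$SAMPLE_QUEUE" root@example.com   # prints "3 2"
```

Run `queue_counts` and `queue_top_senders "$(postqueue -p)"` on the live box first; `contain_postfix_abuse` is deliberately not called automatically.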
 

torontob (#3)
Wow, thanks. That gives me such comfort, knowing Elastix developers are doing a GREAT job at not leaving loopholes open. I like PBXinaFLASH for security, as they take this type of thing more seriously. Not to forget that it's also my fault for not checking /var/www/html/ and deleting anything not being used by the system.

Dicko, thank you very much for the input though. I have done what you said. But can you please explain this in a bit more detail as to what may have been compromised? Or what could still be in a compromised state?

thanks
 

dicko (#4)
I have no idea what the exploit is about. It happened to one of my servers a few months ago, and as there was no need for POP3 or IMAP and the outbound mail was going through another internal MTA, the only TCP port open from the outside was 443. Not being able to find any other leaks, I removed the roundcube stuff, and after a few days everything became quiet again. Go figure.
 

torontob (#5)
Thanks for giving me the peace of mind :)

Well, along the way, trying to keep the load off, I did a "yum remove openfire" and I think it removed something from the database (e.g. elastix-dbname....), and now when I go to http://IP/admin I get:

Code:
FATAL ERROR
DB Error: connect failed
And the Elastix PBX part gives me a blank page. I checked, and MySQL root didn't have a password, so I set it to eLaStIx.2oo7, but the problem is not solved. I hate to learn that all settings are gone. But the system works and calls are made.

Any suggestions?
 
