Here is the mail message header:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 15388 invoked by uid 504); 19 May 2004 15:34:13 -0000
Received: from [EMAIL PROTECTED] by mail.example.com by uid 501 with
    qmail-scanner-1.16 (ehost Clear:. Processed in 11.096361 secs);
    19 May 2004 15:34:13 -0000
Received: from unknown (HELO mail.yahoo.com) (1.1.1.1)
    by 0 with SMTP; 19 May 2004 15:34:02 -0000
Received: from mail.yahoo.com (intermail [127.0.0.1])
    by mail.yahoo.com (8.12.8/8.12.8) with ESMTP id i4JFUssu019078
    for <[EMAIL PROTECTED]>; Wed, 19 May 2004 23:30:54 +0800
From: "rootlinux" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: test - 11:41pm
Date: Wed, 19 May 2004 23:30:54 +0800
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type:

Here is the qmail-queue.log:

19/05/2004 23:34:02:15383: +++ starting debugging for
process 15383 by uid=501 at 19/05/2004 23:34:02
19/05/2004 23:34:02:15383: setting UID to EUID so
subprocesses can access files generated by this script
19/05/2004 23:34:02:15383: program name is
qmail-scanner-queue.pl, version 1.16
19/05/2004 23:34:02:15383: incoming SMTP connection
from via smtp from 1.1.1.1
19/05/2004 23:34:02:15383: w_c: mkdir
/var/spool/qmailscan/mail.example.com108498084243115383
19/05/2004 23:34:02:15383: w_c: start dumping incoming
msg into
/var/spool/qmailscan/working/tmp/mail.example.com108498084243115383
[1084980842.13506]
19/05/2004 23:34:02:15383: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/mail.example.com108498084243115383
to
/var/spool/qmailscan/working/new/mail.example.com108498084243115383
[1084980852.63514]
19/05/2004 23:34:02:15383: d_m: starting
/usr/local/bin/reformime
-x/var/spool/qmailscan/mail.example.com108498084243115383/
</var/spool/qmailscan/working/new/mail.example.com108498084243115383
[1084980852.63558]
19/05/2004 23:34:02:15383: d_m: finished
/usr/local/bin/reformime
-x/var/spool/qmailscan/mail.example.com108498084243115383/
[1084980852.69235]
19/05/2004 23:34:02:15383: d_m: Manually unpack any
zip files as some virus scanners don't do zip under
Unix!
19/05/2004 23:34:02:15383: d_m: unpacking message took
0.057176 seconds
19/05/2004 23:34:02:15383: unsetting QMAILQUEUE env
var
19/05/2004 23:34:02:15383: g_e_h: return-path is
"[EMAIL PROTECTED]", recips is
"[EMAIL PROTECTED]"
19/05/2004 23:34:02:15383: from="rootlinux"
<[EMAIL PROTECTED]>,subj=test - 11:41pm,
x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
via smtp from 1.1.1.1
19/05/2004 23:34:02:15383: ini_sc: start scanning
19/05/2004 23:34:02:15383: p_s: starting scan of
directory
"/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: p_s: '81:ILOVEYOU' =
'Virus-subject' = 'Love Letter Virus/Trojan'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects
containing subject: ILOVEYOU
19/05/2004 23:34:02:15383: p_s: '82:message/partial'
= 'Virus-content-type' = 'Message/partial MIME
attachments blocked by policy'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects
containing content-type: message/partial
19/05/2004 23:34:02:15383: p_s: '85:.{100,}' =
'Virus-date' = 'MIME Header Buffer Overflow'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects
containing date: .{100,}
19/05/2004 23:34:02:15383: p_s: '86:.{100,}' =
'Virus-mime-version' = 'MIME Header Buffer Overflow '
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects
containing mime-version: .{100,}
19/05/2004 23:34:02:15383: p_s: '87:.{100,}' =
'Virus-resent-date' = 'MIME Header Buffer Overflow'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects
containing resent-date: .{100,}
19/05/2004 23:34:02:15383: p_s:
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]'
= 'Virus-to' = 'BadTrans Trojan exploit!'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects
containing to:
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
19/05/2004 23:34:02:15383: p_s: 'eicar.com' = '69' =
'EICAR Test Virus'
19/05/2004 23:34:02:15383: p_s: type is a size!
19/05/2004 23:34:02:15383: p_s: 'happy99.exe' =
'10000' = 'Happy99 Trojan'
19/05/2004 23:34:02:15383: p_s: type is a size!
19/05/2004 23:34:02:15383: p_s: 'zipped_files.exe' =
'120495' = 'W32/ExploreZip.worm.pak virus'
19/05/2004 23:34:02:15383: p_s: type is a size!
19/05/2004 23:34:02:15383: p_s: skipping
auto-generated file
1084980852.15385-0.mail.example.com
19/05/2004 23:34:02:15383: p_s: checking WMSysPr9.prx
against perlscanner database...
19/05/2004 23:34:02:15383: p_s: file WMSysPr9.prx is
lowercased to wmsyspr9.prx and has extension .prx
19/05/2004 23:34:02:15383: p_s: compare wmsyspr9.prx
against perlscanner database
19/05/2004 23:34:02:15383: p_s: finished scan of dir
"/var/spool/qmailscan/mail.example.com108498084243115383"
in 0.003664 secs
19/05/2004 23:34:02:15383: ini_sc: recursively scan
the directory
/var/spool/qmailscan/mail.example.com108498084243115383/
19/05/2004 23:34:02:15383: scanloop: starting scan of
directory
"/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: uvscan: starting scan of
directory
"/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: run /usr/local/bin/uvscan
-v -r --secure --fam --unzip --macro-heuristics
/var/spool/qmailscan/mail.example.com108498084243115383
2>&1
19/05/2004 23:34:02:15383: --output of uvscan was:
Scanning
/var/spool/qmailscan/mail.example.com108498084243115383/*
Scanning file
/var/spool/qmailscan/mail.example.com108498084243115383/1084980852.15385-0.mail.example.com
Scanning file
/var/spool/qmailscan/mail.example.com108498084243115383/WMSysPr9.prx
Scanning file
/var/spool/qmailscan/mail.example.com108498084243115383/WMSysPr9.prx/WMSysPr9.prx
--
19/05/2004 23:34:02:15383: uvscan: finished scan of
dir
"/var/spool/qmailscan/mail.example.com108498084243115383"
in 0.528814 secs
19/05/2004 23:34:02:15383: scanloop: finished scan of
"/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: ini_sc: scanning message
took 0.53301 seconds
19/05/2004 23:34:02:15383: q_r: fork off child into
/var/qmail/bin/qmail-queue...
19/05/2004 23:34:02:15383: cleanup: /bin/rm -rf
/var/spool/qmailscan/mail.example.com108498084243115383/
/var/spool/qmailscan/working/new/mail.example.com108498084243115383
19/05/2004 23:34:13:15383: all finished. Total of
11.178623 secs
Regards,
rootlinux
--- Chuck <[EMAIL PROTECTED]> wrote:
> On Wed May 19 2004 09:31 am, root linux wrote:
>
> Honestly that doesn't look at all unusual to me if you receive a lot of
> email. Our process list is almost triple that all the time. However there
> is one thing you should do, since you could be bottled up in either a/v
> processing, spam processing or writing out in a large quarantine directory.
>
> First examine message headers. At the end of the qmail-scanner-queue entry
> will be a process time. With only a few exceptions it should NEVER exceed
> 0.3 seconds. If it does, look for reasons why it is being delayed in the
> external processes. Also, be sure to empty your quarantine directories
> often. If the directories get too large it will take forever to write the
> new ones out. Also limit your quarantine notifications to one or two
> deliveries instead of a list of people. I delete ours every 3 hours. We
> accumulate almost a GB of quarantines in about 5 hrs of running, so I
> delete them all every 3 hours for safety and to keep things running
> quickly. Other than that, it looks like an average semi-busy server to me.
>
>
> Chuck
>
> > Hi all,
> >
> > I have lots of the below process running when I run
> > "ps -ef" at the command prompt, is it normal?
> >
> > Btw, I am running Red Hat 7.2 with qmail 1.03 and
> > qmail-scanner 1.16
> >
> > qmaild 6407 5946 0 21:12 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6408 6407 0 21:12 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6414 5946 0 21:12 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6419 6414 0 21:12 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6453 5946 0 21:13 pts/0 00:00:00
> > qmail-smtpd
> > qmaild 6543 5946 0 21:14 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6553 6543 0 21:14 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6557 5946 0 21:14 pts/0 00:00:00
> > qmail-smtpd
> > qmaild 6682 5946 0 21:15 pts/0 00:00:00
> > qmail-smtpd
> > qmaild 6713 5946 0 21:15 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6714 6713 0 21:15 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6748 5946 0 21:16 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6749 6748 0 21:16 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6758 5946 0 21:16 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6759 6758 0 21:16 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6806 5946 0 21:17 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6807 6806 0 21:17 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6808 5946 0 21:17 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6813 6808 0 21:17 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6823 5946 0 21:17 pts/0 00:00:00
> > qmail-smtpd
> > qmaild 6825 5946 0 21:17 pts/0 00:00:00
> > qmail-smtpd
> > qmaild 6826 5946 0 21:17 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6827 6823 0 21:17 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6828 5946 0 21:17 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6829 6825 0 21:17 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmailq 6830 6826 0 21:17 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmailq 6831 6828 0 21:17 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6832 5946 0 21:17 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6845 6832 0 21:17 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6862 5946 0 21:18 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6864 6862 0 21:18 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6869 5946 0 21:18 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6870 6869 0 21:18 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6896 5946 0 21:18 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6897 6896 0 21:18 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6903 5946 0 21:18 pts/0 00:00:00
> > qmail-smtpd
> > qmaild 6908 5946 0 21:18 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6909 6908 0 21:18 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6946 5946 0 21:19 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6947 6946 0 21:19 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6964 5946 0 21:19 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6965 6964 0 21:19 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6974 5946 0 21:19 pts/0 00:00:00
> > qmail-smtpd
> > qmailq 6983 6974 2 21:19 pts/0 00:00:00
> > /usr/bin/suidperl
> > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> >
> > Regards,
> > rootlinux
>
> --
>
> Chuck
>
> "...and the hordes of M$*ft users descended upon me
> in their anger,
> and asked 'Why do you not get the viruses or the
> BlueScreensOfDeath
> or insecure system troubles and slowness or pay
> through the nose
> for an OS as *we* do?!!', and I answered...'I use
> Linux'. "
> The Book of John, chapter 1, page 1, and end of book
=== message truncated ===
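
Added example, not part of the original thread or of qmail-scanner: the quoted reply says to check the process time against 0.3 seconds, and the debug log at the top of this message carries per-step timings, so this Python code rejoins the mail-wrapped log entries and reports which steps exceed that figure. The sample lines are constructed from the log above with the spool paths shortened, the function names are hypothetical, and the bracketed values are assumed to be epoch seconds.

```python
import re

# Constructed sample modelled on the debug log in this thread: paths shortened, wrapping kept.
SAMPLE = """\
19/05/2004 23:34:02:15383: w_c: start dumping incoming
msg into <spool>/working/tmp/msg
[1084980842.13506]
19/05/2004 23:34:02:15383: w_c: rename new msg from
<spool>/working/tmp/msg to <spool>/working/new/msg [1084980852.63514]
19/05/2004 23:34:02:15383: d_m: unpacking message took
0.057176 seconds
19/05/2004 23:34:02:15383: ini_sc: scanning message
took 0.53301 seconds
19/05/2004 23:34:13:15383: all finished. Total of 11.178623 secs
"""

ENTRY = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d+: (.*)$")
STAMP = re.compile(r"^(.*?)\s*\[(\d+\.\d+)\]$")   # assumed: epoch seconds in brackets
TOOK = re.compile(r"^\w+: (.+?) took ([\d.]+) seconds$")
TOTAL = re.compile(r"Total of ([\d.]+) secs$")

def entries(text):
    """Rejoin wrapped lines: a line with no timestamp prefix continues the previous entry."""
    out = []
    for line in text.splitlines():
        if m := ENTRY.match(line):
            out.append(m.group(1))
        elif out and line.strip():
            out[-1] += " " + line.strip()
    return out

def phase_times(text):
    """Return ({phase: seconds}, total); a gap between stamps is charged to the earlier entry."""
    phases, total, prev = {}, None, None
    for e in entries(text):
        if m := STAMP.match(e):
            if prev:
                phases[prev[0]] = float(m.group(2)) - prev[1]
            prev = (" ".join(m.group(1).split()[:4]), float(m.group(2)))
        elif m := TOOK.match(e):
            phases[m.group(1)] = float(m.group(2))
        elif m := TOTAL.search(e):
            total = float(m.group(1))
    return phases, total

def slow_phases(text, limit=0.3):
    """Phases over the limit, slowest first; 0.3 s is the figure given in the quoted reply."""
    phases, _ = phase_times(text)
    return sorted((p for p, s in phases.items() if s > limit), key=phases.get, reverse=True)
```

On the sample, the interval between the two w_c stamps accounts for about 10.5 of the 11.18 seconds reported, while unpacking and scanning together take under 0.6 seconds.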