I think someone is sending spam emails through my site

Hi,

My site has been very unstable for months. I finally tracked down the possible cause: Apache keeps crashing because some unknown email activity is causing MaxClients to be reached (if that makes any sense..).

This is what I see in /var/log/apache2/error.log.

[Sun Jun 07 06:46:20 2015] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.14 with Suhosin-Patch configured -- resuming normal operations
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
[Mon Jun 08 04:27:03 2015] [notice] caught SIGTERM, shutting down
[Mon Jun 08 04:27:04 2015] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.14 with Suhosin-Patch configured -- resuming normal operations
[Mon Jun 08 04:27:08 2015] [error] server reached MaxClients setting, consider raising the MaxClients setting

I do send email newsletters through MailChimp, but I would assume MailChimp is doing the work. Who is sending emails through my site then? Is there a way to stop this email-sending activity?

Kind of a newbie here, any help is very welcome!

Allen

6 Replies

Take a look at /var/log/mail.log to see what mail activity is happening on your machine. The error message you posted seems to imply that you don't even have a mail server installed.
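The `sh: 1: /usr/sbin/sendmail: not found` lines are what you get when PHP's `mail()` shells out to the `sendmail_path` configured in php.ini and the binary is not there, so the question becomes which PHP script is calling `mail()`. PHP can record that itself. This is an added php.ini fragment for the PHP 5.3 shown in the log, not something posted in the thread; the log file path is a placeholder.

```ini
; php.ini fragment (added example). On PHP 5.3+ these two settings record
; every mail() call together with the script and line that made it, which
; identifies the source of the sendmail invocations in the Apache error log.
; /var/log/php_mail.log is a placeholder; the file must be writable by the
; Apache user (www-data on Ubuntu).
mail.log = /var/log/php_mail.log
; Adds an X-PHP-Originating-Script header to each outgoing message,
; useful when a message does get out and you want to trace it back.
mail.add_x_header = On
```

Restart Apache after the change, then watch the log while the errors recur; a plugin, theme or injected file sending mail on every page load will show up at once.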

Hi Vance,

Thank you for your reply! It turned out something else is causing downtime. This is bizarre.

PROBLEM

The site (onefunnyjoke.com) goes down randomly on a daily basis, since around May 1st.

WHAT I HAVE TRIED

  • Contacted Linode and made sure the server is ok.

  • Restarted the server and apache. This makes the site live again, temporarily.

  • Restored the website and a recently-updated plugin to an older version. Haven't tuned apache2.conf for over a year.

OTHER CLUES

  • When the site is down, I can still ping it successfully.

  • When the site is down, it loads very slowly with a blank page, then ends up with CloudFlare error 522 or 520 or 524.

  • I use CloudFlare. No recent changes to the service though.

  • Even when error log shows nothing, the site still goes down.

  • CPU usage is low. Space and memory are both enough.

  • Restarting Apache seems to fix the site temporarily, so might have something to do with apache?

I will open another topic if needed. Also, is there a debugging service out there that I can hire?

Again, thank you. Any help is very welcome. Please let me know if you want to see any command's output.

Allen

Sounds like you may want to tune the settings for Apache and your database. As a stopgap measure, you could install something like monit to restart services that become stuck.

@Vance:

Sounds like you may want to tune the settings for Apache and your database. As a stopgap measure, you could install something like monit to restart services that become stuck.

Hi Vance,

Thank you for your reply! I have tried tuning my Apache, but it only made it worse. After viewing the access log, I noticed that there was a "googlebot" IP attacking the WordPress xmlrpc.php file (why?). I have blocked the IP. I will update this post and report the result.

Even though the xmlrpc.php attack is gone after I blocked the IP, I am still seeing quite a lot of "POST /wp-admin/admin-ajax.php" from different IPs in the access log... not sure if it's something I need to worry about.

Allen

So the problem is solved.

After I blocked the attacking IP, it got a little better, but I was still experiencing downtime. I noticed that some other random IPs were constantly reading admin-ajax.php (a WordPress file). I ended up adding the code from the following link to my .htaccess file.

http://cornercubicle.net/8-steps-developers-should-take-to-secure-wordpress/ (the code in "Step 6")

That fixed the issue. It also disabled some AJAX functionality in WordPress, but that's not critical at all in my case.

Hope it helps, future people!

Allen
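For reference, this is what a restriction of that kind looks like in Apache 2.2 syntax (the version in the error log above). It is an added illustration, not the code from the linked article; the allowed address is a placeholder, and the remark about CloudFlare is a practitioner's caveat rather than something the thread states.

```apache
# .htaccess in the WordPress document root (added example). Needs
# AllowOverride Limit (or All) for the directory. Apache 2.2 syntax, matching
# Apache/2.2.22 in the error log; on 2.4 use "Require all denied" and
# "Require ip ..." instead of Order/Deny/Allow.

# xmlrpc.php: deny to everyone, if nothing on the site needs it (Jetpack,
# mobile publishing apps and pingbacks do). This removes the endpoint that
# was being hammered by the spoofed "googlebot" client.
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
</Files>

# admin-ajax.php: deny except from trusted addresses. 203.0.113.10 is a
# placeholder for the site owner's own address. <Files> matches by file name,
# so this also covers wp-admin/admin-ajax.php. Front-end features that call
# admin-ajax.php for anonymous visitors (some themes and plugins) stop working,
# which is the loss of AJAX functionality described above.
<Files admin-ajax.php>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</Files>
```

One caveat when CloudFlare is in front of the server: unless Apache is restoring the original client address (mod_cloudflare, or mod_remoteip on 2.4, from the CF-Connecting-IP header), the address it sees is CloudFlare's edge, so `Allow from` and any IP-based `Deny` will match the proxy rather than the visitor.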

Abuse of the admin-ajax.php file is a common problem. Check the access logs and see which IPs are hitting admin-ajax.php.

You can block those IPs, or if it is a bot, create entries in robots.txt to disallow admin-ajax.php.
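Both the report of many POSTs to admin-ajax.php from different addresses and the advice above come down to the same check: count requests to the abused endpoints per client IP. The script below does that over Apache combined-format log lines and turns the worst offenders into `Deny from` lines. It is an added example, not code from the thread; the log lines are constructed and use RFC 5737 documentation addresses, and the function names are my own.

```shell
#!/bin/sh
# Added example: find which clients are hammering WordPress endpoints that are
# commonly abused (xmlrpc.php, admin-ajax.php) in an Apache combined-format
# access log, grouped by client IP.

# Constructed sample log lines (RFC 5737 addresses). Note the "Googlebot"
# user agent on POSTs to xmlrpc.php: real Googlebot does not POST to it, and
# a genuine Googlebot address reverse-resolves to googlebot.com or google.com
# (a network check, so not performed here).
SAMPLE_LOG='203.0.113.7 - - [08/Jun/2015:04:26:58 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [08/Jun/2015:04:26:59 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.20 - - [08/Jun/2015:04:27:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.7.0"
198.51.100.21 - - [08/Jun/2015:04:27:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.7.0"
198.51.100.20 - - [08/Jun/2015:04:27:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.7.0"
192.0.2.9 - - [08/Jun/2015:04:27:05 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jun/2015:04:27:06 +0000] "GET /wp-admin/admin-ajax.php?action=foo HTTP/1.1" 200 30 "http://example.com/" "Mozilla/5.0"'

# hits_by_ip ENDPOINT [LOGFILE]
# Prints "count ip" lines, busiest first, for requests whose path equals
# ENDPOINT (query string ignored). Reads LOGFILE if given, else the sample.
hits_by_ip() {
    endpoint=$1
    if [ -n "$2" ]; then
        input=$(cat "$2")
    else
        input=$SAMPLE_LOG
    fi
    printf '%s\n' "$input" |
        awk -v ep="$endpoint" '
            # In combined format $1 is the client IP and $7 the request path.
            # Drop any ?query so admin-ajax.php?action=... still matches.
            { path = $7; sub(/\?.*/, "", path); if (path == ep) count[$1]++ }
            END { for (ip in count) print count[ip], ip }
        ' | sort -rn
}

# top_hitter ENDPOINT [LOGFILE]: the single busiest client IP for ENDPOINT.
top_hitter() {
    hits_by_ip "$1" "$2" | head -n 1 | awk '{ print $2 }'
}

# deny_lines ENDPOINT THRESHOLD [LOGFILE]
# Emits Apache 2.2 "Deny from" lines for every client with more than THRESHOLD
# hits on ENDPOINT, ready to paste into a <Files> block. Review the list by
# hand first: a NAT gateway or a CDN edge address would lock out real users.
deny_lines() {
    hits_by_ip "$1" "$3" | awk -v t="$2" '$1 > t { print "Deny from " $2 }'
}

# Stand-alone usage on the sample. For a real log pass it as the last argument:
#   hits_by_ip /wp-admin/admin-ajax.php /var/log/apache2/access.log
hits_by_ip /wp-admin/admin-ajax.php
deny_lines /wp-admin/admin-ajax.php 1
```

The same CloudFlare caveat applies to the log: with the site proxied, the first field is a CloudFlare edge address unless Apache has been configured to log the client address from the CF-Connecting-IP header, in which case the per-IP counts describe the proxy rather than the attackers.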
