I think someone is sending spam emails through my site
My site has been very unstable for months. I finally tracked down the possible cause: Apache keeps crashing because some unknown email activity is causing MaxClients to be reached (if that makes any sense...).
This is what I see in /var/log/apache2/error.log.
[Sun Jun 07 06:46:20 2015] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.14 with Suhosin-Patch configured -- resuming normal operations
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
sh: 1: /usr/sbin/sendmail: not found
[Mon Jun 08 04:27:03 2015] [notice] caught SIGTERM, shutting down
[Mon Jun 08 04:27:04 2015] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.14 with Suhosin-Patch configured -- resuming normal operations
[Mon Jun 08 04:27:08 2015] [error] server reached MaxClients setting, consider raising the MaxClients setting
I do send an email newsletter through MailChimp, but I would assume MailChimp is doing the work. Who is sending emails through my site then? Is there a way to stop this email-sending activity?
Kind of a newbie here, any help is very welcome!
Allen
6 Replies
Thank you for your reply! It turned out something else is causing downtime. This is bizarre.
PROBLEM
The site (onefunnyjoke.com) goes down randomly on a daily basis, since around May 1st.
WHAT I HAVE TRIED
Contacted Linode and made sure the server is ok.
Restarted the server and apache. This makes the site live again, temporarily.
Restored the website and a recently-updated plugin to an older version. Haven't tuned apache2.conf for over a year.
OTHER CLUES
When the site is down, I can still ping it successfully.
When the site is down, it loads very slowly with a blank page, then ends up with CloudFlare error 522 or 520 or 524.
I use CloudFlare. No recent changes to the service though.
Even when error log shows nothing, the site still goes down.
CPU usage is low. Space and memory are both enough.
Restarting Apache seems to fix the site temporarily, so it might have something to do with Apache?
I will open another topic if needed. Also, is there a debugging service out there that I can hire?
Again, thank you. Any help is very welcome. Please let me know if you want to see any command's output.
Allen
@Vance:
Sounds like you may want to tune the settings for Apache and your database. As a stopgap measure, you could install something like monit to restart services that become stuck.
Hi Vance,
Thank you for your reply! I have tried tuning my Apache, but it only made it worse. After viewing the access log, I noticed that there was a "googlebot" IP attacking the WordPress xmlrpc.php file (why?). I have blocked the IP. I will update this post and report the result.
Even though the xmlrpc.php attack is gone after I blocked the IP, I am still seeing quite a lot of "post /wp-admin/admin-ajax.php" from different IPs in the access log… not sure if it's something I need to worry about.
Allen
After I blocked the attacking IP, it got a little better, but was still experiencing downtime. I noticed that some other random IPs were constantly reading admin-ajax.php (a WordPress file). I ended up adding the code from the following link to my htaccess file.
That fixed the issue. It also disabled some ajax functionalities in the WordPress platform, but it's not critical at all in my case.
Hope it helps, future people!
Allen
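Added example, not part of the original thread: one way to confirm from the access log the pattern described above, where POSTs to xmlrpc.php came from a single IP while POSTs to admin-ajax.php were spread across different IPs. It assumes Apache's combined log format; the sample lines, the IP addresses and the threshold of 5 are constructed for illustration.

```python
import re
from collections import Counter

# Assumed Apache "combined" format:
# ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+(?: "[^"]*" "(?P<agent>[^"]*)")?'
)
WATCHED = ("/xmlrpc.php", "/wp-admin/admin-ajax.php")

def summarize(lines, threshold=5):
    """Per watched endpoint: total POSTs, distinct client IPs, and IPs at or above threshold."""
    per_ip = {path: Counter() for path in WATCHED}
    claims_googlebot = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path not in per_ip:
            continue
        per_ip[path][m["ip"]] += 1
        # The User-Agent is supplied by the client, so this only records the claim.
        if "googlebot" in (m["agent"] or "").lower():
            claims_googlebot.add(m["ip"])
    return {
        path: {
            "posts": sum(c.values()),
            "distinct_ips": len(c),
            "heavy": [(ip, n, ip in claims_googlebot)
                      for ip, n in c.most_common() if n >= threshold],
        }
        for path, c in per_ip.items()
    }

# Constructed sample input (documentation IP ranges, not real traffic).
_FMT = '{ip} - - [08/Jun/2015:04:27:{s:02d} +0000] "{req} HTTP/1.1" 200 370 "-" "{ua}"'
SAMPLE = (
    [_FMT.format(ip="192.0.2.10", s=i, req="POST /xmlrpc.php",
                 ua="Mozilla/5.0 (compatible; Googlebot/2.1)") for i in range(5)]
    + [_FMT.format(ip=f"198.51.100.{i}", s=i, req="POST /wp-admin/admin-ajax.php?x=1",
                   ua="Mozilla/5.0") for i in range(1, 4)]
    + [_FMT.format(ip="203.0.113.5", s=9, req="GET /", ua="Mozilla/5.0"), "garbage line"]
)

if __name__ == "__main__":
    for path, info in summarize(SAMPLE).items():
        print(path, info)
```

A single entry in "heavy" is the case where blocking one address helps; many distinct IPs with none above the threshold is the case where a per-IP block does not.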
You can block that IP, or if it is a bot, please create entries in robots.txt to disable admin-ajax.php.