Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: Drifting on June 17, 2014, 01:20:57 PM
-
Hi,
Wonder if someone can shed some light as to what is going on? In TOP I have about 12 processes of Clamscan, the server is crawling and I have hundreds of these in the mail log :-
2014-06-17 11:25:18.648070500 new msg 10125838
2014-06-17 11:25:18.648071500 info msg 10125838: bytes 691 from <anonymous@fred.local> qp 16779 uid 0
2014-06-17 11:25:18.746258500 starting delivery 34623: msg 10125838 to local alias-localdelivery-admin@fred.local
2014-06-17 11:25:18.746259500 status: local 1/20 remote 0/20
2014-06-17 11:25:18.847148500 new msg 10125857
2014-06-17 11:25:18.847149500 info msg 10125857: bytes 819 from <anonymous@fred.local> qp 16782 uid 400
2014-06-17 11:25:18.907306500 starting delivery 34624: msg 10125857 to local admin@ow05.fred.local
2014-06-17 11:25:18.907307500 status: local 2/20 remote 0/20
2014-06-17 11:25:18.907307500 delivery 34623: success: forward:_qp_16782/did_0+0+1/
2014-06-17 11:25:18.907308500 status: local 1/20 remote 0/20
2014-06-17 11:25:18.907308500 end msg 10125838
TOP produced this :-
15678 qpsmtpd 25 0 35888 1108 892 R 7.0 0.1 4:20.79 clamdscan
14721 qpsmtpd 25 0 35888 1108 892 R 6.6 0.1 6:39.76 clamdscan
14802 qpsmtpd 25 0 35888 1108 892 R 6.6 0.1 6:06.68 clamdscan
14848 qpsmtpd 25 0 35888 1112 892 R 6.6 0.1 5:54.79 clamdscan
15582 qpsmtpd 25 0 35888 1112 892 R 6.6 0.1 4:35.77 clamdscan
15655 qpsmtpd 25 0 35888 1108 892 R 6.6 0.1 4:33.27 clamdscan
15704 qpsmtpd 25 0 35888 1112 892 R 6.6 0.1 4:17.79 clamdscan
15862 qpsmtpd 25 0 35888 1112 892 R 6.6 0.1 4:02.98 clamdscan
16012 qpsmtpd 25 0 35888 1108 892 R 6.3 0.1 3:56.38 clamdscan
14716 qpsmtpd 25 0 35888 1108 892 R 5.0 0.1 6:45.39 clamdscan
16146 qpsmtpd 25 0 35888 1112 892 R 4.0 0.1 3:46.12 clamdscan
14663 qpsmtpd 25 0 35888 1112 892 R 3.7 0.1 7:50.93 clamdscan
14726 qpsmtpd 25 0 35888 1108 892 R 3.7 0.1 6:28.06 clamdscan
14731 qpsmtpd 25 0 35888 1108 892 R 3.7 0.1 6:20.47 clamdscan
14788 qpsmtpd 25 0 35888 1108 892 R 3.7 0.1 6:25.38 clamdscan
16020 qpsmtpd 25 0 35888 1112 892 R 3.7 0.1 3:52.47 clamdscan
16039 qpsmtpd 25 0 35888 1108 892 R 3.7 0.1 3:49.49 clamdscan
16123 qpsmtpd 25 0 35884 1108 892 R 3.7 0.1 3:47.49 clamdscan
16268 qpsmtpd 25 0 35888 1108 892 R 3.7 0.1 3:37.80 clamdscan
3868 qpsmtpd 25 0 35888 1108 892 R 3.3 0.1 18096:00 clamdscan
14639 qpsmtpd 25 0 35888 1112 892 R 3.3 0.1 9:07.34 clamdscan
14687 qpsmtpd 25 0 35888 1108 892 R 3.3 0.1 7:39.54 clamdscan
14693 qpsmtpd 25 0 35888 1108 892 R 3.3 0.1 7:21.53 clamdscan
14711 qpsmtpd 25 0 35888 1108 892 R 3.3 0.1 6:44.84 clamdscan
14795 qpsmtpd 25 0 35888 1112 892 R 3.3 0.1 6:13.65 clamdscan
14816 qpsmtpd 25 0 35888 1108 892 R 3.3 0.1 6:07.19 clamdscan
15346 qpsmtpd 25 0 35888 1112 892 R 3.3 0.1 4:50.59 clamdscan
15629 qpsmtpd 25 0 35888 1112 892 R 3.3 0.1 4:31.97 clamdscan
15653 qpsmtpd 25 0 35888 1108 892 R 3.3 0.1 4:31.98 clamdscan
15769 qpsmtpd 25 0 35888 1112 892 R 3.3 0.1 4:09.48 clamdscan
15832 qpsmtpd 25 0 35888 1112 892 R 3.3 0.1 4:05.50 clamdscan
Any help very much appreciated, not sure where the problem lies, some pointers would really help
Paul
-
Is there anything interesting in clamd / clamscan logs?
-
Is there anything interesting in clamd / clamscan logs?
Only the below.
Clamd/current
2014-06-16 21:43:26.343295500 LibClamAV Warning: Detected duplicate databases /var/clamav/main.cvd and /var/clamav/main.cld, please manually remove one of them
2014-06-16 21:43:30.601707500 Database correctly reloaded (3413298 signatures)
2014-06-16 22:23:32.754000500 SelfCheck: Database status OK.
2014-06-16 22:54:47.311768500 SelfCheck: Database status OK.
2014-06-16 23:50:58.711120500 SelfCheck: Database status OK.
2014-06-17 00:42:37.693322500 SelfCheck: Database status OK.
2014-06-17 01:12:37.720265500 SelfCheck: Database status OK.
2014-06-17 01:42:37.748103500 SelfCheck: Database status OK.
2014-06-17 02:12:37.776810500 SelfCheck: Database status OK.
2014-06-17 02:52:00.669962500 SelfCheck: Database status OK.
2014-06-17 03:22:00.698667500 SelfCheck: Database status OK.
2014-06-17 04:16:45.233988500 SelfCheck: Database status OK.
2014-06-17 05:00:39.777392500 SelfCheck: Database status OK.
2014-06-17 05:34:25.520678500 SelfCheck: Database status OK.
2014-06-17 06:27:19.730856500 SelfCheck: Database status OK.
2014-06-17 06:44:02.180561500 Reading databases from /var/clamav
2014-06-17 06:44:04.619205500 LibClamAV Warning: Detected duplicate databases /var/clamav/main.cvd and /var/clamav/main.cld, please manually remove one of them
2014-06-17 06:44:09.240901500 Database correctly reloaded (3413795 signatures)
2014-06-17 07:32:50.164604500 SelfCheck: Database status OK.
2014-06-17 08:03:38.687514500 SelfCheck: Database status OK.
2014-06-17 08:49:34.837739500 SelfCheck: Database status OK.
2014-06-17 09:22:45.709716500 SelfCheck: Database status OK.
2014-06-17 09:52:47.143237500 SelfCheck: Database status OK.
2014-06-17 10:08:40.672816500 Waiting for all threads to finish
2014-06-17 10:08:40.952894500 Shutting down the main socket.
2014-06-17 10:08:40.952952500 --- Stopped at Tue Jun 17 10:08:40 2014 (This part was me trying to stop whatever was causing the 100%)
2014-06-17 10:08:40.952956500 Closing the main socket.
2014-06-17 10:08:40.952991500 Socket file removed.
/var/log/clamd/clamscan.log: Viewed at Tue 17 Jun 2014 01:19:01 PM BST.
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 3397036
Engine version: 0.98.3
Scanned directories: 2802
Scanned files: 80115
Infected files: 0
Data scanned: 23467.74 MB
Data read: 14707.42 MB (ratio 1.60:1)
Time: 3648.630 sec (60 m 48 s)
-------------------------------------------------------------------------------
/home/e-smith/files/users/robert/Maildir/cur/1387899967.P7872Q706.ow05:2,S: Win.Trojan.Agent-722032 FOUND
/home/e-smith/files/users/robert/Maildir/cur/1387899967.P7872Q706.ow05:2,S: moved to '/var/spool/clamav/quarantine/1387899967.P7872Q706.ow05:2,S'
/home/e-smith/files/users/robert/Maildir/cur/1387899968.P7872Q714.ow05:2,S: Win.Trojan.Agent-722032 FOUND
/home/e-smith/files/users/robert/Maildir/cur/1387899968.P7872Q714.ow05:2,S: moved to '/var/spool/clamav/quarantine/1387899968.P7872Q714.ow05:2,S'
/home/e-smith/files/users/robert/Maildir/cur/1387899967.P7872Q711.ow05:2,S: Win.Trojan.Agent-722032 FOUND
/home/e-smith/files/users/robert/Maildir/cur/1387899967.P7872Q711.ow05:2,S: moved to '/var/spool/clamav/quarantine/1387899967.P7872Q711.ow05:2,S'
/home/e-smith/files/users/robert/Maildir/cur/1387899968.P7872Q712.ow05:2,S: Win.Trojan.Agent-722032 FOUND
/home/e-smith/files/users/robert/Maildir/cur/1387899968.P7872Q712.ow05:2,S: moved to '/var/spool/clamav/quarantine/1387899968.P7872Q712.ow05:2,S'
/home/e-smith/files/users/robert/Maildir/cur/1387899967.P7872Q708.ow05:2,S: Win.Trojan.Agent-722032 FOUND
/home/e-smith/files/users/robert/Maildir/cur/1387899967.P7872Q708.ow05:2,S: moved to '/var/spool/clamav/quarantine/1387899967.P7872Q708.ow05:2,S'
----------- SCAN SUMMARY -----------
Known viruses: 3408883
Engine version: 0.98.3
Scanned directories: 2814
Scanned files: 83784
Infected files: 5
Data scanned: 24575.34 MB
Data read: 15418.75 MB (ratio 1.59:1)
Time: 4320.477 sec (72 m 0 s)
-
Still doing this? Anyone any suggestions?
-
Looks like you're being overloaded by mails, and your server can't follow (I guess it's a low-end CPU, or doesn't have enough RAM, or both). You should first try to identify where those mails are coming from (tailf /var/log/qpsmtpd/current | grep logterse | tai64nlocal). Then, either fix the machine which is sending too many mails, or block it if it's not under your control.
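
Added example, not part of the thread: the qmail log lines quoted in the first post already record each message's envelope sender and the uid that injected it, so tallying them per sender, uid and recipient shows which source dominates the queue. The function names, the sample lines and uid 453 are constructed for illustration; the input is assumed to be a qmail-send log already decoded to readable timestamps.

```shell
#!/bin/sh
# Constructed sample, modelled on the qmail-send lines quoted in the first post.
sample_log() {
    cat <<'EOF'
2014-06-17 11:25:18.648070500 new msg 101
2014-06-17 11:25:18.648071500 info msg 101: bytes 691 from <anonymous@fred.local> qp 16779 uid 0
2014-06-17 11:25:18.746258500 starting delivery 1: msg 101 to local alias-localdelivery-admin@fred.local
2014-06-17 11:25:18.907308500 end msg 101
2014-06-17 11:25:19.648071500 info msg 102: bytes 691 from <anonymous@fred.local> qp 16790 uid 0
2014-06-17 11:25:19.746258500 starting delivery 2: msg 102 to local alias-localdelivery-admin@fred.local
2014-06-17 11:25:20.648071500 info msg 103: bytes 1200 from <user@example.com> qp 16801 uid 453
2014-06-17 11:25:20.746258500 starting delivery 3: msg 103 to local robert@fred.local
EOF
}

# Reads decoded qmail-send log lines on stdin and prints
# "COUNT SENDER uid=UID -> RECIPIENT", busiest combination first.
summarise_qmail() {
    awk '
    # "info msg N: bytes B from <sender> qp P uid U" names the sender and injecting uid
    $3 == "info" && $4 == "msg" {
        id = $5; sub(/:$/, "", id)
        for (i = 6; i < NF; i++) {
            if ($i == "from") sender[id] = $(i + 1)
            if ($i == "uid")  uid[id] = $(i + 1)
        }
    }
    # "starting delivery D: msg N to local|remote addr" ties a recipient to message N
    $3 == "starting" && $4 == "delivery" {
        id = $7
        s = (id in sender) ? sender[id] : "<unknown>"
        u = (id in uid) ? uid[id] : "?"
        count[s " uid=" u " -> " $NF]++
    }
    # qmail reuses message numbers, so forget a message once it has ended
    $3 == "end" && $4 == "msg" { delete sender[$5]; delete uid[$5] }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

sample_log | summarise_qmail
```

A sender/uid pair that accounts for most of the deliveries is the first thing to trace back to a process or host on the server.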