"sysguardd" mail relay - automatic detection methods?
We've been getting these "sysguardd" mail relays lately:
[damian@diamond ~]$ vzps aux -E 482
VEID USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
482 48 4210 0.0 0.0 10024 2660 ? S 02:32 0:00 /usr/sbin/httpd
482 0 369050 0.0 0.0 2156 668 ? S Jun01 0:00 init [3]
482 0 369244 0.0 0.0 2260 560 ? S< Jun01 0:00 /sbin/udevd -d
482 0 369574 0.0 0.0 1812 612 ? S Jun01 0:00 syslogd -m 0
482 0 369612 0.0 0.0 7200 1064 ? S Jun01 0:00 /usr/sbin/sshd
482 0 369621 0.0 0.0 2832 856 ? S Jun01 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
482 0 372791 2.6 0.1 77888 55568 ? S Jun01 14:11
482 0 387664 0.0 0.0 9300 1876 ? S Jun01 0:01 sendmail: accepting connections
482 51 389982 0.0 0.0 8252 1480 ? S Jun01 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
482 0 389992 0.0 0.0 10024 2848 ? S Jun01 0:00 /usr/sbin/httpd
482 48 389994 0.0 0.0 10024 2664 ? S Jun01 0:00 /usr/sbin/httpd
482 0 390001 0.0 0.0 4492 1104 ? S Jun01 0:00 crond
482 0 390009 0.0 0.0 5680 696 ? S Jun01 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
482 0 390010 0.0 0.0 5680 436 ? S Jun01 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
482 48 913692 0.0 0.0 10024 2664 ? S Jun01 0:00 /usr/sbin/httpd
[damian@diamond ~]$ sudo /usr/sbin/lsof -p 372791
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sysguardd 372791 root cwd DIR 144,120 4096 598967657 /vz/root/482/root
sysguardd 372791 root rtd DIR 144,120 4096 598868357 /vz/root/482
sysguardd 372791 root txt REG 144,120 1233880 615809434 /vz/root/482/usr/local/sysguard/sbin/sysguardd
sysguardd 372791 root mem REG 8,19 615809434 /vz/root/482/usr/local/sysguard/sbin/sysguardd (path dev=144,120)
sysguardd 372791 root 0r FIFO 0,6 0t0 509412943 pipe
sysguardd 372791 root 1w FIFO 0,6 0t0 509412943 pipe
sysguardd 372791 root 2u IPv4 509412944 0t0 UDP *:38628
sysguardd 372791 root 3u IPv4 509412945 0t0 TCP *:icl-twobase3 (LISTEN)
sysguardd 372791 root 4u IPv4 510270432 0t0 TCP 68.171.101.139:icl-twobase3->dedipool1-56.alfatelecom.org:39177 (ESTABLISHED)
sysguardd 372791 root 5r FIFO 0,6 0t0 509678324 pipe
sysguardd 372791 root 6w FIFO 0,6 0t0 509678324 pipe
This copied/pasted kinda crappy; here's the same thing on pastebin: http://pastebin.com/Tie97g2G
It's difficult for me to find it with a cron script, because it doesn't list anything in the command column of the output of ps. Anyone have any advice for an automatic system for detecting these?
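One way to catch this from cron, as an added example that is not part of the original post. The thing the post's ps output shows is a process that has blanked its own argv (empty COMMAND column) while /proc/PID/exe still points at the real binary (/vz/root/482/usr/local/sysguard/sbin/sysguardd in the lsof output). Kernel threads and zombies also have an empty cmdline, but they have no readable exe link, which is how the script tells them apart. The script is assumed to run as root on the hardware node, where /proc lists every container's processes and exe targets resolve under /vz/root/<VEID>/; the PROC_ROOT argument and the script name blank-argv-scan.sh are assumptions of this example so the scan can be pointed at a constructed tree for testing.

```shell
#!/bin/sh
# blank-argv-scan.sh (hypothetical name): list user-space processes whose argv
# has been blanked out, the way the "sysguardd" relay above hides from ps.
# Added example, not code from the original post.

# scan_blank_argv PROC_ROOT
# Prints one line per suspicious process: "<pid> <VEID|host> <exe target>".
# PROC_ROOT is normally /proc; it is a parameter only so the logic can be run
# against a copy or a constructed test tree.
scan_blank_argv() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        # cmdline is NUL-separated; an argv that was overwritten with spaces
        # or truncated to nothing collapses to the empty string here.
        argv=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | tr -d ' \t\n')
        [ -z "$argv" ] || continue
        # Kernel threads and zombies have no exe target, so readlink fails and
        # they are skipped. A process that exited between the glob and this
        # read is skipped the same way. readlink prints the target even when it
        # no longer exists ("... (deleted)" on Linux), which is worth seeing.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        # On an OpenVZ node the exe path carries the container ID, as in the
        # lsof output above (/vz/root/482/...); host processes get "host".
        ct=$(printf '%s' "$exe" | sed -n 's|^/vz/root/\([0-9]*\)/.*|\1|p')
        printf '%s %s %s\n' "$pid" "${ct:-host}" "$exe"
    done
}

# When run as a script, scan the directory given as $1 (use /proc on a live
# node). cron mails any output, so an empty scan sends nothing.
if [ $# -gt 0 ]; then
    scan_blank_argv "$1"
fi
```

A cron line such as `*/10 * * * * root /usr/local/sbin/blank-argv-scan.sh /proc` (path assumed) produces mail only when something is found. Treat the output as a review list rather than a verdict: a few legitimate daemons rewrite their process title, so whitelist by exe path once you have looked at them, and pair the hit with `lsof -p PID` as in the post to confirm the listening and outbound sockets. The check only sees what /proc reports; a process hidden by a kernel-level rootkit will not appear, so a mismatch between this scan and what the network shows (a listener on a port no listed process owns) is itself a signal.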