
I am taking care of an Ubuntu server (22.04) and suddenly I was not able to access some files via FTP. I checked a few things and noticed a gpg root process consuming a lot of CPU. It kept restarting as I killed it, so I did the following:

  1. Shut down the machine
  2. Boot in recovery mode
  3. run clamscan -r /

I was afraid this could be ransomware so that's why I got paranoid. Clamscan hasn't thrown any result yet, but I expect it won't.

Before powering it off, I also saw a lot of postfix processes that could not be killed (after killing them, they kept restarting). I don't know how to relate those two things, but I had never seen these many postfix processes.

/var/log/mail.log is 8 GB and /var/log/syslog shows a lot of weird activity related to this (exactly the same appears in /var/log/mail.log):

Feb 13 00:00:00 server3 postfix/cleanup[1734228]: 7F9D6B2A95: message-id=>22301258...
Feb 13 00:00:00 server3 postfix/local[1735989]: A40CDB220C5: to=<owner-owner-owner-owner-owner-owner-owner-owner-owner......

This goes on forever

Here is the suspicious thing, /var/log/mail.err shows these errors:

"fatal: root(0): message too big" as if something is trying to either attach large files or the "owner-owner-owner" text is huge.

I also saw that two other machines in the network had the same postfix issue, but not with gpg.

Any experience with these issues is welcome. Anyone that also has any insight would be very helpful. Do you think the gpg process might have been ransomware? What to do about it if clamscan does not find anything?

1 Answer

No, that just sounds like you have a mail loop where the same message is being cycled through the system (or possibly between two systems) over and over. The processes you saw were trying to deliver copies of the message; they reappear because there are still more copies to deliver. (Perhaps some of them are automatic "failed to deliver message" messages which themselves somehow trigger multiple copies of themselves.)

(If I had to guess, there's a "mailing list" setup involved somewhere which at first accepted "foo" as the list name and tried to deliver the message to "foo-owner", which is a common alias format for mailing-list administrators... but then interpreted "foo-owner" as a list name again, and tried to deliver the message to "foo-owner-owner", etc.)

Run mailq and take a look at the SMTP queue. If necessary, use postsuper -h ALL to put all of the messages on hold for manual inspection (they're in /var/spool/postfix) or -d ALL to delete all waiting messages.

  • That makes sense. Very helpful, thank you
    – Jorge
    Commented Feb 15, 2023 at 12:52
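As an added example (not part of the original question or answer), here is a small POSIX shell/awk script that does the triage the answer describes from the log rather than from the live queue: it pulls the recipient out of each postfix/local delivery line and counts how many times the local part has been wrapped in an "owner-" prefix, which is the shape the looping addresses take in the question's mail.log. Anything re-expanded past a chosen depth is a suspect, and the script prints its queue ID so it can be held and inspected. The log lines embedded in the script are constructed for the example, the address forms and queue IDs are made up, and the threshold of 3 is an arbitrary starting point.

```shell
#!/bin/sh
# Added example: find Postfix local deliveries whose recipient has been
# re-expanded through an "owner-" alias repeatedly (the mail-loop signature
# discussed above). Not code from the original post.

# Constructed sample lines in the general shape of Postfix mail.log output.
# Queue IDs and addresses are made up for this example.
SAMPLE_LOG='Feb 13 00:00:00 server3 postfix/local[1735989]: A40CDB220C5: to=<owner-owner-owner-owner-foo@example.com>, relay=local, status=sent (delivered to command: list-wrapper)
Feb 13 00:00:01 server3 postfix/local[1735990]: B51DEB220C6: to=<foo@example.com>, relay=local, status=sent (delivered to mailbox)
Feb 13 00:00:02 server3 postfix/local[1735991]: C62EFB220C7: to=<owner-owner-bar@example.com>, relay=local, status=sent (delivered to command: list-wrapper)
Feb 13 00:00:03 server3 postfix/smtp[1735995]: E84F1B220C9: to=<owner-owner-owner-owner-owner-baz@example.net>, relay=mx.example.net[192.0.2.10]:25, status=sent (250 OK)
Feb 13 00:00:04 server3 postfix/local[1735992]: D73F0B220C8: to=<owner-owner-owner-owner-owner-owner-foo@example.com>, relay=local, status=sent (delivered to command: list-wrapper)'

# owner_loop_suspects THRESHOLD < mail.log
# Prints "QUEUEID DEPTH ADDRESS" for each postfix/local delivery whose
# recipient starts with THRESHOLD or more "owner-" prefixes (default 3).
# Only local deliveries are considered, because that is where alias
# expansion (and therefore the loop) happens on this host.
owner_loop_suspects() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        /postfix\/local\[/ && match($0, /to=<[^>]*>/) {
            # strip the "to=<" and ">" around the address
            addr = substr($0, RSTART + 4, RLENGTH - 5)
            depth = 0
            rest = addr
            # peel off one "owner-" prefix per iteration; sub() returns 1 while it matches
            while (sub(/^owner-/, "", rest)) depth++
            if (depth >= thr) {
                # the queue ID is the only whitespace-delimited token that is
                # all hex digits followed by a colon
                qid = "?"
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^[0-9A-F]+:$/) { qid = substr($i, 1, length($i) - 1); break }
                }
                print qid, depth, addr
            }
        }'
}

# count_suspects THRESHOLD < mail.log  -> number of suspect deliveries
count_suspects() {
    owner_loop_suspects "$1" | awk 'END { print NR }'
}

# Stand-alone run against the constructed sample; on a real host use:
#   owner_loop_suspects 3 < /var/log/mail.log | sort -k2,2nr | head
printf '%s\n' "$SAMPLE_LOG" | owner_loop_suspects 3
```

Once the suspect queue IDs are known, `postcat -q <queue_id>` shows the full headers of one message (the Received: chain makes it obvious which host or alias is bouncing it back), and `postsuper -h <queue_id>` holds just that message rather than the whole queue. Raise the threshold if legitimate list-owner addresses on your system already carry one "owner-" prefix, so that a single expansion is not reported as a loop.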
