Home  >  Q&A  >  body text

linux - /var/spool/clientmqueue文件夹小文件数量暴涨!

ringa_leeringa_lee2764 days ago446

reply all(3)I'll reply

  • ringa_lee

    ringa_lee2017-04-17 15:04:14

    Looks like it’s your system’s crond+sendmail fault?

    And why don’t you ls -l |grep "^-"|wc -l use this find -type f|. .

    update: /www/web/xxx_com/public_html/includes/msn/1.shWhat is this?

    reply
    0
  • PHP中文网

    PHP中文网2017-04-17 15:04:14

    Use systemtap or audit to record what program caused it. Of course, if it is generated frequently, you can also use sysdig to get it.

    You can also open htop to see what processes there are, and then guess (you can press u and select the user). Then go to strace to see if you are lucky enough.

    reply
    0
  • 天蓬老师

    天蓬老师2017-04-17 15:04:14

    The problem is solved, let’s talk about the process:

    At the end of April, the website was hit by a Trojan horse, and the Trojan horse was deleted through investigation at that time.

    Just the day before yesterday, I found out in the morning that I could not log in to the website account. I judged from experience that it was because the server was full. I checked with df -h and found that the disk occupied 51%. If I checked again, the number of nodes was indeed full.

    Next, find a large number of fragmentary files such as qfu-xxxx in /var/spool/clientmqueue. If you use ll, it will crash. So I deleted them manually, but within a few hours, there were tens of thousands more.

    The next step is to search aimlessly and find no good solution. Through some other people's articles, I think it is because some program calls sendmail, but sendmail is not installed at all, so a large number of logs are generated.

    Just now, I suddenly remembered to see what was written in those scattered files. The forgotten ones of www cron sendmail reminded me. I ran to the crontab of www and took a look. There were dozens of calls to /www/web /xxx_com/public_html/includes/msn/1.sh records.

    Delete it and the problem is solved.

    reply
    0
  • Cancelreply