Failed to connect to socket /com/ubuntu/upstart: Cannot allocate memory

  • pass
  • 09/19/10
  • Offline
Posted: Mon, 2011-11-28 09:02

I cannot do a reboot: I get the error ' Failed to connect to socket /com/ubuntu/upstart: Cannot allocate memory' each time.

How does one determine the cause of this?


Howdy, It sounds like you

  • andreychek
  • 01/04/09
  • Offline
  • Mon, 2011-11-28 10:04

Howdy,

It sounds like you may be dealing with memory problems there... what is the output of this command:

free -m


It is is better than the

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 10:10

It is is better than the other server, which is running well:

 free -m
             total       used       free     shared    buffers     cached
Mem:          1024        747        276          0          0          0
-/+ buffers/cache:        747        276
Swap:         1024          1       1022


So it seems that Postfix has

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 11:31

So it seems that Postfix has been spewing spam like crazy, and this is eating all of my available memory. What can I do here? I have no logged in users, no mail in the queue, but 20K messages!!


Hmm, what do you mean by 20k

  • andreychek
  • 01/04/09
  • Offline
  • Mon, 2011-11-28 11:58

Hmm, what do you mean by 20k messages? Where are you seeing that number?

It's really unusual for Postfix to send a large number of messages without any appearing in the mail queue.

-Eric


I know - but I flushed the

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 12:10

I know - but I flushed the mail queue, which reported 19621 messages:

postsuper -d ALL

Webmin showed zero.


My concern is that somehow,

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 12:12

My concern is that somehow, on a system that has nothing other than the base OS + virtualmin, someone was able to make use of the resources.


Well, if you see anything

  • andreychek
  • 01/04/09
  • Offline
  • Mon, 2011-11-28 12:33

Well, if you see anything like that again -- what I'd suggest doing before deleting all those is to actually view one -- look at the full headers, as well as the message body -- as the emails in your mail queue contain the info you need in order to discover their origin.

You'd be able to determine what email account they originated from, and typically whether they were sent from a web app, or directly via Postfix.

Without a copy of any of those messages, it'd be difficult to determine their cause. The best you can do is review your mail logs for any activity during the time you were experiencing the problem, as well as review the web apps you have installed on your server, and make sure they're all up to date.

-Eric


Here are the last two of

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 12:37

Here are the last two of them:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- 1A247103F405C 1845 Mon Nov 28 18:54:56 MAILER-DAEMON (host mail.sponsoremail.com[46.105.165.165] said: 450 4.7.1


And: Received: from

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 12:42

And:

Received: from [xxx.xxx.xxx.xxx] by usfamily.net > (USFamily MTA v5/:PHRlc3RAc3BvbnNvcmVtYWlsLmNvbT48YW5nZWxtYXJnaWVAdXNmYW1pbHkubmV0Pg--) > with SMTP id <20111123000740002984700014> for ; > Wed, 23 Nov 2011 00:07:40 -0600 (CST) > (envelope-from test@sponsoremail.com) > Received: from User (203-113-207-177-static.TCS.netspace.net.au [203.113.207.177]) > by MY.DOMAINNAME.HERE (Postfix) with ESMTPA id C1EFE103F562E; > Tue, 22 Nov 2011 20:10:49 +0100 (CET) > Reply-To: > From: "Isabelle L. Taylor (Mrs)" > Subject: ANTI-FRAUD UNIT. > X-Source-Date: Wed, 23 Nov 2011 06:06:33 +1100 > Date: Wed, 23 Nov 2011 00:07:40 -0600 (CST) > MIME-Version: 1.0 > Content-Type: text/html; > charset="Windows-1251" > Content-Transfer-Encoding: 7bit > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 6.00.2600.0000 > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 >
>
>
>
>
>
> WORLD BANK GROUP GENEVA >
> Working Together For A FRAUD FREE Society >
> Email:metro.bank@asia.com >
> Divisional Head Isabelle L. Taylor (Mrs) >
> ANTI FRAUD UNIT. >
>   >
> Attn:Beneficiary >
>   >
> This is to officially notify you that the underlisted Bank has been mandated to finally approve and release your long awaited fund to you as the beneficiary. >
> The World Bank and the International Monetary Fund (IMF) in our first quater general meeting held in Geneva January 2011 released to the below Bank over >
> (FIVE BILLION UNITEDSTATES DOLLARS) to settle all outstanding payment (DEPT) emanating from Contract payments,Inherittance,Lotto Winning, >
> Compensation and many others to qualified beneificiaries which you happen to be among. >
>   >
> If you are interested in your claim, urgently contact this bank reconfirming the following to them.And do ensure that you stop any further communication with >
> any individual or organization henceforth regarding your payment as Meto Bank has been given the sole mandate for this programme. >
>   >
> YOUR FULL NAMES >
> CONTACT ADDRESS >
> WORKING PHONE/FAX NUMBERS >
> YOUR EXPECTED AMOUNT >
> IDENTIFICATION. >
>   >
> Contact Person:George S.K. Ty >
> Metro Bank of (Asia) Philippines >
> Metro bank Plaza >
> Sen. Gil Puyat Avenue >
> Makati City 1200, Philippines >
> Website:www.metrobank.com.ph >
> Email:metro.bank@asia.com >
>   >
> Regards >
> Isabelle L. Taylor (Mrs) >
>   >
>


So, you can use the

  • andreychek
  • 01/04/09
  • Offline
  • Mon, 2011-11-28 13:00

So, you can use the information in that email you posted in order to determine the cause.

This line here may help you determine it:

Received: from User (203-113-207-177-static.TCS.netspace.net.au [203.113.207.177])
       by MY.DOMAINNAME.HERE (Postfix) with ESMTPA id C1EFE103F562E;
       Tue, 22 Nov 2011 20:10:49 +0100 (CET)

The "User" specified there, as well as the IP address following that, are likely the culprit.

That username may have had it's password compromised. So, I'd change the password of the user "User", and you might consider blocking that IP address at your firewall.

-Eric


The thing is - I never

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 13:17

The thing is - I never created the user User - that is the actual name!


What output do you receive if

  • andreychek
  • 01/04/09
  • Offline
  • Mon, 2011-11-28 14:21

What output do you receive if you run the command postconf -n?

Also, just to rule out this as a possibility, you may want to run an open relay test on your server... there's a number of ways to do that, including this site here:

http://www.abuse.net/relay.html


postconf -n alias_database =

  • pass
  • 09/19/10
  • Offline
  • Mon, 2011-11-28 14:29

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mydestination = localhost.localdomain, MY.DOMAINNAME.COM, localhost.DOMAINNAME.COM, localhost
myhostname = MY.DOMAINNAME.COM
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
sender_bcc_maps = hash:/etc/postfix/bcc
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

Relay test result All tests performed, no relays accepted.