Email Problem: failed to open /etc/vfilters/domain-name.com

[antispam]

I've searched the Forum (Google also) but found no relevant info.

Suddenly, today, our server (CENTOS 6.3 x86_64 standard – WHM 11.34.1 (build 6))
stopped receiving e-mail messages.

On /var/log/exim_mainlog I found thousands of entries like:
R=central_filter defer (-1): failed to open /etc/vfilters/domain-name-X.com: Permission denied (euid=558 egid=557)
(for all domain names hosted on the server).

In /etc/vfilters, files were 640 (on access permission), owned by the appropriate user and the group was "mail". It seems normal.

However, the /etc/vfilters folder was owned by a reseller (e.g. reseller3), the group was "mail" and permissions were 640 (rw for owner, read for group, no access for others).

The same happened with valiases, vdomainaliases.
ls -ld /etc/v*
drw-r----- 2 reseller3 mail 12K Jan 9 11:41 valiases
drw-r----- 2 reseller3 mail 12K Jan 9 11:41 vdomainaliases
drw-r----- 2 reseller3 mail 12K Jan 9 17:59 vfilters

After changing permissions to 755, the errors have been eliminated and the mail messages are delivered normally.
ls -ld /etc/v*
drwxr-xr-x 2 reseller3 mail ****12K Jan ****9 11:41 valiases
drwxr-xr-x 2 reseller3 mail ****12K Jan ****9 11:41 vdomainaliases
drwxr-xr-x 2 reseller3 mail ****12K Jan ****9 17:59 vfilters

I have no clue how the owner was changed and why, or why the permissions missed the execute bit for the directories.

Any ideas?

 

[cPanelMichael]

Hello

Is it possible that someone with root access manually modified the permissions and ownership values? You may want to check the /root/.bash_history file to see if you notice any "chown" or "chmod" commands that could have made these changes.

Thank you.