Email sending as root - possible solutions.

crystalfat

Member
Mar 3, 2015
7
0
1
cPanel Access Level
Root Administrator
Hi there,

I wonder if anyone could point me in the right direction, yes i have read the prevent abuse doc but i fear a compromise may already have taken place.

Here is what i have so far;

On the mail delivery reports there are two emails trying to send from the root user every 8 mins.
At first i thought because it was getting deffered it was just retrying but it seems as though it gets rejected first and then deferred. There is no sign of it in the mail Queue manager.

Any advice is appreciated
Please find the log below;

Code:
Event: defer warning
Sender User: root
Sender Domain:
Sender: [email protected]
Sent Time: Mar 5, 2015 8:42:08 AM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score: 0
Recipient: [email protected]
Delivered To:
deliveryuser:
deliverydomain:
Router: lookuphost
Transport: remote_smtp
Out Time: Mar 5, 2015 8:42:08 AM
ID: 1YTRMI-00056c-2i
Delivery Host:
Delivery IP:
Size: 802 bytes
Result: remote host address is the local host
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,237
463
Hello :)

Are you able to determine the source of the message by reviewing /var/log/exim_mainlog for messages coming from "root"?

Thank you.
 

crystalfat

Member
Mar 3, 2015
7
0
1
cPanel Access Level
Root Administrator
Hello :)

Are you able to determine the source of the message by reviewing /var/log/exim_mainlog for messages coming from "root"?

Thank you.
Thank you for the response.
I am not well versed enough to search for a string in what i assume will be a huge file?
i did try to locate the message details using the ID however the message had been deleted. when the message is sent it is deferred for a retry and then when retried it is deleted. It doesnt seem to log.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,237
463
You can use the "exigrep" utility to search /var/log/exim_mainlog. EX:

Code:
exigrep MSGID /var/log/exim_mainlog
Thank you.
 

crystalfat

Member
Mar 3, 2015
7
0
1
cPanel Access Level
Root Administrator
This is what i got from the mainlog. It

Code:
2015-03-05 18:37:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YTaeT-0000Ho -O2

2015-03-05 18:37:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1YTaeT-0000Ho-O2

2015-03-05 18:37:42 1YTaeT-0000Ho-O2 <= [email protected] U= root P=local S=777 T="lfd on Vps.mydomain.com: SSH login alert f or user root from 82.17.147.242 (GB/United" for root
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 remote host address is the local host: vps. mydomain.com
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 == [email protected] R= lookuphost defer (-1): remote host address is the local host
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 ** [email protected]: r etry timeout exceeded
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 Completed

2015-03-05 18:37:42 1YTaeU-0000I7-DI <= <> R=1YTaeT-0000Ho-O2 U=mailnull P=local S=1730 T="Mail delivery failed: returning message to sender" for [email protected] mydomain.com
2015-03-05 18:37:42 1YTaeU-0000I7-DI remote host address is the local host: vps. mydomain.com
2015-03-05 18:37:42 1YTaeU-0000I7-DI == [email protected] R= dkim_lookuphost defer (-1): remote host address is the local host
2015-03-05 18:37:42 1YTaeU-0000I7-DI ** [email protected]: r etry timeout exceeded
2015-03-05 18:37:42 1YTaeU-0000I7-DI [email protected]: erro r ignored
2015-03-05 18:37:42 1YTaeU-0000I7-DI Completed
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,237
463
It looks like this message stems from your LFD application. Is a valid email address configured as the "root" contact address in "WHM Home » Server Contacts » Edit System Mail Preferences"?

Thank you.
 

crystalfat

Member
Mar 3, 2015
7
0
1
cPanel Access Level
Root Administrator
It looks like this message stems from your LFD application. Is a valid email address configured as the "root" contact address in "WHM Home » Server Contacts » Edit System Mail Preferences"?

Thank you.
Having checked i can see there are no forwards set up for root, nobody or cpanel. I shall correct this now.

thanks for your help.

best
chris