The Community Forums

Interact with an entire community of cPanel & WHM users!

Exim, blank cwd parameter

Discussion in 'E-mail Discussions' started by pjabol, Mar 4, 2016.

  1. pjabol

    pjabol Registered

    Hi everyone,

    I have a problem with the exim log. From time to time I get a spam script in one of my clients' accounts. Until now I was finding the script file by the cwd line in exim_mainlog, but now suddenly the cwd parameter is always
    Code:
    cwd=/
    no matter from which account or script I send.

    I also tried to use SMTP_BLOCK and the FKA SMTP Tweak, but that did not solve the spam problem.
    Also, when I turned on the FKA SMTP Tweak, I got a notice when csf was restarting:
    Below is an example of cwd=/,
    first of a normal email send, second of a spam mail.

    Code:
    2016-03-04 13:07:15 [28431] 1aboVn-0007OZ-Cy <= me@server.com H=xxx.xxx.xxx.xxx [IP]:59612 I=[IP]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no SNI="server.com" A=dovecot_plain:me@server.com S=622 M8S=0 id=7319EEC4-32F2-43FE-A9C2-C0E052C36EE0@server.com T="test" from <me@server.com> for me@otherserver.com
    2016-03-04 13:07:15 [28436] cwd=/ 3 args: /usr/sbin/exim -Mc 1aboVn-0007OZ-Cy
    2016-03-04 13:07:15 [28436] 1aboVn-0007OZ-Cy SMTP connection outbound 1457093235 1aboVn-0007OZ-Cy server.com me@otherserver.com
    Code:
    2016-03-04 13:26:15 [22051]
    2016-03-04 13:26:15 [22051] 1abooB-0005jf-LF <= fakename@domain.com U=tanza557 P=local S=1441 M8S=0 id=8a2befb562c19bf95a2918e50da535d7@domain.com T="FastLove Call" from <fakename@domain.com> for xxx@gmail.com
    2016-03-04 13:26:15 [22056] cwd=/ 3 args: /usr/sbin/exim -Mc 1abooB-0005jf-LF
    2016-03-04 13:26:15 [22057] cwd=/ 4 args: /usr/sbin/sendmail -t -i -ffakename@domain.com
    2016-03-04 13:26:15 [22056] 1abooB-0005jf-LF SMTP connection outbound 1457094375 1abooB-0005jf-LF domain.com xxx@gmail.com
    
    and the data of mail control (from WHM)
    Code:
    user 533 500
    <fakename@domain.com>
    1457086136 0
    -ident user
    -received_protocol local
    -body_linecount 36
    -max_received_linelength 104
    -auth_id tanza557
    -auth_sender user@server.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    -sender_set_untrusted
    XX
    1
    xxx@aol.com
    Does anyone have any idea why cwd has become only a / instead of a full path?

    Oh, the server is on
    • CENTOS 6.7 x86_64 kvm
    • WHM 54.0 (build 18)

    Thanks for help.
     
    #1 pjabol, Mar 4, 2016
    Last edited by a moderator: Mar 4, 2016
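The "mail control" dump in the post above is the envelope part of Exim's spool header (-H) file for the queued message. Even when the log only shows cwd=/, that file still carries the account in -auth_id, the local user, the received protocol and the recipients. As an added example, not code from this thread or from cPanel, the Python below parses that layout and reports who submitted the message. The sample is constructed from the posted fragment (uid/gid, addresses and the account name are placeholders); the handling of an optional leading <msgid>-H line and of a non-empty non-recipient tree (YN lines in place of XX) follows the Exim spool-file format and is not shown anywhere on this page.

```python
import re

# Constructed sample, laid out like the spool-header (-H file) fragment shown
# in WHM above. uid/gid, addresses and the account name are placeholders.
SAMPLE_HEADER = """\
user 533 500
<fakename@domain.com>
1457086136 0
-ident user
-received_protocol local
-body_linecount 36
-max_received_linelength 104
-auth_id tanza557
-auth_sender user@server.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-sender_set_untrusted
XX
1
xxx@aol.com
"""

# A raw -H file starts with its own name: the message id followed by -H.
MSGID_LINE_RE = re.compile(r'^[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}-H$')


def parse_spool_header(text):
    """Parse the envelope part of an Exim -H spool file into a dict.

    Layout: optional '<msgid>-H' line, then 'login uid gid', '<sender>',
    'received_time warning_count', '-option [value]' lines, the tree of
    already-delivered/non-recipient addresses ('XX' when empty, otherwise
    'YN address' lines), the recipient count and the recipients. Message
    headers that follow the recipients in a full -H file are ignored here.
    """
    lines = text.splitlines()
    if lines and MSGID_LINE_RE.match(lines[0]):
        lines = lines[1:]
    login, uid, gid = lines[0].split()
    sender = lines[1].strip()[1:-1]            # strip the <> around the envelope sender
    received_time, warning_count = lines[2].split()

    options = {}
    i = 3
    while i < len(lines) and lines[i].startswith('-'):
        name, _, value = lines[i][1:].partition(' ')
        options[name] = value if value else True   # flag options carry no value
        i += 1

    # Skip the non-recipient tree: a lone 'XX' or lines of two Y/N letters.
    while i < len(lines) and (lines[i] == 'XX' or re.match(r'^[YN]{2} ', lines[i])):
        i += 1
    count = int(lines[i])
    recipients = [l.strip() for l in lines[i + 1:i + 1 + count]]

    return {
        'login': login, 'uid': int(uid), 'gid': int(gid),
        'sender': sender, 'received_time': int(received_time),
        'warning_count': int(warning_count), 'options': options,
        'recipients': recipients,
    }


def submitting_account(header):
    """Return (received_protocol, account) for the message.

    In the dump above the cPanel account appears in -auth_id; -ident and the
    login of the process that wrote the spool file are the fallbacks.
    """
    opts = header['options']
    account = opts.get('auth_id') or opts.get('ident') or header['login']
    return opts.get('received_protocol'), account


if __name__ == '__main__':
    h = parse_spool_header(SAMPLE_HEADER)
    proto, acct = submitting_account(h)
    print(f"{h['sender']} -> {', '.join(h['recipients'])}: protocol={proto} account={acct}")
```

Run it against the output of `exim -Mvh <msgid>` for a message still in the queue; the -auth_id value is the account to inspect when the log line only says cwd=/.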
  2. Jcats

    Jcats Well-Known Member

  3. nickl_sa

    nickl_sa Registered

    Hi there

    Now and again I SSH into my server to check whether any spam scripts are running, using the following command:

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    Today I got a report as follows:

    Code:
          6 /home/graphicm/public_html
          6 /home/kellydan/public_html
          6 /root
          8 /home/infracom
         10 /home/sardinia/public_html
         13 /home/bruniquelco/public_html
         16 /home/slenderw/public_html
         17 /home/pro3agen/public_html
         18
         30 /home/hoorawhi/public_html
         33 /home/stylemec
         38 /home/wbgroupc
        170 /home/propergr
      31309 /
    What do the 31309 (and climbing) messages in the / directory mean? There's no spam mail in the outgoing mail queue. How can I check the source of these mails?

    Thanks

    Nick
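The pipeline above counts cwd= lines by path, so every cwd=/ line lands in one bucket, including the "exim -Mc" delivery processes visible in the first post's log, which are not submissions at all. As an added example, not code from this thread or from cPanel, the Python below does the same count but joins each cwd= line to the "<=" line that the same PID logs next, drops the -Mc delivery lines, and, when the cwd is /, falls back to the U= user of a local submission, so the account can still be identified while the path is missing. The log sample is constructed in the format of the lines quoted in this thread (hosts, message ids, addresses and account names are invented) and assumes the [pid] field shown in the first post's lines.

```python
import re
from collections import Counter

# Constructed sample in the format of the exim_mainlog lines quoted in this
# thread. Hosts, message ids, addresses and account names are invented.
SAMPLE_LOG = """\
2016-03-04 13:07:15 [28431] 1aboVn-0007OZ-Cy <= me@server.com H=client.example [203.0.113.5]:59612 I=[198.51.100.9]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no SNI="server.com" A=dovecot_plain:me@server.com S=622 M8S=0 id=7319EEC4@server.com T="test" from <me@server.com> for me@otherserver.com
2016-03-04 13:07:15 [28436] cwd=/ 3 args: /usr/sbin/exim -Mc 1aboVn-0007OZ-Cy
2016-03-04 13:26:14 [22051] cwd=/home/tanza557/public_html 4 args: /usr/sbin/sendmail -t -i -ffakename@domain.com
2016-03-04 13:26:15 [22051] 1abooB-0005jf-LF <= fakename@domain.com U=tanza557 P=local S=1441 M8S=0 id=8a2bef@domain.com T="FastLove Call" from <fakename@domain.com> for xxx@gmail.com
2016-03-04 13:26:15 [22056] cwd=/ 3 args: /usr/sbin/exim -Mc 1abooB-0005jf-LF
2016-03-04 13:26:15 [22057] cwd=/ 4 args: /usr/sbin/sendmail -t -i -ffakename@domain.com
2016-03-04 13:26:16 [22057] 1abooC-0005jg-Ab <= fakename@domain.com U=tanza557 P=local S=1440 M8S=0 id=9c1d2e@domain.com T="FastLove Call" from <fakename@domain.com> for yyy@gmail.com
2016-03-04 13:26:16 [22060] cwd=/ 3 args: /usr/sbin/exim -Mc 1abooC-0005jg-Ab
2016-03-04 13:30:00 [22100] cwd=/home/otheracct/public_html 3 args: /usr/sbin/sendmail -t -i
2016-03-04 13:30:00 [22100] 1abooD-0005jh-Cd <= www@otheracct.example U=otheracct P=local S=900 M8S=0 id=ab12@otheracct.example T="contact form" from <www@otheracct.example> for someone@example.net
"""

LINE_RE = re.compile(r'^(\S+ \S+) \[(\d+)\] (.*)$')          # date time [pid] rest
CWD_RE = re.compile(r'^cwd=(\S*) \d+ args: (.*)$')           # cwd=PATH N args: ARGV
RECV_RE = re.compile(r'^(\S+) <= (\S+) (.*)$')               # MSGID <= SENDER fields
FIELD_RE = re.compile(r'(?<!\S)([A-Z][A-Za-z0-9]*)=("[^"]*"|\S+)')  # U=.. P=.. T=".."


def parse_submissions(text):
    """One record per '<=' (message received) line.

    A command-line submission (sendmail/exim run by a script) logs its cwd=
    line from the same PID just before its '<=' line, so the two are joined
    by PID. 'exim -Mc <id>' lines are Exim's own delivery processes, not
    submissions, and are skipped.
    """
    pending = {}    # pid -> (cwd, argv) not yet matched to a '<=' line
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, rest = m.groups()
        c = CWD_RE.match(rest)
        if c:
            cwd, argv = c.groups()
            if '-Mc' in argv.split():
                continue
            pending[pid] = (cwd, argv)
            continue
        r = RECV_RE.match(rest)
        if not r:
            continue
        msgid, sender, tail = r.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(tail)}
        cwd, argv = pending.pop(pid, (None, None))
        records.append({
            'time': ts, 'pid': pid, 'msgid': msgid, 'sender': sender,
            'cwd': cwd, 'argv': argv,
            'user': fields.get('U'), 'proto': fields.get('P'),
            'auth': fields.get('A'), 'subject': fields.get('T'),
        })
    return records


def origin(rec):
    """Best available attribution for one submission: the script directory
    when Exim logged a real one; the U= Unix user when a local submission
    only has cwd=/ (the symptom in this thread); the authenticated login
    for SMTP submissions."""
    if rec['cwd'] and rec['cwd'] != '/':
        return ('cwd', rec['cwd'])
    if rec['proto'] == 'local' and rec['user']:
        return ('user', rec['user'])
    if rec['auth']:
        return ('auth', rec['auth'])
    return ('unknown', '?')


def summarize(text):
    """Counts per origin, like the grep|sort|uniq -c pipeline above, but with
    delivery processes excluded and cwd=/ submissions still attributed."""
    return Counter(origin(r) for r in parse_submissions(text))


def lost_cwd(text):
    """Submissions for which Exim logged cwd=/ instead of the caller's directory."""
    return [r for r in parse_submissions(text) if r['cwd'] == '/']


if __name__ == '__main__':
    for (kind, who), n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f'{n:6d} {kind:5s} {who}')
    for r in lost_cwd(SAMPLE_LOG):
        print(f'cwd lost for {r["msgid"]}: U={r["user"]} argv={r["argv"]}')
```

Feed it `/var/log/exim_mainlog` instead of the sample to get a per-account table that is not swamped by delivery processes; entries of kind "user" are the submissions whose script directory the log no longer records.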
     
  4. hoststage

    hoststage Member

    I really want to put it out there that the recent Exim update isn't welcome at all:

    csf no longer processing LF_SCRIPT_ALERT | ConfigServer Services Blog

    Exim doesn't seem to return the proper path when scripts are sending emails.

    Please do something about that.
    Two days ago we were about to invest in some custom scripting working from this feature.

    If you could restore it, it would be hugely appreciated.
     
  5. hoststage

    hoststage Member

    Noticed the same thing. The latest info is that an Exim update will be released soon, and it will be fixed.
    @Jcats it was indeed from Exim CVE-2016-1531
     
  6. hoststage

    hoststage Member

    Apparently, update on its way, can't wait for it.
     
  7. Jcats

    Jcats Well-Known Member

    Hope so!
     
  8. Jcats

    Jcats Well-Known Member

  9. Eric

    Eric Administrator
    Staff Member

    Howdy,

    I bet this is part of the Exim update. Give us a few days and we'll have a patch that will fix this.

    Thanks!
     
  10. hoststage

    hoststage Member

    Is it official or a temporary workaround until an official update is released?
    Did it work properly for you ?
     
  11. Jcats

    Jcats Well-Known Member

    We can't use that patch; it's used when building Exim, not after it's already installed, so we're just SOL. We've already had 3 servers get blacklisted; I've just been tailing mail logs all night.
     
  12. rahulkshinde

    rahulkshinde Registered

    The Exim logs do not show the detailed entries


    Steps to reproduce:

    grep 'cwd=/home' /var/log/exim_mainlog | grep '2016-03-02' | less

    The above command shows this output:

    2016-03-02 01:00:02 cwd=/home/##### 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root
    2016-03-02 01:06:04 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:06:10 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:08:14 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:08:16 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:10:02 cwd=/home/#####/ 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f ro

    whereas:

    grep 'cwd=/home' /var/log/exim_mainlog | grep '2016-03-04' | less


    does not show anything. We have confirmed and stopped the active spamming from this server, but the logs still did not collect any cwd paths.

    This has been since the Exim CVE-2016-1531 update.

    As a result, our malware quarantine script stopped working, as it's not getting the path. We have submitted a ticket to Support and they have recognized this as bug CPANEL-4597.
     
  13. Robert Duller

    Robert Duller Registered

    Any update on this yet?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The lack of a specific current working directory (cwd) entry in /var/log/exim_mainlog stems from the recent Exim security patch:

    CVE-2016-1531 Exim - cPanel Knowledge Base - cPanel Documentation

    Internal case CPANEL-4597 addresses the issue and restores the previous functionality related to the "cwd" entry in the Exim logs. The resolution is already complete, so it's just a matter of completing internal testing before pushing it out to the public. You can monitor our change log to see when the resolution is released:

    Change Logs - Documentation - cPanel Documentation

    Note: I've merged multiple posts related to this issue into this thread.

    Thank you.
     
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    To update, the resolution is now published to the "Current" and "Release" build tiers as part of cPanel version 54.0.19:

    Fixed case CPANEL-4597: Emit cwd=/path/to/caller to logs when exim is called from command line.

    Thank you.
     
  16. Jcats

    Jcats Well-Known Member

    Woo hoo! Thank you!
     
  17. hoststage

    hoststage Member

    Yeehhaa! Way to go cPanel!
     
  18. rahulkshinde

    rahulkshinde Registered

    Thanks for the quick resolution on this guys :)
     