
Exim, blank cwd parameter

Discussion in 'E-mail Discussion' started by pjabol, Mar 4, 2016.

  1. pjabol

    pjabol Registered

    hi Everyone,

    I have a problem with the Exim log. From time to time I have a spam script in one of my clients' accounts. Until now I was searching for the script file by the cwd line in exim_mainlog, but now suddenly the cwd parameter is always
    Code:
    cwd=/
    no matter which account or script I send from.

    I also tried to use SMTP_BLOCK and FKA SMTP Tweak but that did not solve spam problem.
    Also, when I turned on the FKA SMTP Tweak I got a notice when csf was restarting:
    Below is an example of cwd=/
    first of a normal email send, second of a spam mail

    Code:
    2016-03-04 13:07:15 [28431] 1aboVn-0007OZ-Cy <= me@server.com H=xxx.xxx.xxx.xxx [IP]:59612 I=[IP]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no SNI="server.com" A=dovecot_plain:me@server.com S=622 M8S=0 id=7319EEC4-32F2-43FE-A9C2-C0E052C36EE0@server.com T="test" from <me@server.com> for me@otherserver.com
    2016-03-04 13:07:15 [28436] cwd=/ 3 args: /usr/sbin/exim -Mc 1aboVn-0007OZ-Cy
    2016-03-04 13:07:15 [28436] 1aboVn-0007OZ-Cy SMTP connection outbound 1457093235 1aboVn-0007OZ-Cy server.com me@otherserver.com
    Code:
    2016-03-04 13:26:15 [22051]
    2016-03-04 13:26:15 [22051] 1abooB-0005jf-LF <= fakename@domain.com U=tanza557 P=local S=1441 M8S=0 id=8a2befb562c19bf95a2918e50da535d7@domain.comT="FastLove Call" from <fakename@domain.com> for xxx@gmail.com
    2016-03-04 13:26:15 [22056] cwd=/ 3 args: /usr/sbin/exim -Mc 1abooB-0005jf-LF
    2016-03-04 13:26:15 [22057] cwd=/ 4 args: /usr/sbin/sendmail -t -i -ffakename@domain.com
    2016-03-04 13:26:15 [22056] 1abooB-0005jf-LF SMTP connection outbound 1457094375 1abooB-0005jf-LF domain.com xxx@gmail.com
    
    and the data of mail control (from WHM)
    Code:
    user 533 500
    <fakename@domain.com>
    1457086136 0
    -ident user
    -received_protocol local
    -body_linecount 36
    -max_received_linelength 104
    -auth_id tanza557
    -auth_sender user@server.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    -sender_set_untrusted
    XX
    1
    xxx@aol.com
    Does anyone have any idea why CWD has become only a / instead of a full path?

    Oh, the server is on
    • CENTOS 6.7 x86_64 kvm
    • WHM 54.0 (build 18)

    Thanks for help.
     
    #1 pjabol, Mar 4, 2016
    Last edited by a moderator: Mar 4, 2016
  2. Jcats

    Jcats Well-Known Member

  3. nickl_sa

    nickl_sa Registered

    Hi there

    Now and again I SSH into my server to check if any spam scripts are running using the following code -

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    Today I got a report as follows -

    Code:
          6 /home/graphicm/public_html
          6 /home/kellydan/public_html
          6 /root
          8 /home/infracom
         10 /home/sardinia/public_html
         13 /home/bruniquelco/public_html
         16 /home/slenderw/public_html
         17 /home/pro3agen/public_html
         18
         30 /home/hoorawhi/public_html
         33 /home/stylemec
         38 /home/wbgroupc
        170 /home/propergr
      31309 /
    What does the 31309 (and climbing) messages in the / directory mean? There's no spam mails in the outgoing mail queue. How can I check the source of these mails?

    Thanks

    Nick
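The counting pipeline above and the cwd=/ symptom from the first post, as an added example (not code from the thread or from cPanel): it parses cwd lines from exim_mainlog, skips Exim's own -Mc delivery processes and spool-directory entries the way the grep -v does, and for sendmail calls logged with cwd=/ falls back to the nearest preceding "<= ... U=user P=local" line to recover the submitting account. The log lines are constructed, modelled on the excerpts in this thread.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's excerpts (not real server data).
SAMPLE_LOG = """\
2016-03-04 13:07:15 [28436] cwd=/ 3 args: /usr/sbin/exim -Mc 1aboVn-0007OZ-Cy
2016-03-04 13:26:15 [22051] 1abooB-0005jf-LF <= fakename@domain.com U=tanza557 P=local S=1441 T="FastLove Call" from <fakename@domain.com> for xxx@gmail.com
2016-03-04 13:26:15 [22056] cwd=/ 3 args: /usr/sbin/exim -Mc 1abooB-0005jf-LF
2016-03-04 13:26:15 [22057] cwd=/ 4 args: /usr/sbin/sendmail -t -i -ffakename@domain.com
2016-03-04 13:30:00 [22100] cwd=/home/sardinia/public_html 3 args: /usr/sbin/sendmail -t -i
2016-03-04 13:31:00 [22101] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1abopQ-0001aa-Xy
"""

# "<date> <time> [pid] cwd=<dir> <n> args: <argv...>"
CWD_RE = re.compile(r'^(\S+ \S+) \[(\d+)\] cwd=(\S+) (\d+) args: (.*)$')
# "<= <envelope sender> U=<unix user> P=local" marks a local (script/cron) submission
LOCAL_SUBMIT_RE = re.compile(r' <= (\S+) U=(\S+) P=local ')

def script_senders(log_text):
    """Count local submissions per cwd, skipping Exim's own delivery processes
    (exim -Mc) and spool-directory entries, like the thread's grep pipeline."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue
        cwd, args = m.group(3), m.group(5)
        if cwd.startswith('/var/spool') or '-Mc' in args.split():
            continue
        counts[cwd] += 1
    return counts

def blank_cwd_submissions(log_text):
    """For sendmail calls logged with cwd=/ (the symptom in this thread), report
    the time, argv and the account from the nearest preceding local '<=' line."""
    hits = []
    recent = None  # (envelope sender, unix user) of the last local submission seen
    for line in log_text.splitlines():
        s = LOCAL_SUBMIT_RE.search(line)
        if s:
            recent = (s.group(1), s.group(2))
        m = CWD_RE.match(line)
        if m and m.group(3) == '/' and 'sendmail' in m.group(5):
            hits.append({'time': m.group(1), 'args': m.group(5), 'submitted_by': recent})
    return hits
```

When the cwd is blank, the U= user on the matching "<=" line is the only account attribution left in the log, which is why the thread's quarantine scripts broke.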
     
  4. hoststage

    hoststage Member
    PartnerNOC

    I really want to put it out there that the recent exim update isn't welcome at all :

    csf no longer processing LF_SCRIPT_ALERT | ConfigServer Services Blog

    Exim doesn't seem to return the proper path when scripts are sending emails.

    Please do something about that.
    We were about to invest 2 days ago into some custom script working from this feature.

    If you could restore it, it would be hugely appreciated.
     
  5. hoststage

    hoststage Member
    PartnerNOC

    Noticed the same thing. And latest info, is that an Exim update shall be released soon, it will be fixed.
    @Jcats it was indeed from Exim CVE-2016-1531
     
  6. hoststage

    hoststage Member
    PartnerNOC

    Apparently, update on its way, can't wait for it.
     
  7. Jcats

    Jcats Well-Known Member

    Hope so!
     
  8. Jcats

    Jcats Well-Known Member

  9. Eric

    Eric Administrator
    Staff Member

    Howdy,

    I bet this is part of the Exim update. Give us a few days and we have a patch that will fix this.

    Thanks!
     
  10. hoststage

    hoststage Member
    PartnerNOC

    Is it official or a temporary work around until an official update is released ?
    Did it work properly for you ?
     
  11. Jcats

    Jcats Well-Known Member

    We can't use that patch; it's used when building Exim, not after it's already installed, so we're just SOL. We've already had 3 servers get blacklisted; I've just been tailing mail logs all night.
     
  12. rahulkshinde

    rahulkshinde Member

    Exim logs do not show the detailed logs


    Steps to reproduce:

    cat /var/log/exim_mainlog | grep 'cwd=/home' | grep '2016-03-02'| less

    above command shows output :

    2016-03-02 01:00:02 cwd=/home/##### 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root
    2016-03-02 01:06:04 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:06:10 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:08:14 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:08:16 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-03-02 01:10:02 cwd=/home/#####/ 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f ro

    whereas:

    cat /var/log/exim_mainlog | grep 'cwd=/home' | grep '2016-03-04'| less


    does not show anything. We have confirmed and stopped the active spamming from this server, but the logs still did not collect any CWD paths.

    This has been since the Exim CVE-2016-1531 update.

    As a result, our malware quarantine script stopped working, as it's not getting the path. We have submitted a ticket to Support and they have recognized this as bug CPANEL-4597.
     
  13. Robert Duller

    Robert Duller Registered

    Any update on this yet?
     
  14. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello :)

    The lack of a specific current working directory (cwd) entry in /var/log/exim_mainlog stems from the recent Exim security patch:

    CVE-2016-1531 Exim - cPanel Knowledge Base - cPanel Documentation

    Internal case CPANEL-4597 addresses the issue and restores the previous functionality related to the "cwd" entry in the Exim logs. The resolution is already complete, so it's just a matter of completing internal testing before pushing it out to the public. You can monitor our change log to see when the resolution is released:

    Change Logs - Documentation - cPanel Documentation

    Note: I've merged multiple posts related to this issue into this thread.

    Thank you.
     
  15. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    To update, the resolution is now published to the "Current" and "Release" build tiers as part of cPanel version 54.0.19:

    Fixed case CPANEL-4597: Emit cwd=/path/to/caller to logs when exim is called from command line.

    Thank you.
     
  16. Jcats

    Jcats Well-Known Member

    Woo hoo! Thank you!
     
  17. hoststage

    hoststage Member
    PartnerNOC

    Yeehhaa! Way to go cPanel!
     
  18. rahulkshinde

    rahulkshinde Member

    Thanks for the quick resolution on this guys :)
     