Mail Queue Manager - Full of email failing to send to [email protected]

RyanR

Active Member
Jul 22, 2020
44
5
8
London
cPanel Access Level
Root Administrator
Hi,

As the title suggests, the WHM "Mail Queue Manager" is full of emails that are "Frozen" because it's attempting to send to [email protected] even though my email address is set within "Basic WebHost Manager® Setup".

Some example emails:

LFD Warning for LiteSpeed Memcached:

Code:
--1650961381-eximdsn-236217824
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    root cannot accept local mail deliveries

--1650961381-eximdsn-236217824
Content-type: message/delivery-status

Reporting-MTA: dns; hosting.websitehere.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1650961381-eximdsn-236217824
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from root by hosting.websitehere.com with local (Exim 4.95)
    (envelope-from <[email protected]>)
    id 1njGTN-00Ar6W-Ml
    for [email protected];
    Tue, 26 Apr 2022 08:23:01 +0000
To: [email protected]
Subject: lfd on hosting.websitehere.com: Suspicious File Alert
From:  <[email protected]>
Message-Id: <[email protected]>
Date: Tue, 26 Apr 2022 08:23:01 +0000

Time:   Tue Apr 26 08:23:01 2022 +0000
File:   /tmp/lsmcd/core.873669
Reason: Linux Binary
Owner:  nobody:nobody (99:99)
Action: No action taken

--1650961381-eximdsn-236217824--

LFD Warning for DigitalOcean Agent:

Code:
--1650961079-eximdsn-931866689
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    root cannot accept local mail deliveries

--1650961079-eximdsn-931866689
Content-type: message/delivery-status

Reporting-MTA: dns; hosting.websitehere.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1650961079-eximdsn-931866689
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from root by hosting.websitehere.com with local (Exim 4.95)
    (envelope-from <[email protected]>)
    id 1njGOV-00AkIb-UF
    for [email protected];
    Tue, 26 Apr 2022 08:17:59 +0000
To: [email protected]
Subject: lfd on hosting.websitehere.com: Excessive resource usage: do-agent (2351 (Parent PID:2351))
From:  <[email protected]>
Message-Id: <[email protected]>
Date: Tue, 26 Apr 2022 08:17:59 +0000

Time:         Tue Apr 26 08:17:59 2022 +0000
Account:      do-agent
Resource:     Process Time
Exceeded:     838791 > 3600 (seconds)
Executable:   /opt/digitalocean/bin/do-agent
Command Line: /opt/digitalocean/bin/do-agent --syslog
PID:          2351 (Parent PID:2351)
Killed:       No

--1650961079-eximdsn-931866689--
Return to Mail Queue Manager.
cPanel logo
102.0.12

LFD Warning for Redis Cache:

Code:
--1650961080-eximdsn-1625606399
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    root cannot accept local mail deliveries

--1650961080-eximdsn-1625606399
Content-type: message/delivery-status

Reporting-MTA: dns; hosting.websitehere.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1650961080-eximdsn-1625606399
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from root by hosting.websitehere.com with local (Exim 4.95)
    (envelope-from <[email protected]>)
    id 1njGOV-00AkIq-W6
    for [email protected];
    Tue, 26 Apr 2022 08:18:00 +0000
To: [email protected]
Subject: lfd on hosting.websitehere.com: Excessive resource usage: redis (2327 (Parent PID:2327))
From:  <[email protected]>
Message-Id: <[email protected]>
Date: Tue, 26 Apr 2022 08:17:59 +0000

Time:         Tue Apr 26 08:17:59 2022 +0000
Account:      redis
Resource:     Process Time
Exceeded:     838791 > 3600 (seconds)
Executable:   /usr/bin/redis-server
Command Line: /usr/bin/redis-server 127.0.0.1:6379
PID:          2327 (Parent PID:2327)
Killed:       No

--1650961080-eximdsn-1625606399--

LFD Warning for MariaDB:

Code:
--1650961079-eximdsn-195905650
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    root cannot accept local mail deliveries

--1650961079-eximdsn-195905650
Content-type: message/delivery-status

Reporting-MTA: dns; hosting.websitehere.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1650961079-eximdsn-195905650
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from root by hosting.websitehere.com with local (Exim 4.95)
    (envelope-from <[email protected]>)
    id 1njGOV-00AkIT-Sq
    for [email protected];
    Tue, 26 Apr 2022 08:17:59 +0000
To: [email protected]
Subject: lfd on hosting.websitehere.com: Excessive resource usage: mysql (2289 (Parent PID:2289))
From:  <[email protected]>
Message-Id: <[email protected]>
Date: Tue, 26 Apr 2022 08:17:59 +0000

Time:         Tue Apr 26 08:17:59 2022 +0000
Account:      mysql
Resource:     Process Time
Exceeded:     838791 > 3600 (seconds)
Executable:   /usr/sbin/mariadbd
Command Line: /usr/sbin/mariadbd
PID:          2289 (Parent PID:2289)
Killed:       No

--1650961079-eximdsn-195905650--

LFD Warning for Redis Cache:

Code:
--1650961079-eximdsn-826844882
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    root cannot accept local mail deliveries

--1650961079-eximdsn-826844882
Content-type: message/delivery-status

Reporting-MTA: dns; hosting.websitehere.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1650961079-eximdsn-826844882
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from root by hosting.websitehere.com with local (Exim 4.95)
    (envelope-from <[email protected]>)
    id 1njGOV-00AkIC-Oq
    for [email protected];
    Tue, 26 Apr 2022 08:17:59 +0000
To: [email protected]
Subject: lfd on hosting.websitehere.com: Suspicious process running under user redis
From:  <[email protected]>
Message-Id: <[email protected]>
Date: Tue, 26 Apr 2022 08:17:59 +0000

Time:    Tue Apr 26 08:17:59 2022 +0000
PID:     2327 (Parent PID:2327)
Account: redis
Uptime:  838791 seconds


Executable:

/usr/bin/redis-server


Command Line (often faked in exploits):

/usr/bin/redis-server 127.0.0.1:6379


Network connections by the process (if any):

tcp: 127.0.0.1:6379 -> 127.0.0.1:48738
tcp: 127.0.0.1:6379 -> 127.0.0.1:48778


Files open by the process (if any):

/dev/null
anon_inode:[eventpoll]


Memory maps by the process (if any):



--1650961079-eximdsn-826844882--

Code:
--1650960838-eximdsn-1466591586
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    root cannot accept local mail deliveries

--1650960838-eximdsn-1466591586
Content-type: message/delivery-status

Reporting-MTA: dns; hosting.websitehere.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1650960838-eximdsn-1466591586
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from root by hosting.websitehere.com with local (Exim 4.95)
    (envelope-from <[email protected]>)
    id 1njGKc-00AexU-KH
    for [email protected];
    Tue, 26 Apr 2022 08:13:58 +0000
To: [email protected]
Subject: lfd on hosting.websitehere.com: Suspicious process running under user nobody
From:  <[email protected]>
Message-Id: <[email protected]>
Date: Tue, 26 Apr 2022 08:13:58 +0000

Time:    Tue Apr 26 08:13:58 2022 +0000
PID:     2495253 (Parent PID:2495247)
Account: nobody
Uptime:  538 seconds


Executable:

/usr/local/lsmcd/bin/lsmcd


Command Line (often faked in exploits):

/usr/local/lsmcd/bin/lsmcd


Network connections by the process (if any):

tcp: 127.0.0.1:11211 -> 127.0.0.1:56182


Files open by the process (if any):

/dev/null
/dev/null
/tmp/lsmcd.log
/tmp/lsmcd.log
/dev/shm/lsmcd/data0.shm
/tmp/lsmcd/lsmcd.pid
/dev/shm/lsmcd/data0.lock
/dev/shm/lsmcd/data1.shm
/dev/shm/lsmcd/data1.lock
/dev/shm/lsmcd/data2.shm
/dev/shm/lsmcd/data2.lock
/dev/shm/lsmcd/data3.shm
/dev/shm/lsmcd/data3.lock
/dev/shm/lsmcd/data4.shm
/dev/shm/lsmcd/data4.lock
/dev/shm/lsmcd/data5.shm
/dev/shm/lsmcd/data5.lock
/dev/shm/lsmcd/data6.shm
/dev/shm/lsmcd/data6.lock
/dev/shm/lsmcd/data7.shm
/dev/shm/lsmcd/data7.lock
anon_inode:[eventpoll]


Memory maps by the process (if any):



--1650960838-eximdsn-1466591586--

If I go and look at the "EximStats" page in WHM and look at "Top 50 local senders by volume" or by count, it shows the top 2 are root (1254 emails) and mailnull (1252 emails), and I can't figure out why this is so high or why so many are trying to be sent.

I'd greatly appreciate some advice/help with this.

Thanks!
 

Spirogg

Well-Known Member
Feb 21, 2018
698
154
43
chicago
cPanel Access Level
Root Administrator
As the title suggests, the WHM "Mail Queue Manager" is full of emails that are "Frozen" because it's attempting to send to [email protected] even though my email address is set within "Basic WebHost Manager® Setup".

you need to forward root to a gmail or any email for your [email protected]

in WHM > Home » Server Contacts » Edit System Mail Preferences

you should add your email in this section for notifications cpanel and bottom one root

Home » Server Contacts » Edit System Mail Preferences


add your email here so you can get server notifications.

Forward mail for “cpanel” to:

[email protected] or similar email address
To forward email to one or more users on the server, or email addresses, enter them in a comma-separated list.

and another one at the bottom

Forward mail for “root” to:

[email protected] or similar email address
To forward email to one or more users on the server, or email addresses, enter them in a comma-separated list.
 

RyanR


Spirogg

Thanks, the big question after that is... why are there so many emails and how can I work out how to resolve them?
So all those emails are notifications (for example, ConfigServer CSF sends notifications to root, and so does WHM when Apache or other services go down, etc.).
Since you did not have that filled in with a forwarding email, you got all those emails stuck. Now when you update, most of those still pending will go to the new email you used in the forward section.

If you used Gmail for the forward email, make sure to check your spam folder and mark those emails as not spam. It's a pain, but then you won't get marked as spam by Gmail on all those emails ;)

It should just clear all the pending ones.
The Frozen ones you can try sending; I can't remember if it says unfreeze or retry.
 

Spirogg

Whitelist redis, lsmcd, mariadb so none of them get flagged as a suspicious process.
If you look at the emails for those you can see, for example:

Date: Tue, 26 Apr 2022 08:17:59 +0000

Time: Tue Apr 26 08:17:59 2022 +0000
PID: 2327 (Parent PID:2327)
Account: redis
Uptime: 838791 seconds


Executable:

/usr/bin/redis-server



Command Line (often faked in exploits):

/usr/bin/redis-server 127.0.0.1:6379



so you can copy the Executable line: /usr/bin/redis-server
and go to CSF
Edit /etc/csf/csf.pignore
and add it under another exe:


here is an example in CSF csf.pignore

exe:/usr/sbin/sw-engine-fpm
exe:/usr/sbin/sw-cp-serverd
exe:/sbin/rngd
exe:/usr/sbin/mariadbd
exe:/usr/sbin/atd
exe:/usr/lib/systemd/systemd-timesyncd
exe:/usr/lib/systemd/systemd-networkd
exe:/usr/sbin/rsyslogd
exe:/usr/lib/apt/methods/http
exe:/usr/sbin/rngd
exe:/usr/lib/systemd/systemd-resolved
exe:/usr/sbin/uuidd

so this was the last exe:
so you add the same

exe:/usr/bin/redis-server

then save the file.

there is also a dropdown in the GUI of CSF in WHM where you setup CSF
look under lfd - Login Failure Daemon

>> Edit lfd ignore file


so all those you mentioned you can have CSF LFD ignore sending you the email notification by adding the exe:/usr/bin whatever
it will tell you what the executable path is
and just add that and save.
hope this helps
 
  • Like
Reactions: cPRex and RyanR

Spirogg

Thanks, the big question after that is... why are there so many emails and how can I work out how to resolve them?

Unfreeze or force send.
the magnify glass you can read the emails. and you can just select all of them and delete them or send them.
i would read the emails from there and see if you see anything funny or huge error. and them just delete them. if there is any issues you will get notification again via your forwarding email you used so you don't get stuck as a spammer on your email you used if you have a lot of them that are frozen,

I do not know how many you have, but if it's a huge amount I would not send them; it can cause you trouble with your email account and mark your server as a spam server.

Gmail is funny like that. That is why I said to check your spam folder also (Gmail or Outlook or any email) so you can mark them as not spam, and then you should be able to get notifications to your inbox.

Also make sure your domain has an SSL certificate and all your SPF, DKIM etc. pass the test, and that your hostname has an SSL certificate as well, so you can send emails from the server.

If you go to cPanel,
under Email, check Email Deliverability for your domains.

It will tell you if you have any issues, and to the right the links will explain what each does and means.

OK, I'll leave you be. Just thought I would add this here; if you already knew this, someone else might find it useful :)

Kind Regards,
Spiro
 

RyanR

Active Member
Jul 22, 2020
44
5
8
London
cPanel Access Level
Root Administrator
Thanks for those great replies!

There were 2,000 emails queued up so I deleted them all instead. I set up some LFD ignores but even 12+ hours later I am receiving emails, though I think these are new emails rather than queued up ones...

I can confirm that DKIM & SPF & DMARC are all set up and correct, no issues with that.


I added the following rules to csf.pignore but they don't appear to be helping even after restarting both CSF and even the entire server.

Code:
pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.* # LiteSpeed
pexe:/usr/local/lsws/bin/lshttpd.* # LiteSpeed
exe:/usr/local/lsmcd/bin/lsmcd # LiteSpeed

exe:/usr/bin/redis-server # Redis
exe:/usr/bin/node # Redis
cmd:/usr/bin/redis-server 127.0.0.1:6379 # Redis

exe:/opt/digitalocean/bin/do-agent # DigitalOcean

cmd:lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp # LiteSpeed Extra
pexe:^/usr/local/lsws/bin/lshttpd.* # LiteSpeed Extra
pexe:^/opt/alt/php.*/usr/bin/lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp\.cagefs # LiteSpeed Extra

I have the following lfd warnings that I feel are all false positives...


Suspicious process running under user nobody
Executable: /usr/local/lsmcd/bin/lsmcd
Command Line (often faked in exploits): /usr/local/lsmcd/bin/lsmcd

Suspicious process running under user nobody
Executable: /usr/local/lsws/bin/lshttpd.6.0.11
Command Line (often faked in exploits): litespeed (lshttpd - #01)

Suspicious File Alert
File: /tmp/lsmcd/core.873669
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken

Excessive resource usage: customwheelaccount
Exceeded: 60647 > 3600 (seconds)

Executable: /usr/bin/bash
Command Line: -bash

Excessive resource usage: do-agent
Exceeded: 906203 > 3600 (seconds)

Executable: /opt/digitalocean/bin/do-agent
Command Line: /opt/digitalocean/bin/do-agent --syslog

Excessive resource usage: mysql
Exceeded: 906203 > 3600 (seconds)

Executable: /usr/sbin/mariadbd
Command Line: /usr/sbin/mariadbd

Suspicious process running under user redis
Executable: /usr/bin/redis-server
Command Line (often faked in exploits): /usr/bin/redis-server 127.0.0.1:6379

Excessive resource usage: redis
Exceeded: 909835 > 3600 (seconds)

Executable: /usr/bin/redis-server
Command Line: /usr/bin/redis-server 127.0.0.1:6379
 

Spirogg

Well-Known Member
Feb 21, 2018
698
154
43
chicago
cPanel Access Level
Root Administrator
@cPRex do you see anything wrong with this? If you can give us some input, please.

thanks
SPIRO