SOLVED: Tracking down rogue email script
Hello. I hope everyone is safe and healthy.
I'm trying to track down a potential rogue email script on my WHM/cPanel server as part of general maintenance.
I used this script to identify what directories are producing email alerts:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
It showed:
2 /rootls
9 /usr/local/cpanel/whostmgr/docroot
1913 /etc/csf
Now, understand this last exim_mainlog has its first entry on 2023-06-18 and today is 2023-06-24. Although this is several days' worth of logs, my server does not send out that kind of volume. Very low email volume. We see that some script in /etc/csf is generating the high volume.
Here is the interesting part - each uptick in volume corresponds to this exim entry:
2023-06-24 08:55:38 SMTP connection from [127.0.0.1]:51912 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2023-06-24 08:55:38 SMTP connection from (localhost) [127.0.0.1]:51912 I=[127.0.0.1]:25 closed by QUIT
2023-06-24 09:00:27 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
Exim -bpc is "print a count of the messages in the queue" but the queue is empty...
Viewing the exim logs as the count goes up triggered by exim -bpc does not show any outbound emails...
So... anyone have some advice on what may be happening here?
Is this just normal activity of exim tallying the queue?
Should I attempt to rebuild the exim stats database as described here:
> 2023-06-24 08:55:38 SMTP connection from [127.0.0.1]:51912 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
> 2023-06-24 08:55:38 SMTP connection from (localhost) [127.0.0.1]:51912 I=[127.0.0.1]:25 closed by QUIT
> 2023-06-24 09:00:27 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
> Exim -bpc is "print a count of the messages in the queue" but the queue is empty...
By default csf/lfd checks the length of the exim queue every 5 minutes. See LF_QUEUE_ALERT & LF_QUEUE_INTERVAL in CSF settings.
Aha! That solves it. Thanks so much. Appreciate it! SOLVED
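The pipeline in the original post counts every cwd= line the same way, so lfd's periodic queue inspections are indistinguishable from a script that actually hands mail to exim. The following is an added example, not code from the thread or from csf/lfd, that separates the two: it tallies queue-inspection invocations (exim -bp and its variants) per working directory, tallies any other invocations per directory, counts real message arrivals (the "<=" lines exim writes when a message enters the queue), and reports the cadence between the inspections so it can be compared with LF_QUEUE_INTERVAL. The log lines are constructed for the example, modelled on the layout quoted in the post; the /home/example/public_html path and the sendmail invocation are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample of exim_mainlog lines (assumed layout, modelled on the
# lines quoted in the post): lfd's queue probes from /etc/csf every five
# minutes, plus one real submission from a hypothetical web document root.
SAMPLE_LOG = """\
2023-06-24 09:00:27 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-06-24 09:02:10 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i
2023-06-24 09:02:10 1qCaaa-0001xy-Ab <= www-data@example.com U=example P=local S=512
2023-06-24 09:05:27 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-06-24 09:10:27 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-06-24 09:15:27 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
"""

# "cwd=<dir> <n> args: <argv>" lines written when exim's arguments logging is on.
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")
# "<msgid> <= <sender>" marks a message actually arriving in the queue.
ARRIVAL_RE = re.compile(r"^(\S+ \S+) \S+ <= ")

# Exim's queue-listing options; none of these submit or deliver mail.
QUEUE_QUERY_FLAGS = {"-bp", "-bpa", "-bpc", "-bpr", "-bpra", "-bpru", "-bpu"}


def classify(log_text):
    """Tally cwd= entries per directory, split into queue inspections and
    everything else, and count real message arrivals."""
    probes, other, probe_times, arrivals = {}, {}, [], 0
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            ts, cwd, args = m.groups()
            argv = args.split()
            if any(a in QUEUE_QUERY_FLAGS for a in argv[1:]):
                probes[cwd] = probes.get(cwd, 0) + 1
                probe_times.append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            else:
                # Anything else (sendmail -t, exim -t, exim -odq ...) is worth a look,
                # especially from a web docroot, /tmp or a user's home directory.
                other[cwd] = other.get(cwd, 0) + 1
            continue
        if ARRIVAL_RE.match(line):
            arrivals += 1
    return {
        "queue_probes": probes,
        "other_invocations": other,
        "arrivals": arrivals,
        "probe_times": probe_times,
    }


def probe_interval_minutes(probe_times):
    """Median gap in minutes between consecutive queue probes (None if fewer than two)."""
    if len(probe_times) < 2:
        return None
    gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(probe_times, probe_times[1:]))
    return gaps[len(gaps) // 2]


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    print("queue inspections per cwd:", result["queue_probes"])
    print("other invocations per cwd:", result["other_invocations"])
    print("messages that entered the queue:", result["arrivals"])
    print("minutes between inspections:", probe_interval_minutes(result["probe_times"]))
```

Run against the real /var/log/exim_mainlog, a large queue_probes count for /etc/csf at a cadence equal to LF_QUEUE_INTERVAL with a small arrivals count is exactly the lfd behaviour the answer describes. The entries to chase are the other_invocations, and any directory whose count is close to the number of arrivals.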