Exim, blank cwd parameter

pjabol

• March 04, 2016 07:03

hi Everyone, I have a problem with exim log. from time to time I have a spam script from my clients account. Till now I was searching of script file by cwd line in exim_mainlog, but now suddenly cwd parameter id always
cwd=/
no matter from what account I send or script. I also tried to use SMTP_BLOCK and FKA SMTP Tweak but that did not solve spam problem. also when i turned on FKA SMTP Tweak i got a notice when csf was restarting: WARNING* The option "WHM > Security Center > SMTP Restrictions" is incompatible with this firewall. The option must be disabled in WHM and the SMTP_BLOCK alternative in csf used instead
Lower is example of cwd=/ first od normal email send, second of spam mail
016-03-04 13:07:15 [28431] 1aboVn-0007OZ-Cy <= me@server.com H=xxx.xxx.xxx.xxx [IP]:59612 I=[IP]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no SNI="server.com" A=dovecot_plain:me@server.com S=622 M8S=0 id=7319EEC4-32F2-43FE-A9C2-C0E052C36EE0@server.com T="test" from for me@otherserver.com 2016-03-04 13:07:15 [28436] cwd=/ 3 args: /usr/sbin/exim -Mc 1aboVn-0007OZ-Cy 2016-03-04 13:07:15 [28436] 1aboVn-0007OZ-Cy SMTP connection outbound 1457093235 1aboVn-0007OZ-Cy server.com me@otherserver.com

2016-03-04 13:26:15 [22051] 2016-03-04 13:26:15 [22051] 1abooB-0005jf-LF <= fakename@domain.com U=tanza557 P=local S=1441 M8S=0 id=8a2befb562c19bf95a2918e50da535d7@domain.comT="FastLove Call" from for xxx@gmail.com 2016-03-04 13:26:15 [22056] cwd=/ 3 args: /usr/sbin/exim -Mc 1abooB-0005jf-LF 2016-03-04 13:26:15 [22057] cwd=/ 4 args: /usr/sbin/sendmail -t -i -ffakename@domain.com 2016-03-04 13:26:15 [22056] 1abooB-0005jf-LF SMTP connection outbound 1457094375 1abooB-0005jf-LF domain.com xxx@gmail.com
and the data of mail control (from WHM)
user 533 500 1457086136 0 -ident user -received_protocol local -body_linecount 36 -max_received_linelength 104 -auth_id tanza557 -auth_sender user@server.com -allow_unqualified_recipient -allow_unqualified_sender -local -sender_set_untrusted XX 1 xxx@aol.com
Does any one have any idea why CWD has become only a / instead of a full path? Oh, the serve is on [LIST]

CENTOS 6.7 x86_64 kvm

WHM 54.0 (build 18) Thanks for help.

• 

  Jcats

  • March 04, 2016 22:49

  +1 I am having the same issue, I think this started occurring since cPanel Security Team: exim CVE-2016-1531 All I am seeing is cwd=/

  0
• 

  nickl_sa

  • March 05, 2016 12:57

  Hi there Now and again I SSH into my server to check if any spam scripts are running using the following code -
  grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
  Today a got a report as follows -
  6 /home/graphicm/public_html 6 /home/kellydan/public_html 6 /root 8 /home/infracom 10 /home/sardinia/public_html 13 /home/bruniquelco/public_html 16 /home/slenderw/public_html 17 /home/pro3agen/public_html 18 30 /home/hoorawhi/public_html 33 /home/stylemec 38 /home/wbgroupc 170 /home/propergr 31309 /
  What does the 31309 (and climbing) messages in the / directory mean? There's no spam mails in the outgoing mail queue. How can I check the source of these mails? Thanks Nick

  0
• 

  hoststage

  • March 05, 2016 16:42

  I really want to put it out there that the recent exim update isn't welcome at all : csf no longer processing LF_SCRIPT_ALERT | ConfigServer Services Blog Exim doens't seem to return the proper path when scripts are sending emails. Please do something about that. We were about to invest 2 days ago into some custom script working from this feature. If you could restore it, it would be hugely appreciated.

  0
• 

  hoststage

  • March 05, 2016 16:56

  Noticed the same thing. And latest info, is that an Exim update shall be released soon, it will be fixed. @Jcats it was indeed from Exim CVE-2016-1531

  0
• 

  hoststage

  • March 05, 2016 17:09

  Apparently, update on its way, can't wait for it.

  0
• 

  Jcats

  • March 05, 2016 21:00

  Hope so!

  0
• 

  Jcats

  • March 05, 2016 21:02

  Bug 1805 " Recent Exim CVE mitigation breaks customer ability to determine where mail was sent from.

  0
• 

  Eric

  • March 06, 2016 00:33

  Howdy, I bet this is part of the Exim update. Give us a few days and we have a patch that will fix this. Thanks!

  0
• 

  hoststage

  • March 06, 2016 08:24

  Is it official or a temporary work around until an official update is released ? Did it work properly for you ?

  0
• 

  Jcats

  • March 06, 2016 12:29

  We can't use that patch, its used for when building exim, not after its already installed so just SOL. We've already had 3 servers get black listed, just been tailing mail logs all night.

  0
• 

  rahulkshinde

  • March 07, 2016 04:21

  Exim logs does not shows the detailed logs Steps to reproduce: cat /var/log/exim_mainlog | grep 'cwd=/home' | grep '2016-03-02'| less above command shows output : 2016-03-02 01:00:02 cwd=/home/##### 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root 2016-03-02 01:06:04 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i 2016-03-02 01:06:10 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i 2016-03-02 01:08:14 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i 2016-03-02 01:08:16 cwd=/home/#####/public_html 3 args: /usr/sbin/sendmail -t -i 2016-03-02 01:10:02 cwd=/home/#####/ 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f ro where as : cat /var/log/exim_mainlog | grep 'cwd=/home' | grep '2016-03-04'| less does not show anything, we have confirmed and stopped the active spamming from this server but still logs did not collect any CWD paths This has been since the Exim CVE-2016-1531 update. Result of this our malware quarantine script stop working as its not getting the path. We have submitted a ticket to Support and they have recognize this as Bug CPANEL-4597.

  0
• 

  Robert Duller

  • March 07, 2016 15:14

  any update on this yet?

  0
• 

  cPanelMichael

  • March 07, 2016 18:49

  Hello :) The lack of a specific current working directory (cwd) entry in /var/log/exim_mainlog stems from the recent Exim security patch:

  0
• 

  cPanelMichael

  • March 08, 2016 17:25

  To update, the resolution is now published to the "Current" and "Release" build tiers as part of cPanel version 54.0.19: Fixed case CPANEL-4597: Emit cwd=/path/to/caller to logs when exim is called from command line. Thank you.

  0
• 

  Jcats

  • March 09, 2016 01:10

  To update, the resolution is now published to the "Current" and "Release" build tiers as part of cPanel version 54.0.19: Fixed case CPANEL-4597: Emit cwd=/path/to/caller to logs when exim is called from command line. Thank you.

  
  Woo hoo! Thank you!

  0
• 

  hoststage

  • March 09, 2016 10:03

  Yeehhaa! Way to go cPanel!

  0
• 

  rahulkshinde

  • March 11, 2016 06:37

  Thanks for the quick resolution on this guys :)

  0

Please sign in to leave a comment.