Portal Home > Knowledgebase > Articles Database > email Scripts alert for wheel users
email Scripts alert for wheel users
Posted by martin33, 03-14-2012, 03:20 AM |
Hi,
On all our servers where we are using a wheel user to ssh, after we disallowed the root ssh login, we are receiving about 100 and more of theses emails from config server firewall (csf) :
Time: Wed Mar 14 03:10:15 2012 -0400
Path: /home/wheeluser
Count: 101 emails sent Sample of the first 10 emails:
2012-03-14 03:00:13 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:19 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:24 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:31 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:37 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:43 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:49 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:55 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:56 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2012-03-14 03:01:07 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
Possible Scripts:
___
The most strange is some of theses emails show the emails sent by other users on the server...
...like this :
2012-03-14 01:00:04 cwd=/var/spool/cron 6 args: /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
2012-03-14 01:00:12 1S7gJg-0002D2-Ff => contact@emaildomain.com R=lookuphost T=remote_smtp H=domain.com [184.000.000.000] X=TLSv1:AES256-SHA:256
What this means exactly?
The wheel users are not hosting accounts... theses are simply users allowed to ssh, and sudo.
The system is a cPanel server, with centos 6.
Thanks in advance for your assistance on this!
|
Posted by brianoz, 03-14-2012, 05:46 PM |
exim -bpc displays the count of queued emails.
I'd say a cron job is running this command.
|
Posted by martin33, 03-22-2012, 03:05 PM |
Hi,
I verified and i cannot find the cron job in question. Where is it supposed to be exactly? I cannot find it in crontab -e
Since i have the same problem on every cPanel servers with a wheel user, i am pretty sure other peoples are receiving similar emails.
Thanks in advance to bring assistance on this!
|
Add to Favourites Print this Article
Also Read
Good UK Host (Views: 594)