

email Scripts alert for wheel users




Posted by martin33, 03-14-2012, 03:20 AM
Hi,

On all our servers where we are using a wheel user to ssh, after we disallowed the root ssh login, we are receiving about 100 or more of these emails from config server firewall (csf):

Time: Wed Mar 14 03:10:15 2012 -0400
Path: /home/wheeluser
Count: 101 emails sent

Sample of the first 10 emails:

2012-03-14 03:00:13 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:19 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:24 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:31 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:37 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:43 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:49 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:55 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:56 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2012-03-14 03:01:07 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc

Possible Scripts:
___

The strangest thing is that some of these emails show the emails sent by other users on the server, like this:

2012-03-14 01:00:04 cwd=/var/spool/cron 6 args: /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
2012-03-14 01:00:12 1S7gJg-0002D2-Ff => contact@emaildomain.com R=lookuphost T=remote_smtp H=domain.com [184.000.000.000] X=TLSv1:AES256-SHA:256

What does this mean exactly? The wheel users are not hosting accounts; these are simply users allowed to ssh and sudo. The system is a cPanel server with CentOS 6.

Thanks in advance for your assistance on this!

Posted by brianoz, 03-14-2012, 05:46 PM
exim -bpc displays the count of queued emails. I'd say a cron job is running this command.

Posted by martin33, 03-22-2012, 03:05 PM
Hi,

I verified and I cannot find the cron job in question. Where is it supposed to be exactly? I cannot find it in crontab -e.

Since I have the same problem on every cPanel server with a wheel user, I am pretty sure other people are receiving similar emails.

Thanks in advance for any assistance on this!
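An added example, not part of the original thread: a small shell function that groups exim `cwd=` log lines by working directory and by what the call was asked to do, so queue checks such as `exim -bpc` can be told apart from invocations that may submit mail. The function name `summarise_cwd` and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): break down exim "cwd=" log lines by
# working directory and by what the exim/sendmail call was asked to do.

# Constructed sample, modelled on the log lines quoted in the first post.
sample_log() {
cat <<'EOF'
2012-03-14 03:00:13 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:19 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:24 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:31 cwd=/home/wheeluser 2 args: /usr/sbin/exim -bpc
2012-03-14 03:00:56 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2012-03-14 01:00:04 cwd=/var/spool/cron 6 args: /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
2012-03-14 01:00:12 1AbCdE-000001-Xy => user@example.com R=lookuphost T=remote_smtp H=mail.example.com [192.0.2.1]
EOF
}

# summarise_cwd (hypothetical name): reads log lines on stdin and prints
# "<count> <cwd> <kind>", where kind is
#   queue-list  first option starts with -bp (e.g. -bpc: only reports the queue)
#   queue-run   first option starts with -q  (processes mail already queued)
#   other       anything else, including calls that submit a new message
summarise_cwd() {
  awk '
    $3 ~ /^cwd=/ {
      dir = substr($3, 5)                 # strip the "cwd=" prefix
      for (i = 4; i <= NF; i++) if ($i == "args:") break
      opt = $(i + 2)                      # $(i+1) is the binary, then its first option
      kind = "other"
      if (opt ~ /^-bp/) kind = "queue-list"
      else if (opt ~ /^-q/) kind = "queue-run"
      n[dir " " kind]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | summarise_cwd
```

On a real server the input would be the exim main log instead of `sample_log` (assumed to be `/var/log/exim_mainlog` on cPanel).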


