Mail Queue Administration

Click on one or a few messages to check out what's going on. Could be a cronjob configured without sending output to null, so it sends an e-mail.
 
I have installed CSF in DirectAdmin.
Look at one of the messages that I get:
(All the messages look like this.)

E-Mail Headers:
Code:
1P25Wa-0003Uu-CI-H
root 0 0
<[email protected]>
1286039128 0
-ident root
-received_protocol local
-body_linecount 41
-max_received_linelength 99
-allow_unqualified_recipient
-allow_unqualified_sender
XX
1
[email protected]

206P Received: from root by server.server.hostname.com with local (Exim 4.69)
	(envelope-from <[email protected]>)
	id 1P25Wa-0003Uu-CI
	for [email protected]; Sat, 02 Oct 2010 19:05:28 +0200
011* From: root
009* To: root
033T To: [email protected]
083  Subject: lfd on server.hostname.com: Suspicious process running under user rpc
038F From:  <[email protected]>
056I Message-Id: <[email protected]>
038  Date: Sat, 02 Oct 2010 19:05:28 +0200

E-Mail Body Chunk:
Code:
1P25Wa-0003Uu-CI-D
Time:    Sat Oct  2 19:05:28 2010 +0200
PID:     2399
Account: rpc
Uptime:  270252 seconds


Executable:

/sbin/portmap


Command Line (often faked in exploits):

portmap


Network connections by the process (if any):

udp: 0.0.0.0:111 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

2b7869d62000-2b7869d6b000 r-xp 00000000 fd:00 109052086                  /sbin/portmap
2b7869f6a000-2b7869f6b000 rw-p 00008000 fd:00 109052086                  /sbin/portmap
2b7869f6b000-2b7869f6c000 rw-p 2b7869f6b000 00:00 0 
2b7869f6c000-2b7869f88000 r-xp 00000000 fd:00 24281090                   /lib64/ld-2.5.so
2b7869f88000-2b7869f89000 rw-p 2b7869f88000 00:00 0 
2b7869f93000-2b7869f94000 rw-p 2b7869f93000 00:00 0 
2b786a187000-2b786a188000 r--p 0001b000 fd:00 24281090                   /lib64/ld-2.5.so
2b786a188000-2b786a189000 rw-p 0001c000 fd:00 24281090                   /lib64/ld-2.5.so
2b786a189000-2b786a19e000 r-xp 00000000 fd:00 24281279                   /lib64/libnsl-2.5.so
2b786a19e000-2b786a39d000 ---p 00015000 fd:00 24281279                   /lib64/libnsl-2.5.so
2b786a39d000-2b786a39e000 r--p 00014000 fd:00 24281279                   /lib64/libnsl-2.5.so
2b786a39e000-2b786a39f000 rw-p 00015000 fd:00 24281279                   /lib64/libnsl-2.5.so
2b786a39f000-2b786a3a1000 rw-p 2b786a39f000 00:00 0 
2b786a3a1000-2b786a4ef000 r-xp 00000000 fd:00 24281097                   /lib64/libc-2.5.so
2b786a4ef000-2b786a6ee000 ---p 0014e000 fd:00 24281097                   /lib64/libc-2.5.so
2b786a6ee000-2b786a6f2000 r--p 0014d000 fd:00 24281097                   /lib64/libc-2.5.so
2b786a6f2000-2b786a6f3000 rw-p 00151000 fd:00 24281097                   /lib64/libc-2.5.so
2b786a6f3000-2b786a6fa000 rw-p 2b786a6f3000 00:00 0 
2b786a6fa000-2b786a704000 r-xp 00000000 fd:00 24281112                   /lib64/libnss_files-2.5.so
2b786a704000-2b786a903000 ---p 0000a000 fd:00 24281112                   /lib64/libnss_files-2.5.so
2b786a903000-2b786a904000 r--p 00009000 fd:00 24281112                   /lib64/libnss_files-2.5.so
2b786a904000-2b786a905000 rw-p 0000a000 fd:00 24281112                   /lib64/libnss_files-2.5.so
2b786f242000-2b786f263000 rw-p 2b786f242000 00:00 0                      [heap]
7fff7cc1a000-7fff7cc2f000 rw-p 7ffffffea000 00:00 0                      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]

Log:
Code:
2010-10-02 19:05:28 Received from [email protected] U=root P=local S=2938 T="lfd on server.hostname.com: Suspicious process running under user rpc"
2010-10-02 19:05:28 [email protected] R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list

So, how can I fix this?

Thanks!
 
Configure CSF to send mails to a valid e-mail address. Search for LF_ALERT_TO and X_ARF_TO.

You can also change other settings so it won't send any e-mails at all, but it's quite handy. I've set up a special mail account for it where I receive all mails from csf.
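Added example (not from the thread, and not code from CSF, lfd or Exim): a small Python triage helper that parses an Exim spool header (-H) file of the shape quoted above and the matching defer line from the log, so a queue full of lfd alerts addressed to root can be spotted from the spool itself. The spool text and log line are constructed to mirror the thread, with the redacted addresses replaced by a placeholder hostname.

```python
import re
# Constructed sample modelled on the Exim spool header (-H) file quoted in the
# thread; the redacted addresses are replaced with an illustrative hostname.
SPOOL_H = """1P25Wa-0003Uu-CI-H
root 0 0
<root@server.hostname.com>
1286039128 0
-ident root
XX
1
root@server.hostname.com

206P Received: from root by server.hostname.com with local (Exim 4.69)
\tid 1P25Wa-0003Uu-CI
011* From: root
033T To: root@server.hostname.com
083  Subject: lfd on server.hostname.com: Suspicious process running under user rpc
"""
# Constructed mainlog line in the same shape as the defer line quoted in the thread.
LOG_LINE = ("2010-10-02 19:05:28 root@server.hostname.com R=localuser T=local_delivery"
            " defer (-29): User 0 set for local_delivery transport is on the never_users list")
HDR = re.compile(r"^(\d{3})(.)\s(.*)$")  # spool header line: byte count, type flag, text

def parse_spool_header(text):
    """Id, sender, recipients and live headers of a -H spool file (folds joined by whitespace)."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "sender": lines[2].strip("<>"), "headers": {}}
    i = 4
    while lines[i].startswith("-"):      # envelope option lines
        i += 1
    i += 1                               # skip the non-recipients tree marker ("XX")
    n = int(lines[i]); i += 1
    msg["recipients"] = lines[i:i + n]; i += n + 1   # +1 skips the blank separator
    name = None
    for line in lines[i:]:
        m = HDR.match(line)
        if line[:1] in (" ", "\t") and name:        # folded continuation line
            msg["headers"][name] += " " + line.strip()
        elif not m or m.group(2) == "*":            # '*' flags a header Exim replaced
            name = None
        else:
            name, value = m.group(3).split(":", 1)
            msg["headers"][name] = value.strip()
    return msg

def defer_reason(log_line):
    """Router, transport and reason from an Exim mainlog 'defer' line, else None."""
    m = re.search(r"\S+ R=(\S+) T=(\S+) defer \(-?\d+\): (.*)$", log_line)
    return {"router": m.group(1), "transport": m.group(2), "reason": m.group(3)} if m else None
```

Pointing parse_spool_header at each *-H file under the Exim input spool (the exact spool path on a DirectAdmin box is an assumption, check your exim.conf) and grouping the results by Subject and recipient shows at a glance whether the queue is made up of lfd alerts to root.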
 