Hello,
I'm having a weird issue and wondering if my system is compromised somehow. I'm on CloudLinux 6, migrated over recently due to CentOS 6 being EOL. I also have KernelCare. I get that it's long in the tooth, but the promise of CloudLinux was to delay having to deploy a new server by a few years.
Things had been running normally, then I get a ticket about a user that can't send e-mail. Check it out, they've hit their limit. SMTP log seems to have no record of these e-mails. Last time I had an issue like this it was sendmail being compromised. I disabled the sendmail script, and removed the web form from their webpage.
Thought that fixed it. Now today, another customer has the same issue. No record in the SMTP log aside from a few that they did actually send. I did the same and disabled it on their website too and changed permissions on the sendmail PHP file. But two other customers, including the one that was fixed previously, hit their limit again. I am now confused: three different customers, two with disabled sendmail scripts and one that didn't have one at all. But they are all hitting their limit and none had sent more than a few e-mails themselves. Even the warning message shows their own IP as the last IP that sent a message.
I did notice a strange issue when I got a notification from System Integrity Monitor about files not matching their md5, but didn't recall doing any updates myself. I also get notified immediately if root logs in, and the login history seems fine and I had no surprise login notifications. All the IPs seem normal and known to us. I figured something was running an update and thought nothing more of it after a quick check.
But this e-mail send limit thing has me worried. I am using Comodo WAF and ConfigServer Security & Firewall along with Login Failure Daemon and System Integrity Monitor. What on earth could be going on?
Service | Status
Apache 2.4.51 | Running
DirectAdmin 1.63.7 | Running
Exim 4.95 | Running
MySQL 5.7.37 | Running
Named 9.8.2rc1 | Running
sshd | Running
dovecot 2.3.18 (9dd8408c18) | Running
pure-ftpd 1.0.49 | Running
Php 7.4.28 | Installed

Process | PID(s) | Memory
clamd | 8800 | 1.17 GB
da-popb4smtp | 114742 | 0.832 MB
dovecot | 107491 | 176.3 MB
exim | 113411 | 5.56 MB
freshclam | 8821 | 2.16 MB
httpd | 174684 | 121.0 MB
lfd | 172890 | 24.9 MB
mysqld | 9084 | 455.1 MB
named | 130928 | 21.5 MB
pure-ftpd | 9524 | 2.04 MB
sshd | 130043 323675 323759 325848 326676 | 13.1 MB
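An added example, not from the post above: a small Python script that tallies Exim mainlog arrival lines by how each message entered the queue. Mail injected through the local sendmail binary (PHP mail(), web forms) is logged with `P=local U=<unix user>` and never appears as an SMTP authentication, which is one way a user's send count can climb while the SMTP log shows nothing. The log excerpt is a constructed sample; the user names and IPs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of an Exim mainlog (not taken from the post). Arrival ("<=") lines
# follow Exim's standard format: P=local with U=<unix user> when mail is injected through
# the local sendmail binary (e.g. PHP mail()), and P=esmtpsa with A=<auth>:<login> when it
# arrives over authenticated SMTP. Only the latter ever shows up as an SMTP login.
SAMPLE_MAINLOG = """\
2022-03-15 10:01:02 1nTzPk-0001Ab-2X <= joe@example.com U=joe P=local S=1024 id=a1@example.com
2022-03-15 10:01:03 1nTzPl-0001Ac-3Y <= joe@example.com U=joe P=local S=1031 id=a2@example.com
2022-03-15 10:01:05 1nTzPm-0001Ad-4Z <= joe@example.com U=joe P=local S=1029 id=a3@example.com
2022-03-15 10:02:03 1nTzPn-0001Ae-5A <= joe@example.com H=(pc) [203.0.113.5] P=esmtpsa A=login:joe@example.com S=2048 id=b1@pc
2022-03-15 10:03:00 1nTzPo-0001Af-6B <= sue@example.com H=(laptop) [203.0.113.9] P=esmtpsa A=login:sue@example.com S=1900 id=c1@laptop
2022-03-15 10:03:10 1nTzPo-0001Af-6B => bob@example.org R=lookuphost T=remote_smtp
"""

ARRIVAL_RE = re.compile(r'^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$')
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S+)')  # Exim key=value pairs such as U=, P=, A=

def classify(line):
    """Return (account, source) for an arrival line, or None for any other log line.

    source is 'smtp-auth' (account = SMTP login), 'local' (account = calling unix user)
    or 'other' (unauthenticated/remote delivery, account = envelope sender)."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('rest')))
    if 'A' in fields:
        return fields['A'].split(':', 1)[-1], 'smtp-auth'
    if fields.get('P') == 'local':
        return fields.get('U', '?'), 'local'
    return m.group('sender'), 'other'

def tally(log_text):
    """Count queued messages per (account, source)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return dict(counts)

def local_submitters(counts):
    """Unix users injecting mail via the local sendmail path, busiest first."""
    rows = sorted(((n, acct) for (acct, src), n in counts.items() if src == 'local'), reverse=True)
    return [acct for _, acct in rows]

if __name__ == '__main__':
    counts = tally(SAMPLE_MAINLOG)
    for (acct, src), n in sorted(counts.items()):
        print(f'{acct:20} {src:10} {n}')
    print('local submitters:', local_submitters(counts))
```

Running it against the real /var/log/exim/mainlog for the period when the limit was hit shows which unix user the local submissions were charged to, which points at the account (and the web content under it) to inspect rather than at the SMTP credentials.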