LinuxQuestions.org
Old 10-14-2004, 01:29 PM   #1
merlininthewood
LQ Newbie
 
Registered: Oct 2004
Location: Devon, England
Distribution: Ubuntu 10.04, Debian Lenny
Posts: 21

Rep: Reputation: 0
Worrying email message from cron


I have been receiving emails similar to below from my cron daemon on my RH9 web-server (1and1 root server running ensim):

Quote:
--header--
Return-Path: <root@myserverdomain>
Received: from myserverdomain (root@localhost)
by moretonhampstead.net (8.11.6/8.11.6) with ESMTP id i9EHb3917022
for <root@moretonhampstead.net>; Thu, 14 Oct 2004 18:37:03 +0100
Received: (from root@localhost)
by myserverdomain (8.11.6/8.11.6) id i9EHb1t17009
for root; Thu, 14 Oct 2004 18:37:01 +0100
Date: Thu, 14 Oct 2004 18:37:01 +0100
Message-Id: <200410141737.i9EHb1t17009@myserverdomain>
From: root@myserverdomain (Cron Daemon)
To: root@myserverdomain
Subject: Cron <root@myserverdomain> /usr/lib/opcenter/virtualhosting/MailQueueCleaner
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
--/header--
--body--
affinity... Can't create output
<freiejgxozyhji@cheatcity.com>... User unknown
affinity... Can't create output
savemail: cannot save rejected email anywhere
--/body--

So I did a: grep cheatcity /var/log/maillog
and got
Quote:
Oct 14 12:46:03 p15144987 sendmail[14325]: i9EBk2O14325: from=<freiejgxozyhji@cheatcity.com>, size=3845, class=0, nrcpts=1, msgid=<3niu952irt07$wg43ehe93oad61$319tei9hq0@S9863773>, proto=ESMTP, daemon=MTA, relay=mq-1.v3.com [66.179.230.120]
Oct 14 12:46:03 p15144987 sendmail[14330]: i9EBk3L14330: from=<freiejgxozyhji@cheatcity.com>, size=4067, class=0, nrcpts=1, msgid=<3niu952irt07$wg43ehe93oad61$319tei9hq0@S9863773>, proto=ESMTP, relay=root@localhost
Oct 14 12:46:05 p15144987 sendmail[14331]: i9EBk3L14331: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 13:37:03 p15144987 sendmail[14700]: i9ECb1014700: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 14:38:08 p15144987 sendmail[15218]: i9EDb5I15218: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 15:38:05 p15144987 sendmail[15744]: i9EEb1c15744: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 16:38:05 p15144987 sendmail[16254]: i9EFb1O16254: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 17:37:04 p15144987 sendmail[16652]: i9EGb2f16652: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 18:37:03 p15144987 sendmail[17006]: i9EHb1Y17006: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
I don't know much about the mail system!!
Is this someone using my server to send spam?? Where are they coming from?

The worrying thing is that no-one uses my server for smtp!!
 
Old 10-15-2004, 12:17 AM   #2
m_shroom
Member
 
Registered: Oct 2004
Location: Queen Charlotte B. C. Canada
Distribution: openSUSE 11.1
Posts: 42

Rep: Reputation: 15
If you have PHP running, someone may be trying to use the mail(); function in a PHP script.
 
Old 10-17-2004, 08:50 AM   #3
merlininthewood
LQ Newbie
 
Registered: Oct 2004
Location: Devon, England
Distribution: Ubuntu 10.04, Debian Lenny
Posts: 21

Original Poster
Rep: Reputation: 0
Good point. I hadn't thought of that. I guess it could be any CGI script (i.e. Perl). Does anyone know how I can find out who and what is trying to send these emails?
 
Old 10-17-2004, 02:38 PM   #4
m_shroom
Member
 
Registered: Oct 2004
Location: Queen Charlotte B. C. Canada
Distribution: openSUSE 11.1
Posts: 42

Rep: Reputation: 15
Quote:
Originally posted by merlininthewood
Good point. I hadn't thought of that. I guess it could be any CGI script (i.e. Perl). Does anyone know how I can find out who and what is trying to send these emails?
Try searching your htdocs folder for the string in the to: e-mail address, i.e. "freiejgxozyhji",
or try searching your htdocs folder for the string "mail(".

Last edited by m_shroom; 10-17-2004 at 02:40 PM.
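
Added example, not part of any post in this thread: a small Python triage of the sendmail log lines from post #1. For one envelope sender it lists how each message entered (a from= line carrying daemon= was accepted by the SMTP listener, one without was submitted locally) and counts permanent rejections of the bounces sent back to that address. The function names and the abridged sample are assumptions made for the example.

```python
import re
from collections import Counter

# Abridged from the maillog excerpt in post #1 (size, class, msgid, delay
# and pri fields dropped); two of the seven hourly retries are kept.
SAMPLE_LOG = """\
Oct 14 12:46:03 p15144987 sendmail[14325]: i9EBk2O14325: from=<freiejgxozyhji@cheatcity.com>, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mq-1.v3.com [66.179.230.120]
Oct 14 12:46:03 p15144987 sendmail[14330]: i9EBk3L14330: from=<freiejgxozyhji@cheatcity.com>, nrcpts=1, proto=ESMTP, relay=root@localhost
Oct 14 12:46:05 p15144987 sendmail[14331]: i9EBk3L14331: to=<freiejgxozyhji@cheatcity.com>, mailer=esmtp, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 13:37:03 p15144987 sendmail[14700]: i9ECb1014700: to=<freiejgxozyhji@cheatcity.com>, mailer=esmtp, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.+)$")

def parse(line):
    """Return (queue_id, {field: value}) for a sendmail log line, else None."""
    m = ENTRY.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(", "):  # naive: assumes no ", " inside a value
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return m.group("qid"), fields

def trace(lines, address):
    """Show how mail with this envelope sender entered, and where bounces to it failed."""
    wanted = f"<{address}>"
    origins, rejected = [], Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        qid, f = parsed
        if f.get("from") == wanted:
            # sendmail logs daemon= for mail accepted by a listening daemon
            how = "smtp-in" if "daemon" in f else "local-submit"
            origins.append((qid, how, f.get("relay", "?")))
        elif f.get("to") == wanted and f.get("dsn", "").startswith("5."):
            rejected[f.get("relay", "?")] += 1  # permanent (5.x.x) rejection
    return origins, dict(rejected)

if __name__ == "__main__":
    origins, rejected = trace(SAMPLE_LOG.splitlines(), "freiejgxozyhji@cheatcity.com")
    for qid, how, relay in origins:
        print(f"{qid}: {how} via {relay}")
    for relay, n in rejected.items():
        print(f"{n} permanent rejection(s) from {relay}")
```

To run it over the whole log, pass an open file handle for /var/log/maillog as `lines` instead of the sample.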
 
Old 11-07-2004, 01:47 PM   #5
davidjeanneret
LQ Newbie
 
Registered: Nov 2004
Posts: 1

Rep: Reputation: 0
Fixing the MailQueueCleaner

Did you find a way to solve whatever problem the mailqueuecleaner was coming up with and stop the emails?

I've just started getting the same problem from my server.

David

PS - have you found a 1&1 root server peer support group anywhere - they don't provide anything to help us help ourselves - scum

Cheers
 
Old 11-08-2004, 05:48 AM   #6
merlininthewood
LQ Newbie
 
Registered: Oct 2004
Location: Devon, England
Distribution: Ubuntu 10.04, Debian Lenny
Posts: 21

Original Poster
Rep: Reputation: 0
I haven't got any closer to solving this problem (not enough time).

I haven't heard of a support group. Maybe we should start an independent one and see if we can get 1and1 to link to it!!

I wonder if LinuxQuestions would be up for hosting a forum??
 
  

