
LF_SCRIPT_ALERT Stopped Working

Posted: 04 Mar 2016, 23:57
by x3hash
Hi ConfigServer,

We've recently noticed that the function 'LF_SCRIPT_ALERT' stopped working across all of our servers (we operate approximately 100 servers in total).

Stopped working on Thursday 3rd March 2015 (date in Australia at the time).

There's only a single thing on that date that I can see has changed with exim - see: https://documentation.cpanel.net/displa ... -1531+Exim

Please note the log_selector function is set to default by cPanel:

================================================================
log_selector = +arguments +subject +received_recipients

If you already use extended exim logging, then you need to either include
+arguments +received_recipients or use +all
================================================================

Our log_selector across all servers is:

+incoming_port +smtp_connection +all_parents -retry_defer +subject +arguments +received_recipients

I believe this issue may be somehow related to the update pushed by cPanel.

Re: LF_SCRIPT_ALERT Stopped Working

Posted: 05 Mar 2016, 13:56
by AsTr0
Hi CSF staff,

We have exactly the same problem!

Best regards.

Script Alert Disabled on 2 Servers

Posted: 05 Mar 2016, 16:37
by vlar
Hello,

I used to receive a script alert path for any email sent, but over the last 72 hours, since I wanted to hire a sys to code an automatic malware removal, the alerts are just gone.
I'm not sure how to fix this behavior.
It used to be enabled by default, but it suddenly changed.

These WordPress malwares are really ruining my days, and if I don't have the path, it is a bit harder.

Re: Script Alert Disabled on 2 Servers

Posted: 05 Mar 2016, 16:38
by vlar
Here is what I used to receive:

Time: Sat Feb 27 21:11:41 2016 +0100
Path: '/home/potential/malware'
Count: 101 emails sent

Sample of the first 10 emails:

Re: LF_SCRIPT_ALERT Stopped Working

Posted: 05 Mar 2016, 17:05
by ForumAdmin
This is a problem with cPanel's EXIM since they implemented a fix for CVE-2016-1531. EXIM now always reports the path as / instead of the path to the script directory, i.e. cwd=/ instead of cwd=/some/script/path/

This is only something that cPanel can fix and we have reported it to them.
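
Added illustration (not part of the original post, and not csf's own code): a small Python sketch of per-directory counting over Exim `cwd=` lines, showing why an alert keyed on the script path goes silent once every line reads `cwd=/`. The log lines are constructed samples in the layout Exim writes with `+arguments`; the limit of 100 and the function names are assumptions for the example.

```python
import re
from collections import Counter

# Exim "+arguments" line: "<date> <time> cwd=<dir> <argc> args: <argv...>"
# Assumes the directory contains no spaces.
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")

def count_script_paths(lines):
    """Count mail submissions per working directory logged by Exim."""
    counts = Counter()
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def script_alerts(counts, limit):
    """Return {path: count} for directories under /home that exceed limit."""
    return {p: n for p, n in counts.items()
            if p.startswith("/home/") and n > limit}

def cwd_collapsed(counts, min_lines=20):
    """True when every logged cwd is "/", the symptom described above."""
    total = sum(counts.values())
    return total >= min_lines and counts.get("/", 0) == total

def sample(cwd, n):
    """Build n constructed log lines for one working directory."""
    return [f"2016-02-27 21:11:{i % 60:02d} cwd={cwd} 3 args: "
            "/usr/sbin/sendmail -t -i" for i in range(n)]

# Constructed input: the same traffic before and after the Exim change.
BEFORE = sample("/home/potential/malware", 101) + sample("/var/spool/exim", 5)
AFTER = sample("/", 106)

if __name__ == "__main__":
    for label, lines in (("before", BEFORE), ("after", AFTER)):
        counts = count_script_paths(lines)
        print(label, script_alerts(counts, 100),
              "cwd collapsed:", cwd_collapsed(counts))
```

With the "after" sample no directory under /home is ever counted, so nothing crosses the limit; the `cwd_collapsed` check is one way to notice that the log has stopped carrying usable paths.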

Re: LF_SCRIPT_ALERT Stopped Working

Posted: 05 Mar 2016, 17:23
by ForumAdmin

Re: LF_SCRIPT_ALERT Stopped Working

Posted: 05 Mar 2016, 17:37
by vlar
The end of the world is here right now ;).

WordPress malware kingdom is wide open.

Re: LF_SCRIPT_ALERT Stopped Working

Posted: 05 Mar 2016, 17:43
by ForumAdmin
We have just been informed by cPanel that they have developed a workaround that will be released imminently for EXIM that should restore the functionality. Yay!

Re: LF_SCRIPT_ALERT Stopped Working

Posted: 05 Mar 2016, 17:47
by vlar
Oh well, doomsday was avoided thanks to you!

Re: LF_SCRIPT_ALERT Stopped Working

Posted: 05 Mar 2016, 18:07
by ForumAdmin
Thanks to cPanel, they had already been working on the workaround.