LF_SCRIPT_ALERT Stopped Working

x3hash
Junior Member
Posts: 2
Joined: 04 Mar 2016, 23:50

LF_SCRIPT_ALERT Stopped Working

Post by x3hash »

Hi ConfigServer,

We've recently noticed that the function 'LF_SCRIPT_ALERT' stopped working across all of our servers (we operate approximately 100 servers in total).

Stopped working on Thursday 3rd March 2015 (date in Australia at the time).

There's only a single thing on that date that I can see has changed with exim - see: https://documentation.cpanel.net/displa ... -1531+Exim

Please note the log_selector function is set to default by cPanel:

================================================================
log_selector = +arguments +subject +received_recipients

If you already use extended exim logging, then you need to either include
+arguments +received_recipients or use +all
================================================================

Our log_selector across all servers is:

+incoming_port +smtp_connection +all_parents -retry_defer +subject +arguments +received_recipients

I believe this issue may be somehow related to the update pushed by cPanel.
AsTr0
Junior Member
Posts: 5
Joined: 18 Feb 2014, 21:55

Re: LF_SCRIPT_ALERT Stopped Working

Post by AsTr0 »

Hi CSF staff,

We have exactly the same problem!

Best regards.
vlar
Junior Member
Posts: 6
Joined: 05 Mar 2016, 16:29

Script Alert Disabled on 2 Servers

Post by vlar »

Hello,

I used to receive a script alert path for any email sent, but over the last 72 hours, since I wanted to hire a sys to code an automatic malware removal, the alerts are just gone.
I'm not sure how to fix this behavior.
It used to be enabled by default, but it suddenly changed.

This WordPress malware is really ruining my days and if I don't have the path, it is a bit harder.
vlar
Junior Member
Posts: 6
Joined: 05 Mar 2016, 16:29

Re: Script Alert Disabled on 2 Servers

Post by vlar »

Here is what I used to receive:

Time: Sat Feb 27 21:11:41 2016 +0100
Path: '/home/potential/malware'
Count: 101 emails sent

Sample of the first 10 emails:
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LF_SCRIPT_ALERT Stopped Working

Post by ForumAdmin »

This is a problem with cPanel's EXIM since they implemented a fix for CVE-2016-1531. EXIM now always reports the path as / instead of the path to the script directory, i.e. cwd=/ instead of cwd=/some/script/path/

This is only something that cPanel can fix and we have reported it to them.
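
The effect described in the post above, as an added illustration (not part of the thread and not lfd's own code): a Python sketch that counts Exim `cwd=` log lines per directory and shows why `cwd=/` leaves nothing to alert on. The log lines are constructed, and the function names and the limit of 100 are assumptions.

```python
import re
from collections import Counter

# Exim mainlog line written when log_selector includes +arguments, e.g.
#   2016-02-27 21:11:41 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>.*?) \d+ args: ")

def sample_log(cwd, n):
    """Build n constructed submission lines for one working directory."""
    lines = ["2016-02-27 21:11:41 cwd=%s 3 args: /usr/sbin/sendmail -t -i" % cwd
             for _ in range(n)]
    # A constructed non-submission line that the parser must ignore.
    lines.append("2016-02-27 21:11:41 1aZxyz-0001ab-Cd <= user@example.com U=user P=local S=512")
    return lines

def count_by_cwd(lines):
    """Return (per-directory counts, number of lines whose cwd is just '/')."""
    counts, rootonly = Counter(), 0
    for line in lines:
        m = CWD_RE.match(line)
        if not m:
            continue
        cwd = m.group("cwd").rstrip("/") or "/"
        if cwd == "/":
            rootonly += 1          # identifies no script directory
        else:
            counts[cwd] += 1
    return counts, rootonly

def script_alerts(lines, limit=100):
    """Directories exceeding the (assumed) limit, plus the count of cwd=/ lines."""
    counts, rootonly = count_by_cwd(lines)
    return {path: n for path, n in counts.items() if n > limit}, rootonly

if __name__ == "__main__":
    before = sample_log("/home/potential/malware", 101)  # cwd as it used to be logged
    after = sample_log("/", 101)                         # cwd as logged after the change
    print(script_alerts(before))
    print(script_alerts(after))
```

A sudden jump in the `cwd=/` count alongside an empty alert set is a simple signal that the log source, rather than the mail volume, has changed.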
vlar
Junior Member
Posts: 6
Joined: 05 Mar 2016, 16:29

Re: LF_SCRIPT_ALERT Stopped Working

Post by vlar »

The end of the world is here right now ;).

The WordPress malware kingdom is wide open.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LF_SCRIPT_ALERT Stopped Working

Post by ForumAdmin »

We have just been informed by cPanel that they have developed a workaround that will be released imminently for EXIM that should restore the functionality. Yay!
vlar
Junior Member
Posts: 6
Joined: 05 Mar 2016, 16:29

Re: LF_SCRIPT_ALERT Stopped Working

Post by vlar »

Oh well, doomsday was avoided thanks to you!
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LF_SCRIPT_ALERT Stopped Working

Post by ForumAdmin »

Thanks to cPanel, they had already been working on the workaround.