
Rash of Cron Email Bounces?

Question asked by Jeff C on Sep 16, 2015
Latest reply on Sep 19, 2015 by Jeff C
All of a sudden last night, for the first time, I got like 100+ email bounce messages. The emails are coming from root and being sent to the username for the website Sugar is running on, but there is no email account set up for that user name, which is why it is bouncing.  The strange thing is, though, I looked in the catchall /mail/new folder and there was 25G of files; all except 8 emails were created since I got this bounce message. One of the eight I looked at, and it was a brief message about not connecting to the database. I'm not sure what is triggering these emails, whether it's a cPanel feature for failed cron runs or it's Sugar.  If it were Sugar I would expect the email to be sent to the Sugar admin account. The messages all have the subject:

Cron  cd /home/sugar/public_html/cms && /usr/bin/php-cli -f cron.php 2>&1

At about the same time I got some resource usage warnings for files on other sites on the server like wp-login.php.  My guess is that this is just an automated server hack attempt and somehow it discovered it could run the sugar cron.php file.  This seems like a security issue to me.  Seems best to me that I rename cron.php and update the crontab accordingly.  (I renamed wp-login too - another good practice I think.)

And the content of the email looked like a dump of a database structure that started like...

Array
(
     [id] => a5899bbc-e917-63a5-c010-55ea81e93c41
     [related_id] => 32aa2fb8-5a72-9b75-201c-55f924c3af1b
     [module] => Cases
     [related_module] => Tasks
     [related_bean] => Task Object
         (
             [field_name_map] => Array
                 (
                     [id] => Array
                         (
                             [name] => id
                             [vname] => LBL_ID
                             [type] => id
                             [required] => 1
                             [reportable] => 1
                             [comment] => Unique identifier
                         )

                     [name] => Array
                         (
                             [name] => name
                             [vname] => LBL_SUBJECT
                             [dbType] => varchar

...

Anyone seen this happen before and know what the likely cause is?
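
Cron mails whatever a job writes to stdout or stderr (both here, because of 2>&1) to the crontab's owner, so a mailbox like the one described above records when cron.php started producing output. The script below is an added example, not part of the original post or of Sugar: it groups cron-generated messages by job and hour; the sample messages, host name and dates are constructed.

```python
"""Triage a flood of cron mail: which job produced output, and when it started."""
import email
from collections import Counter
from email.utils import parsedate_to_datetime

# Job command as it appears in the post's subject line.
CRON_CMD = "cd /home/sugar/public_html/cms && /usr/bin/php-cli -f cron.php 2>&1"

def _sample(date, body, subject=None, cron=True):
    """Build one constructed sample message (host.example is a placeholder)."""
    headers = [
        "From: root@host.example",
        "To: sugar@host.example",
        "Subject: " + (subject or "Cron <sugar@host.example> " + CRON_CMD),
        "Date: " + date,
    ]
    if cron:
        headers.append("X-Cron-Env: <SHELL=/bin/sh>")
    return "\n".join(headers) + "\n\n" + body

SAMPLES = [  # constructed, not taken from the post
    _sample("Mon, 14 Sep 2015 03:00:02 +0000", "Could not connect to the database\n"),
    _sample("Tue, 15 Sep 2015 22:01:02 +0000", "Array\n(\n    [module] => Cases\n"),
    _sample("Tue, 15 Sep 2015 22:02:01 +0000", "Array\n(\n    [module] => Cases\n"),
    _sample("Tue, 15 Sep 2015 23:01:02 +0000", "Array\n(\n    [module] => Cases\n"),
    _sample("Tue, 15 Sep 2015 23:05:00 +0000", "hello\n", subject="Newsletter", cron=False),
]

def triage(raw_messages):
    """Return (cron mails per (job, hour), first body line per job, non-cron count)."""
    per_hour, first_lines, other = Counter(), {}, 0
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        subject = msg.get("Subject", "")
        # Mail from the cron daemon (Vixie cron / cronie) has a
        # "Cron <user@host> command" subject plus X-Cron-Env headers.
        if not (subject.startswith("Cron ") and msg.get_all("X-Cron-Env")):
            other += 1
            continue
        command = subject.split("> ", 1)[-1]
        hour = parsedate_to_datetime(msg["Date"]).strftime("%Y-%m-%d %H:00")
        per_hour[(command, hour)] += 1
        body = msg.get_payload().strip().splitlines()
        first_lines.setdefault(command, Counter())[body[0] if body else ""] += 1
    return per_hour, first_lines, other

if __name__ == "__main__":
    per_hour, first_lines, other = triage(SAMPLES)
    for (command, hour), n in sorted(per_hour.items(), key=lambda kv: kv[0][1]):
        print(hour, n, command)
    print(first_lines, "non-cron:", other)
```

To run it on a real mailbox, feed it message strings from the standard library's mailbox.Maildir opened on the Maildir directory; a jump in the per-hour count and a change in the first body line show when the job's output changed.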
