Here's me running mail command in a CentOS 7 server:
[root@ ~]# mail
Heirloom Mail version [version no.]. Type ? for help.
"/var/spool/mail/root": 2 messages
> 1 (Cron Daemon) [date] [time] ##/### "Cron <root@[fs]-[os]> cd /var/lib/vz-guest"
Upon opening the #1 mail, I get:
Message 1:
From root@hfs-[os].[serverurl].net [date] [time] [year]
Return-Path: <root@[fs]-[os].[serverurl].com>
X-Original-To: root
Delivered-To: root@[fs]-[os].[serverurl].com
From: "(Cron Daemon)" <root@[fs]-[os].[serverurl].com>
To: root@hfs-[os].[serverurl].net
Subject: Cron <root@[fs]-[os]> cd /var/lib/vz-guest-tools && ( bash ./install | logger -t 'VZTOOLS_udev{cron}' ) && cd /var/lib && rm -rf /var/lib/vz-guest-tools ; sed -i '/vz-guest-tools/d' /etc/crontab
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=1>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Date: [date] [time] +0000 (UTC)
Status: RO
Created symlink from /etc/systemd/system/multi-user.target.wants/fstrim.timer to /usr/lib/systemd/system/fstrim.timer.
Failed to stop qemu-guest-agent.service: Unit qemu-guest-agent.service not loaded.
My hosting provider says this doesn't look like it's coming from them. Maillogs are not available. How can I know where this came from?
Note: My server was an open email relay for a few days, may this just be a bulk mail that got into this server that way, and is just scaring us?
Note 2: I can't find directory /var/lib/vz-guest-tools, but I do see /etc/systemd/system/multi-user.target.wants/fstrim.timer
Note 3: The date of the message is of a date when the server wasn't active at all.
