I created an AIDE script that is able to monitor file changes on my hosting, and when a file has changed, it sends an alert email about the changes. In my opinion, I don't think the script has a problem. So let me share it with you anyway:
Here is the script in my git repo:
To run this script, I had the cronjob running like this every 20 minutes: */20 * * * * root /usr/local/bin/maxicron/aide/maxiaide cron > /dev/null
The script did a good job of giving alert messages, but recently I noticed that I keep getting the same email from this script, with the same date and time (04-07-2020 5:43am) and the same content, and the attachment is very large, about 22MB. Sometimes I get almost a dozen emails at one time.
Screenshot:
When I view the attachment in a text editor, I see the following error in the log file from the script: "File database must have one db_spec specification":
So it means the script did not complete the alert because of an error.
I disabled the cronjob 2 days ago and I still get this email. Also, I checked that I have no cronjob that runs this script. I checked the mail queue with exim -bp
and I found no email in the exim queue. Now the script is not running, and yet I still get this alert email. In your opinion, where does this email actually come from? How can I debug where the email came from? I don't think it's coming from the script, because the script is not running anymore. This is so weird:
all the log files don't seem to give any clues, and because that email's time and date is old, the email goes straight to the bottom of the list, not the top of the mailbox.
I use CentOS 8, exim, dovecot, roundcube, apache_nginx, and the AIDE version is 0.16.
Due to the db_spec problem from AIDE, I found out that exim had been trying to resend the large attachment for many days. (I think it may be a random bug from the disk read or from the way AIDE reads the AIDE database.) The db_spec error from AIDE means that the database was empty (but in fact it was not). AIDE did not complete the script, which caused the script to send a large attachment (without any filter from aide.conf), so exim had trouble retrying to send the email with the large attachment and it was stuck for many days. So I found out that it was in one of the exim mail input folders. I cleared up the input folders and the spam email MANUALLY and it is gone:
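As an added example (not the maxiaide script from the post or any AIDE code), a POSIX sh gate that checks the AIDE run before anything is mailed: it refuses to send when the log contains the db_spec error or the exit code is outside AIDE's report range, and refuses when the log exceeds a size cap, so a broken run cannot queue a 22MB message that exim keeps retrying. The size cap, the log path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the maxiaide script: decide whether an AIDE run
# produced a report worth mailing. MAX_ATTACH_BYTES is an assumed cap.
MAX_ATTACH_BYTES=1048576

# aide_run_ok LOG STATUS
# Returns 0 only for a usable run: no db_spec configuration error in the
# log, and an exit code in 0..7. AIDE 0.16 sets bit 1 (new), 2 (removed)
# and 4 (changed) in its exit code; codes of 14 and above are errors.
aide_run_ok() {
    log="$1"; status="$2"
    if grep -q 'must have one db_spec specification' "$log"; then
        return 1
    fi
    if [ "$status" -lt 0 ] || [ "$status" -gt 7 ]; then
        return 1
    fi
    return 0
}

# attachment_within_cap FILE
# Returns 0 if FILE is small enough to attach, 1 otherwise.
attachment_within_cap() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -gt "$MAX_ATTACH_BYTES" ]; then
        return 1
    fi
    return 0
}

# decide_alert LOG STATUS
# Prints one of: alert (mail the report), error (mail a short failure
# notice only, no attachment), too-large (report exists but must not be
# attached as-is; mail a notice and keep the file on disk).
decide_alert() {
    log="$1"; status="$2"
    if ! aide_run_ok "$log" "$status"; then
        echo "error"
    elif ! attachment_within_cap "$log"; then
        echo "too-large"
    else
        echo "alert"
    fi
}

# Typical wiring from a cron wrapper (assumed path for the run log):
#   aide --check > /var/log/aide/run.log 2>&1; rc=$?
#   case "$(decide_alert /var/log/aide/run.log "$rc")" in ... esac
```

Wiring the case branches to your mailer is left to the wrapper; the point is that only the "alert" branch ever attaches the full log.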