Account contact info change to hackerish address

cPanel & WHM Version: v98.0.9

AGY (Member, joined Sep 15, 2019, Virginia; cPanel Access Level: Root Administrator)
I received a notification email this morning that the contact email on an account had been changed to 'h g n g g o t c h a @ gmail' (minus the spaces). The email is legitimate and was sent from the server, and the address had been changed. The given account's cPanel is not logged into, and occasionally is accessed from the reseller account. The account had a secure random password. I don't find any evidence of a cPanel login or anything. I've looked through logs in /var/log, /usr/local/cpanel/logs, and /etc/apache2/logs (and domlogs) as well as the account's logs directory. I am scouring the account looking for any changes there. Where else might some evidence of how this change happened be logged? Manually changing the .contactemail file does not seem to trigger the notification...

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
Hey there! The most likely explanation would be SSH if that user had SSH access enabled on their account. A user compromised the cPanel password through a keylogger tool (or something similar), then accessed SSH, then manually updated the contact details to get the password reset email sent to them.

This could also happen through File Manager, but that would show up in the cPanel access_log file.

Did you check /var/log/secure for any entries related to that cPanel username?
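One way to check the cPanel access_log angle raised above, as an added example that is not part of this thread or of cPanel's own tooling: parse /usr/local/cpanel/logs/access_log, list every source IP that authenticated as the affected cPanel user, and flag requests to the contact-information endpoints. The log lines are constructed, and the exact request paths (the UAPI ContactInformation module and the theme's contact/ page) are assumptions to verify against your own log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of cPanel's access_log:
# IP - user [timestamp] "METHOD /cpsess<token>/path HTTP/1.1" status bytes "referer" "agent"
SAMPLE_LOG = """\
203.0.113.7 - example [08/05/2021:08:12:01 -0000] "GET /cpsess1234567890/frontend/jupiter/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
203.0.113.7 - example [08/05/2021:08:12:19 -0000] "POST /cpsess1234567890/execute/ContactInformation/set_email_addresses HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.3 - reseller [08/05/2021:09:00:44 -0000] "GET /cpsess0987654321/frontend/jupiter/filemanager/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Paths that view or change the account's contact address (assumed):
# the UAPI ContactInformation module and the theme's Contact Information page.
CONTACT_RE = re.compile(r"^(/execute/ContactInformation/|/frontend/[^/]+/contact/)")

def parse_access_log(text):
    """Yield one dict per parseable access_log line; skip anything malformed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def contact_changes(text, user):
    """Return (ip, timestamp, path) for requests by `user` that touch contact info."""
    hits = []
    for rec in parse_access_log(text):
        if rec["user"] != user:
            continue
        # Drop the per-session token so the path comparison is stable.
        path = re.sub(r"^/cpsess\d+", "", rec["path"])
        if CONTACT_RE.match(path):
            hits.append((rec["ip"], rec["ts"], path))
    return hits

def source_ips(text, user):
    """Map every source IP that authenticated as `user` to its request count."""
    counts = defaultdict(int)
    for rec in parse_access_log(text):
        if rec["user"] == user:
            counts[rec["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for hit in contact_changes(SAMPLE_LOG, "example"):
        print("contact change:", *hit)
    print("source IPs for example:", source_ips(SAMPLE_LOG, "example"))
```

An empty result for the user while the .contactemail file still changed points away from the cPanel UI and toward another path (SSH, a reseller or root session, or a direct file edit), which is what the rest of this thread tries to narrow down.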

AGY (Member, joined Sep 15, 2019, Virginia; cPanel Access Level: Root Administrator)
cPRex said:
Hey there! The most likely explanation would be SSH if that user had SSH access enabled on their account. A user compromised the cPanel password through a keylogger tool (or something similar), then accessed SSH, then manually updated the contact details to get the password reset email sent to them.

This could also happen through File Manager, but that would show up in the cPanel access_log file.

Did you check /var/log/secure for any entries related to that cPanel username?

That account does not have a shell configured, and I found nothing in the mail logs indicating mail to that address other than the contact change notification. Nothing in secure indicating access to that account other than the periodic wp-toolkit messages.

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
Those were the best guesses off the top of my head. You're always welcome to submit a ticket to our team so we can check things on our end, but our assistance with security is very limited, usually to root compromises. It might be best to work with a third-party administrator if you aren't able to track this down on your end.

AGY (Member, joined Sep 15, 2019, Virginia; cPanel Access Level: Root Administrator)
Thanks. I was more interested to see if anyone else had seen something like this, as no files appear to have been changed and no other evidence of any malicious behavior has been found.

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
It's relatively common for that to happen, but it seems odd for that to be the only change. Usually the whole point of that type of change is to get access to the cPanel account to upload files, send email, or use the web space, but it's odd that nothing else has been changed.