The Community Forums


all of a sudden my email password stopped working, this is what I found...

Discussion in 'E-mail Discussions' started by betoranaldi, Jan 3, 2008.

  1. betoranaldi

    betoranaldi Well-Known Member

    So I woke up this morning to notice that my email wasn't working. It wasn't accepting my password so I went into cpanel and reset it, all is well.

    Then I said to myself, great, let me read through all of my email accounts. At 4:33am /scripts/upcp ran.

    Email was working up until this point, at which point my home computer shut down so it wasn't checking mail anymore.

    Looking at the lfd log file I have the following:

    Thu Jan 3 02:27:33 2008 lfd: mod_security triggered by xx.xx.xx.21 - 1 failure(s) in the last 165 secs
    Thu Jan 3 04:32:49 2008 lfd: /usr/local/cpanel/logs/login_log has been reset. Reopening log file
    Thu Jan 3 04:32:49 2008 lfd: Watching /usr/local/cpanel/logs/login_log...
    Thu Jan 3 04:33:20 2008 lfd: *System Integrity* has detected modified file(s): /usr/bin/prove
    Thu Jan 3 07:00:05 2008 lfd: Failed IMAP login from xx.xx.xx.17 - ignored
    Thu Jan 3 07:05:32 2008 lfd: Failed IMAP login from xx.xx.xx.17 - ignored
    Thu Jan 3 07:06:13 2008 lfd: Failed IMAP login from xx.xx.xx.17 - ignored

    The computer was turned back on at 7am which you notice starts to have failed email logins.

    I also ran the trojan scan and found the following:

    Is any of this something I should worry about? What would cause the email password to just up and change like that?


    PHP:
    Scanning for Trojan Horses
    Possible Trojan 
    - /usr/bin/xmlcatalog
    Possible Trojan 
    - /usr/bin/xmllint
    Possible Trojan 
    - /usr/bin/expect
    Possible Trojan 
    - /usr/bin/gtk-demo
    Possible Trojan 
    - /usr/bin/gtk-update-icon-cache
    Possible Trojan 
    - /usr/bin/activation-client
    Possible Trojan 
    - /usr/bin/bonobo-activation-run-query
    Possible Trojan 
    - /usr/libexec/bonobo-activation-server
    Possible Trojan 
    - /usr/sbin/bonobo-activation-sysconf
    Possible Trojan 
    - /usr/bin/gs
    Possible Trojan 
    - /usr/bin/aspell
    Possible Trojan 
    - /usr/bin/prezip-bin
    Possible Trojan 
    - /usr/bin/word-list-compress
    Possible Trojan 
    - /usr/lib64/python24/site-packages/libxml2modla
    Possible Trojan 
    - /usr/lib64/python24/site-packages/libxml2modso
    Possible Trojan 
    - /usr/sbin/libgcc_post_upgrade
    Possible Trojan 
    - /etc/crondaily/logrotate
    Possible Trojan 
    - /usr/bin/xml2-config
    Possible Trojan 
    - /usr/bin/berkeley_db41_svc
    Possible Trojan 
    - /usr/bin/berkeley_db42_svc
    Possible Trojan 
    - /usr/bin/db41_archive
    Possible Trojan 
    - /usr/bin/db41_checkpoint
    Possible Trojan 
    - /usr/bin/db41_deadlock
    Possible Trojan 
    - /usr/bin/db41_dump
    Possible Trojan 
    - /usr/bin/db41_load
    Possible Trojan 
    - /usr/bin/db41_printlog
    Possible Trojan 
    - /usr/bin/db41_recover
    Possible Trojan 
    - /usr/bin/db41_stat
    Possible Trojan 
    - /usr/bin/db41_upgrade
    Possible Trojan 
    - /usr/bin/db41_verify
    Possible Trojan 
    - /usr/bin/db42_archive
    Possible Trojan 
    - /usr/bin/db42_checkpoint
    Possible Trojan 
    - /usr/bin/db42_deadlock
    Possible Trojan 
    - /usr/bin/db42_dump
    Possible Trojan 
    - /usr/bin/db42_load
    Possible Trojan 
    - /usr/bin/db42_printlog
    Possible Trojan 
    - /usr/bin/db42_recover
    Possible Trojan 
    - /usr/bin/db42_stat
    Possible Trojan 
    - /usr/bin/db42_upgrade
    Possible Trojan 
    - /usr/bin/db42_verify
    Possible Trojan 
    - /usr/bin/csslint-06
    Possible Trojan 
    - /usr/bin/gconf-merge-tree
    Possible Trojan 
    - /usr/bin/gconftool-2
    Possible Trojan 
    - /usr/libexec/gconf-sanity-check-2
    Possible Trojan 
    - /usr/libexec/gconfd-2
    Possible Trojan 
    - /bin/gettext
    Possible Trojan 
    - /usr/bin/envsubst
    Possible Trojan 
    - /usr/bin/msgattrib
    Possible Trojan 
    - /usr/bin/msgcat
    Possible Trojan 
    - /usr/bin/msgcmp
    Possible Trojan 
    - /usr/bin/msgcomm
    Possible Trojan 
    - /usr/bin/msgconv
    Possible Trojan 
    - /usr/bin/msgen
    Possible Trojan 
    - /usr/bin/msgexec
    Possible Trojan 
    - /usr/bin/msgfilter
    Possible Trojan 
    - /usr/bin/msgfmt
    Possible Trojan 
    - /usr/bin/msggrep
    Possible Trojan 
    - /usr/bin/msginit
    Possible Trojan 
    - /usr/bin/msgmerge
    Possible Trojan 
    - /usr/bin/msgunfmt
    Possible Trojan 
    - /usr/bin/msguniq
    Possible Trojan 
    - /usr/bin/ngettext
    Possible Trojan 
    - /usr/bin/xgettext
    Possible Trojan 
    - /usr/bin/rsvg-convert
    Possible Trojan 
    - /usr/bin/rsvg-view
    Possible Trojan 
    - /usr/bin/animate
    Possible Trojan 
    - /usr/bin/compare
    Possible Trojan 
    - /usr/bin/composite
    Possible Trojan 
    - /usr/bin/conjure
    Possible Trojan 
    - /usr/bin/convert
    Possible Trojan 
    - /usr/bin/display
    Possible Trojan 
    - /usr/bin/identify
    Possible Trojan 
    - /usr/bin/import
    Possible Trojan 
    - /usr/bin/mogrify
    Possible Trojan 
    - /usr/bin/montage
    Possible Trojan 
    - /usr/sbin/pureauth
    Possible Trojan 
    - /usr/bin/cpan
    Possible Trojan 
    - /usr/bin/instmodsh
    Possible Trojan 
    - /usr/bin/prove
    Possible Trojan 
    - /usr/bin/pstruct
    Possible Trojan 
    - /usr/bin/cpan
    Possible Trojan 
    - /usr/bin/instmodsh
    Possible Trojan 
    - /usr/bin/prove
    Possible Trojan 
    - /usr/bin/pstruct
    Possible Trojan 
    - /usr/bin/xml2-config
    Possible Trojan 
    - /usr/libexec/gam_server
    Possible Trojan 
    - /usr/bin/mysqlhotcopy
    87 POSSIBLE Trojans Detected
     
  2. mctDarren

    mctDarren Well-Known Member

    Is that the trojan scan from WHM? Install RKHunter or Chkrootkit (or preferably both!) and see what results you get from them. That WHM scanner is extremely limited in its effectiveness.

    As far as the log lines for lfd are concerned they simply look like something that was upgraded through your normal upcp process. But you should always check your upcp email or log file for any trace of an upgrade on the processes lfd lists. If you don't see any lines indicating an update you might need to investigate further. And for your original question - it could be that your email passwords weren't changed. There's an option for "repair mailbox permissions" in WHM. Could be all you needed to do was run that script to fix the problem.
     
    #2 mctDarren, Jan 3, 2008
    Last edited: Jan 3, 2008
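The triage the reply above describes (check whether the file lfd flagged was touched by the nightly upcp run, and look at where the failed logins come from) as a small script. This is an added example, not code from the thread or from cPanel/lfd; the log lines are constructed copies of the ones quoted in the first post (with one extra constructed alert outside the upcp window to show the unexplained case), and the upcp e-mail text, its timestamp and the `/usr/local/bin/example-tool` path are placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lfd lines modelled on the ones quoted in the first post;
# the xx.xx.xx.* addresses are placeholders, and the 11:15 alert is an invented
# extra case so the "unexplained" branch below is exercised.
LFD_LOG = """\
Thu Jan 3 02:27:33 2008 lfd: mod_security triggered by xx.xx.xx.21 - 1 failure(s) in the last 165 secs
Thu Jan 3 04:33:20 2008 lfd: *System Integrity* has detected modified file(s): /usr/bin/prove
Thu Jan 3 07:00:05 2008 lfd: Failed IMAP login from xx.xx.xx.17 - ignored
Thu Jan 3 07:05:32 2008 lfd: Failed IMAP login from xx.xx.xx.17 - ignored
Thu Jan 3 07:06:13 2008 lfd: Failed IMAP login from xx.xx.xx.17 - ignored
Thu Jan 3 11:15:02 2008 lfd: *System Integrity* has detected modified file(s): /usr/local/bin/example-tool
"""
# Constructed stand-in for the upcp report e-mail; only the paths it mentions matter here.
UPCP_MAIL = "Updating perl modules ... installed /usr/bin/prove /usr/bin/cpan\n"
UPCP_START = datetime(2008, 1, 3, 4, 33)  # 4:33am, the upcp run time given in the post

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) lfd: (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_lfd(text):
    """Return (timestamp, message) pairs for every well-formed lfd line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    return events

def triage(lfd_text, upcp_text, upcp_start, window=timedelta(minutes=30)):
    """Integrity alerts inside the upcp window whose path appears in the upcp
    report are 'explained'; everything else is left for manual follow-up.
    Failed logins are counted per source address."""
    explained, unexplained, logins = [], [], Counter()
    for ts, msg in parse_lfd(lfd_text):
        if "has detected modified file(s):" in msg:
            in_window = upcp_start <= ts <= upcp_start + window
            for path in msg.split("file(s):", 1)[1].split(","):
                path = path.strip()
                (explained if in_window and path in upcp_text else unexplained).append(path)
        elif msg.startswith("Failed ") and " login from " in msg:
            logins[msg.split(" from ", 1)[1].split()[0]] += 1
    return {"explained": explained, "unexplained": unexplained, "failed_logins": dict(logins)}

if __name__ == "__main__":
    print(triage(LFD_LOG, UPCP_MAIL, UPCP_START))
```

On a live box the path check would be `rpm -Vf <path>` against the package database rather than a substring search of the upcp mail, but the correlation logic is the same.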
  3. betoranaldi

    betoranaldi Well-Known Member

    Yes, that was the trojan scan in WHM.

    I have RKhunter installed.

    I didn't know about the repair permissions thing but will have to try that next time. Would make sense that cpanel updated itself. (I followed the update script email and it did indeed update a lot of items.)

    I didn't receive any message indicating that someone logged in via ssh. I have mod security, suphp running.

    So I am going to sum this up as coincidence (unless someone leads me to believe otherwise).
     