Automatically created email forwarders?

[abusam]

Hello ...

In 2 of our cpanel email forwarders are being created automatically.. it has happened 3 times and important email are forwarding to other gmail account. The same gmail ID is added as forwarders of 3 email accounts in cpanel.

When happend it earlier, we had changed the password, but it's happened again ..

Please advice how can we trace this and can make it more secure ?

thanks,

Regards,
Navas

 

[cPanelMichael]

Hello,

Do you have root access to this system? If so, you can review /usr/local/cpanel/logs/access_log to see if those forwarders were setup through cPanel, and if so, the IP address that created them.

Thank you.

 

[abusam]

Hello ..

/usr/local/cpanel/logs/access_log

There I could see some lines like: "GET /cpsess7397808332/frontend/paper_lantern/mail/dodelfwdconfirm.html?domain=&email=s

But I think it's common ..

If forwarder is created what what will come in logs ?

 

[Infopro]

Create one and then check your log again. Be sure to remove it as well. Then look to find your IP in the log.

 

[abusam]

Create one and then check your log again. Be sure to remove it as well. Then look to find your IP in the log.

I had already tried it. But in the log it's not showing the email IDs added in forwarders.

 

[abusam]

Hello ..

I had traced it from the logs:-

185.x.x.30 proxy jay40domain.com [07/14/2017:07:07:11 -0000] "POST /cpsess1534674095/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "[URL]https://webmail.domain.com/cpsess1534674095/webmail/paper_lantern/mail/addfwd.html[/URL]" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 185.x.x.30" 443

It means outside IP which accessed is 185.x.x.30, then what's this term 'proxy' ?
Also I think forwarding has done via webmail URL, howz it happening because these forwarder entries were created for many other users and from other unknown IPs.

thanks,

Navas

 

[cPanelMichael]

Hello,

The "proxy" entry simply means the URL was accessed via a proxy subdomain (e.g. webmail.domain.tld). Keep in mind that individual email account users can create forwarders via the webmail interface. In addition to changing the cPanel passwords, ensure to change the individual email account passwords or verify the individual email account users are not authenticating from an exploited workstation.

Thank you.

 

[abusam]

Hello ..

We have changed cpanel/WHM and affected email passwords .. Still happened again .. one more forwarder is created , we traced IPs all from EU region ..
we are using paper_lantern as theme. all injections we happened via webmail .. Still do not know hows it getting email passwords ?

 

[rpvw]

If you are 100% certain the server is not compromised, have you checked the computer or device you are using to change the email account passwords for exploits or malware, eg keylogger ?

 

[abusam]

If you are 100% certain the server is not compromised, have you checked the computer or device you are using to change the email account passwords for exploits or malware, eg keylogger ?

Hello ,,

The reason I am saying the server is not compromised because, as per the logs we could see web mail URL is being accessed many times from outside from unknown IPs and logged in with correct credentials.

 

[cPanelMichael]

The reason I am saying the server is not compromised because, as per the logs we could see web mail URL is being accessed many times from outside from unknown IPs and logged in with correct credentials.

Have you verified the workstations/local computers of the customers accessing Webmail/POP3/IMAP for those email accounts are not compromised? If they were compromised, then that would explain how the email passwords were obtained and used to setup the forwarders.

Thank you.