Automatically created email forwarders?

abusam

Member
Mar 3, 2008
Hello ...

In 2 of our cPanel accounts, email forwarders are being created automatically. It has happened 3 times, and important emails are being forwarded to another Gmail account. The same Gmail ID is added as a forwarder on 3 email accounts in cPanel.

When it happened earlier, we had changed the password, but it has happened again.

Please advise how we can trace this and make it more secure.

thanks,

Regards,
Navas
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Do you have root access to this system? If so, you can review /usr/local/cpanel/logs/access_log to see if those forwarders were setup through cPanel, and if so, the IP address that created them.

Thank you.
 

abusam

Member
Mar 3, 2008
Hello ..

/usr/local/cpanel/logs/access_log

There I could see some lines like: "GET /cpsess7397808332/frontend/paper_lantern/mail/dodelfwdconfirm.html?domain=&email=s

But I think it's common ..

If a forwarder is created, what will appear in the logs?
 

abusam

Member
Mar 3, 2008
Hello ..

I have traced it from the logs:

Code:
185.x.x.30 proxy jay40domain.com [07/14/2017:07:07:11 -0000] "POST /cpsess1534674095/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://webmail.domain.com/cpsess1534674095/webmail/paper_lantern/mail/addfwd.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 185.x.x.30" 443

It means the outside IP which accessed it is 185.x.x.30, but then what is this term 'proxy'?
Also I think the forwarding was done via the webmail URL; how is it happening, because these forwarder entries were created for many other users and from other unknown IPs.

thanks,

Navas
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The "proxy" entry simply means the URL was accessed via a proxy subdomain (e.g. webmail.domain.tld). Keep in mind that individual email account users can create forwarders via the webmail interface. In addition to changing the cPanel passwords, ensure you change the individual email account passwords, or verify the individual email account users are not authenticating from an exploited workstation.

Thank you.
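To make the access_log review described above repeatable, here is an added example (not code from the thread or from cPanel) that parses lines in the layout quoted in the thread and reports every successful POST to the add-forwarder handler, grouping the client IPs per account. It assumes the second field is the "proxy" marker explained above and that the log lines, addresses, users and domains below are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of cPanel's access_log as quoted in the
# thread (addresses, session ids, users and domains are made up for the example).
SAMPLE_LOG = """\
185.0.0.30 proxy jay@example.com [07/14/2017:07:07:11 -0000] "POST /cpsess1534674095/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://webmail.example.com/cpsess1534674095/webmail/paper_lantern/mail/addfwd.html" "Mozilla/5.0" "s" "X-Forwarded-For: 185.0.0.30" 443
203.0.113.7 - jay@example.com [07/14/2017:07:10:42 -0000] "GET /cpsess1534674095/webmail/paper_lantern/mail/addfwd.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "s" "-" 2096
198.51.100.9 proxy sue@example.com [07/15/2017:02:15:03 -0000] "POST /cpsess9988776655/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "X-Forwarded-For: 198.51.100.9" 443
"""

# Fields: client ip, "proxy" marker (or "-"), authenticated user, timestamp,
# request line, status.  The remaining quoted fields are not needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proxy>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# doaddfwd.html is the handler that writes the forwarder; addfwd.html is only the form.
FORWARDER_WRITE = "/mail/doaddfwd.html"


def forwarder_events(log_text):
    """Return one record per successful POST to the add-forwarder handler."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].endswith(FORWARDER_WRITE):
            continue
        # Drop the per-session /cpsessNNN prefix so paths compare cleanly.
        path = re.sub(r"^/cpsess\d+", "", m["path"])
        events.append({
            "ip": m["ip"],
            "user": m["user"],
            "time": m["ts"],
            "via_webmail": path.startswith("/webmail/"),
            "via_proxy_subdomain": m["proxy"] == "proxy",
        })
    return events


def ips_per_account(events):
    """Map each account to the set of client IPs that added forwarders for it."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["ip"])
    return dict(seen)


if __name__ == "__main__":
    evs = forwarder_events(SAMPLE_LOG)
    for e in evs:
        print(e)
    print(ips_per_account(evs))
```

Run it against the real file with `forwarder_events(open("/usr/local/cpanel/logs/access_log").read())`; an account whose forwarders were added from several unrelated IPs over webmail is the pattern the thread describes.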
 

abusam

Member
Mar 3, 2008
Hello ..

We have changed the cPanel/WHM and affected email passwords. It still happened again; one more forwarder was created. We traced the IPs, all from the EU region.
We are using paper_lantern as the theme. All the injections happened via webmail. We still do not know how it is getting the email passwords.
 

rpvw

Well-Known Member
Jul 18, 2013
If you are 100% certain the server is not compromised, have you checked the computer or device you are using to change the email account passwords for exploits or malware, e.g. a keylogger?
 

abusam

Member
Mar 3, 2008
If you are 100% certain the server is not compromised, have you checked the computer or device you are using to change the email account passwords for exploits or malware, e.g. a keylogger?
Hello,

The reason I am saying the server is not compromised is because, as per the logs, we could see the webmail URL being accessed many times from outside, from unknown IPs, and logged in with correct credentials.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
The reason I am saying the server is not compromised is because, as per the logs, we could see the webmail URL being accessed many times from outside, from unknown IPs, and logged in with correct credentials.
Have you verified the workstations/local computers of the customers accessing Webmail/POP3/IMAP for those email accounts are not compromised? If they were compromised, then that would explain how the email passwords were obtained and used to setup the forwarders.

Thank you.