The Community Forums


Automatically created email forwarders?

Discussion in 'E-mail Discussions' started by abusam, Aug 9, 2017.

  1. abusam

    abusam Member

    Hello ...

    In 2 of our cPanel accounts, email forwarders are being created automatically. It has happened 3 times, and important emails are being forwarded to another Gmail account. The same Gmail ID is added as a forwarder on 3 email accounts in cPanel.

    When it happened earlier, we had changed the password, but it has happened again.

    Please advise how we can trace this and make it more secure.

    thanks,

    Regards,
    Navas
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Do you have root access to this system? If so, you can review /usr/local/cpanel/logs/access_log to see if those forwarders were set up through cPanel, and if so, the IP address that created them.

    Thank you.
     
  3. abusam

    abusam Member

    Hello ..
    There I could see some lines like: "GET /cpsess7397808332/frontend/paper_lantern/mail/dodelfwdconfirm.html?domain=&email=s

    But I think it's common ..

    If a forwarder is created, what will appear in the logs?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Create one and then check your log again. Be sure to remove it as well. Then look to find your IP in the log.
     
  5. abusam

    abusam Member

    I had already tried it. But the log does not show the email IDs added as forwarders.
     
  6. abusam

    abusam Member

    Hello ..

    I have traced it from the logs:

    Code:
    185.x.x.30 proxy jay40domain.com [07/14/2017:07:07:11 -0000] "POST /cpsess1534674095/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://webmail.domain.com/cpsess1534674095/webmail/paper_lantern/mail/addfwd.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 185.x.x.30" 443

    It means the outside IP which accessed it is 185.x.x.30, but then what is this term 'proxy'?
    Also, I think the forwarding was done via the webmail URL. How is it happening, because these forwarder entries were created for many other users and from other unknown IPs?

    thanks,

    Navas
     
    #6 abusam, Aug 9, 2017
    Last edited by a moderator: Aug 9, 2017
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The "proxy" entry simply means the URL was accessed via a proxy subdomain (e.g. webmail.domain.tld). Keep in mind that individual email account users can create forwarders via the webmail interface. In addition to changing the cPanel passwords, be sure to change the individual email account passwords, or verify that the individual email account users are not authenticating from an exploited workstation.

    Thank you.
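A way to sift access_log for the forwarder-creation POSTs discussed above, as an added example that is not code from the thread or from cPanel. It assumes the field layout of the quoted log line (ip, proxy flag, user, timestamp, request, status, bytes, referer, agent, a one-letter flag, X-Forwarded-For, port), treats the delete handler name as an assumption, and runs on constructed sample lines.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Field layout assumed from the access_log line quoted in the thread:
# ip proxy-flag user [timestamp] "request" status bytes "referer" "agent" "flag" "X-Forwarded-For: ip" port
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proxy>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "[^"]*" "(?P<xff>[^"]*)" (?P<port>\d+)$'
)
# doaddfwd.html is the forwarder-creation action seen in the thread; the delete
# handler name is an assumption, so both add and delete handler names are matched.
FORWARDER_ACTION = re.compile(r"/mail/do(add|del)fwd\.html$")

# Constructed sample (not from the thread): a harmless page view, a webmail
# forwarder creation arriving through the proxy subdomain, and one via cPanel.
SAMPLE_LOG = """\
203.0.113.7 - cpaneluser [08/09/2017:10:15:02 -0000] "GET /cpsess1111111111/frontend/paper_lantern/mail/fwds.html HTTP/1.1" 200 0 "https://example.com:2083/cpsess1111111111/frontend/paper_lantern/mail/index.html" "Mozilla/5.0" "s" "-" 2083
198.51.100.9 proxy jay40example.com [08/09/2017:10:16:40 -0000] "POST /cpsess2222222222/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://webmail.example.com/cpsess2222222222/webmail/paper_lantern/mail/addfwd.html" "Mozilla/5.0" "s" "X-Forwarded-For: 198.51.100.9" 443
203.0.113.7 - cpaneluser [08/09/2017:10:20:11 -0000] "POST /cpsess1111111111/frontend/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://example.com:2083/cpsess1111111111/frontend/paper_lantern/mail/addfwd.html" "Mozilla/5.0" "s" "-" 2083
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access_log line, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def forwarder_events(lines) -> List[Dict[str, str]]:
    """Keep only POSTs to forwarder add/delete handlers, with the originating IP."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not FORWARDER_ACTION.search(rec["path"]):
            continue
        # Behind the proxy subdomain the real client address is in X-Forwarded-For.
        xff = re.search(r"X-Forwarded-For:\s*(\S+)", rec["xff"])
        events.append({
            "time": rec["ts"],
            "user": rec["user"],
            "source_ip": xff.group(1) if xff else rec["ip"],
            "via": "webmail" if "/webmail/" in rec["path"] else "cpanel",
            "action": rec["path"].rsplit("/", 1)[-1],
        })
    return events

def sources(events) -> Counter:
    """Count forwarder changes per originating IP; unfamiliar ones need explaining."""
    return Counter(e["source_ip"] for e in events)
```

Run it over the real file with `forwarder_events(open("/usr/local/cpanel/logs/access_log"))`; an IP in `sources()` that no account owner recognises is the one to investigate.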
     
  8. abusam

    abusam Member

    Hello ..

    We have changed the cPanel/WHM and affected email passwords. It still happened again: one more forwarder was created. We traced the IPs; all are from the EU region.
    We are using paper_lantern as the theme. All the injections happened via webmail. We still do not know how it is getting the email passwords.
     
  9. rpvw

    rpvw Well-Known Member

    If you are 100% certain the server is not compromised, have you checked the computer or device you are using to change the email account passwords for exploits or malware, e.g. a keylogger?
     
  10. abusam

    abusam Member

    Hello,

    The reason I am saying the server is not compromised is that, as per the logs, we could see the webmail URL being accessed many times from outside, from unknown IPs, and logged in with correct credentials.
     