
cPanel e-mail forwarders hack

Discussion in 'Security' started by zodiac9797, Apr 12, 2018.

  1. zodiac9797

    zodiac9797 Member

    Joined:
    Apr 17, 2011
    Messages:
    17
    Likes Received:
    3
    Trophy Points:
    53
    Hello!

    Someone keeps creating a forwarder for an email account belonging to one of our clients.
    We noticed this because our mail queues were full of bounced emails. The targeted Gmail account that someone set as a forwarder started bouncing emails because of a high delivery rate, so I guess "they" are using the same Gmail account for many different forwarders.

    Question is, is there any WHM / cPanel log where I can see who created this forwarder and when? IP address, time, method (through cPanel or some other way)?

    I would like to narrow down this "hack" attack: was it half-manual, by stealing the cPanel password, logging in to cPanel and adding the forwarder, or was this done through some automated script?

    We have tried changing the cPanel password but it didn't help, so I guess the data is "leaking" from our client's computer, probably via some trojan or phishing method.

    Not sure if this goes here or under E-mail discussions. :)
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,424
    Likes Received:
    98
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @zodiac9797

    The only log that would show this data is the cPanel access log at /usr/local/cpanel/logs/access_log, *IF* the user made the modification through the UI.

    Otherwise, if you're sure it's a forwarder being modified, then in order to see if it gets changed again you could use auditd to watch /etc/valiases/domain.tld to identify what/who is modifying the file. If you're familiar with the CLI, a good walkthrough on how to create one can be found here:

    Simple example auditd configuration?

    Thank you,
     
  3. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,659
    Likes Received:
    76
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    Have you reviewed the cPanel access logs?

    /usr/local/cpanel/logs/access_log

    to see if the owner of the account is adding a forwarder to their account?
     
    cPanelLauren likes this.
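Both replies above point at /usr/local/cpanel/logs/access_log as the place to establish whether a forwarder was added through the cPanel UI or via a script. The following is an added example, not code from cPanel or from anyone in this thread: it scans access_log-style lines for forwarder-creation requests and reports source IP, time and a UI-vs-API guess. The log layout (Apache combined-like, cPanel-style timestamps), the sample lines and the three URL fragments used as forwarder-creation indicators (add_forwarder, addforward, doaddfwd) are assumptions and should be checked against your own server's log before relying on them.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of cPanel's access_log (assumed format,
# Apache combined-like with a [MM/DD/YYYY:HH:MM:SS -0000] timestamp).
SAMPLE_LOG = """\
203.0.113.7 - clientuser [04/12/2018:03:14:09 -0000] "GET /cpsess0123456789/frontend/paper_lantern/mail/fwds.html HTTP/1.1" 200 0 "https://example.invalid:2083/" "Mozilla/5.0"
203.0.113.7 - clientuser [04/12/2018:03:14:31 -0000] "POST /cpsess0123456789/execute/Email/add_forwarder HTTP/1.1" 200 0 "https://example.invalid:2083/" "Mozilla/5.0"
198.51.100.22 - clientuser [04/12/2018:03:20:02 -0000] "GET /cpsess9876543210/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=addforward HTTP/1.1" 200 0 "-" "python-requests/2.18"
192.0.2.5 - clientuser [04/12/2018:04:01:55 -0000] "GET /cpsess0123456789/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed URL fragments for forwarder creation: UAPI, API2 and legacy frontend.
FORWARDER_RE = re.compile(r'(add_forwarder|addforward|doaddfwd)', re.I)


def forwarder_events(log_text):
    """Return one dict per request that looks like a forwarder creation."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not FORWARDER_RE.search(m.group('path')):
            continue
        # Heuristic: a browser session sends a Mozilla UA and a referer from the
        # cPanel interface; a bare referer or a non-browser UA suggests scripted API use.
        scripted = m.group('referer') in ('-', '') or not m.group('ua').startswith('Mozilla')
        events.append({
            'ip': m.group('ip'),
            'user': m.group('user'),
            'time': datetime.strptime(m.group('ts'), '%m/%d/%Y:%H:%M:%S %z'),
            'path': m.group('path'),
            'channel': 'api/script' if scripted else 'ui',
        })
    return events


def source_ips(events):
    """Map each cPanel user to the set of IPs that created forwarders as that user."""
    per_user = {}
    for ev in events:
        per_user.setdefault(ev['user'], set()).add(ev['ip'])
    return per_user


if __name__ == '__main__':
    for ev in forwarder_events(SAMPLE_LOG):
        print(ev['time'].isoformat(), ev['user'], ev['ip'], ev['channel'], ev['path'])
```

Several distinct IPs for one user inside a short window, or an api/script channel the client never uses, is the kind of signal that separates a stolen password in use from an in-house change.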
  4. zodiac9797

    zodiac9797 Member

    Joined:
    Apr 17, 2011
    Messages:
    17
    Likes Received:
    3
    Trophy Points:
    53
    Hi @cPanelLauren I will try with the auditd, thank you!

    Hi @sparek-3, I have checked the cPanel access logs and found nothing. My first goal was to find out whether the forwarder was added through cPanel or by some other way. Thank you for your help!
     
    cPanelLauren likes this.
  5. siwis

    siwis Registered

    Joined:
    Oct 10, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Similar... I've recently stumbled upon three client cPanel accounts that had erroneous email forwarders. I have been able to track the date the forwarders started forwarding, but have been unable to see anything in the above-mentioned logs which assists.
    At this stage it is unclear whether the forwarders will respawn, but I will be monitoring very closely.
     
    #5 siwis, May 25, 2018
    Last edited: May 25, 2018