The Community Forums

cPanel e-mail forwarders hack

Discussion in 'Security' started by zodiac9797, Apr 12, 2018.

  1. zodiac9797 (Member)

    Hello!

    Someone keeps creating a forwarder for an email account belonging to one of our clients.
    We noticed this because our mail queue was full of bounced emails. The targeted Gmail address that someone set as the forwarder destination started bouncing emails because of the high delivery rate, so I guess "they" are using the same Gmail account for many different forwarders.

    Question is, is there any WHM / cPanel log where I can see who created this forwarder and when? IP address, time, method (through cPanel or some other way)?

    I would like to narrow down this "hack" attack: was it half-manual (stealing the cPanel password, logging in to cPanel and adding the forwarder), or was it done through some automated script?

    We have tried changing the cPanel password but it didn't help, so I guess the data is "leaking" from our client's computer, probably via some trojan or phishing method.

    Not sure if this goes here or under E-mail discussions. :)
     
  2. cPanelLauren (Forums Analyst, Staff Member; cPanel Access Level: DataCenter Provider)

    Hi @zodiac9797

    The only log that would show this data is the cPanel access log at /usr/local/cpanel/logs/access_log, *IF* the user made the modification through the UI.

    Otherwise, if you're sure it's a forwarder being modified, you could use auditd to watch /etc/valiases/domain.tld in order to see if it gets changed again and identify what/who is modifying the file. If you're familiar with the CLI, a good walkthrough on how to create one can be found here:

    Simple example auditd configuration?

    Thank you,
     
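The auditd approach from the reply above, carried through as an added example (not code from the thread or from cPanel): the watch rule for /etc/valiases/domain.tld in auditctl syntax, plus a small parser that turns raw `ausearch -k valiases` records into an attribution of who or what wrote the file. The audit records below are constructed to mimic the Linux audit format; the key name `valiases`, the uids and the process names are assumptions for illustration, and a real kernel emits more fields than shown.

```python
"""Attribute modifications of /etc/valiases/<domain> using auditd records.

Added example, not from the forum post. Assumes auditd is running and the
watch rule below was loaded (auditctl, or a file under /etc/audit/rules.d/).
The records parsed here are constructed in raw `ausearch` style.
"""
import re
from collections import defaultdict

# Watch rule in auditctl syntax: record writes and attribute changes to the
# aliases file and tag the events with the key "valiases" (key name assumed).
AUDIT_RULE = "-w /etc/valiases/domain.tld -p wa -k valiases"

# Constructed sample: one write by the cPanel daemon (no login session, auid
# unset) and one by an interactive root session that opened the file in vim.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1523528400.101:2001): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1c0 a2=241 a3=1a4 items=2 ppid=2100 pid=2188 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="cpsrvd" exe="/usr/local/cpanel/cpsrvd" key="valiases"
type=PATH msg=audit(1523528400.101:2001): item=1 name="/etc/valiases/domain.tld" inode=131 dev=fd:01 mode=0100644 ouid=1001 ogid=12 nametype=NORMAL
type=SYSCALL msg=audit(1523535600.507:2042): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=241 a3=1b6 items=2 ppid=3001 pid=3014 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="valiases"
type=PATH msg=audit(1523535600.507:2042): item=1 name="/etc/valiases/domain.tld" inode=131 dev=fd:01 mode=0100644 ouid=1001 ogid=12 nametype=NORMAL
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
NO_LOGIN_UID = 4294967295  # auid value when no login session owns the process


def parse_audit(text):
    """Group raw audit lines by event serial; keep who, what, and which file."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        timestamp, serial = int(m.group(1)), m.group(2)
        fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
        ev = events[serial]
        ev.setdefault("timestamp", timestamp)
        if fields.get("type") == "SYSCALL":
            ev.update(
                auid=int(fields["auid"]),   # login uid: who the session belongs to
                uid=int(fields["uid"]),     # effective actor at the time of the write
                comm=fields.get("comm"),
                exe=fields.get("exe"),
            )
        elif fields.get("type") == "PATH" and "name" in fields:
            ev["path"] = fields["name"]
    return [events[s] for s in sorted(events, key=int)]


def describe(ev):
    """One-line attribution: daemon acting for a user vs. a logged-in session."""
    if ev["auid"] == NO_LOGIN_UID:
        who = f"daemon {ev['comm']} ({ev['exe']}) running as uid {ev['uid']}"
    else:
        who = f"login uid {ev['auid']} via {ev['comm']} as uid {ev['uid']}"
    return f"{ev['timestamp']}: {ev['path']} modified by {who}"


def interactive_edits(events):
    """Events attributable to a logged-in user (auid set), e.g. a shell session."""
    return [ev for ev in events if ev["auid"] != NO_LOGIN_UID]


if __name__ == "__main__":
    for ev in parse_audit(SAMPLE_AUDIT):
        print(describe(ev))
```

A write whose `auid` is unset and whose `comm` is the cPanel daemon points back at a cPanel session (and therefore at the access log for the IP), while a set `auid` names the login that edited the file directly; either way the timestamp lets you line the change up with the bounce storm in the mail queue.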
  3. sparek-3 (Well-Known Member; cPanel Access Level: Root Administrator)

    Have you reviewed the cPanel access logs?

    /usr/local/cpanel/logs/access_log

    to see if the owner of the account is adding a forwarder to their account?
     
    cPanelLauren likes this.
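Both replies point at /usr/local/cpanel/logs/access_log. As an added example (not code from the thread or from cPanel), here is a scanner that pulls out only the requests that create a forwarder and reports the source IP, timestamp, account and channel for each. The log lines are constructed in the Apache-style format that file uses; the endpoint paths matched (the paper_lantern `mail/doaddfwd.html` form handler, the UAPI `Email/add_forwarder` call and the API2 `addforward` function) are assumptions to verify against your own server's log before relying on them.

```python
"""Find forwarder-creation requests in cPanel's access_log.

Added example, not code from the thread. Log lines are constructed; endpoint
names are assumptions to check against the real access_log on your server.
"""
import re
from collections import Counter

# Constructed sample: a browser session adding a forwarder through the UI,
# then a non-browser client hitting the UAPI endpoint from a different IP.
SAMPLE_LOG = """\
203.0.113.7 - clientuser [04/12/2018:09:14:02 -0000] "GET /cpsess0000000001/frontend/paper_lantern/mail/fwds.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - clientuser [04/12/2018:09:14:31 -0000] "POST /cpsess0000000001/frontend/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.22 - clientuser [04/12/2018:11:02:10 -0000] "GET /cpsess0000000002/execute/Email/add_forwarder?domain=domain.tld&email=info&fwdopt=fwd&fwdemail=someone%40gmail.com HTTP/1.1" 200 300 "-" "python-requests/2.18.4"
203.0.113.7 - clientuser [04/12/2018:11:05:44 -0000] "GET /cpsess0000000001/frontend/paper_lantern/index.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Request paths that create a forwarder; the key names the channel used.
FORWARDER_ENDPOINTS = {
    "ui-form": re.compile(r"/mail/doaddfwd\.html"),
    "uapi": re.compile(r"/execute/Email/add_forwarder"),
    "api2": re.compile(r"cpanel_jsonapi_func=addforward"),
}


def forwarder_events(log_text):
    """Return one record per request that hit a forwarder-creation endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip it
        rec = m.groupdict()
        for channel, pattern in FORWARDER_ENDPOINTS.items():
            if pattern.search(rec["path"]):
                rec["channel"] = channel
                # A non-browser User-Agent on a forwarder change is a hint of
                # scripted use of a stolen credential rather than a person in the UI.
                rec["scripted"] = not rec["agent"].startswith("Mozilla/")
                events.append(rec)
                break
    return events


def ips_by_count(events):
    """How many forwarder changes each source IP made; useful for blocking/triage."""
    return Counter(ev["ip"] for ev in events)


if __name__ == "__main__":
    for ev in forwarder_events(SAMPLE_LOG):
        flag = " [non-browser client]" if ev["scripted"] else ""
        print(f"{ev['time']} {ev['ip']} {ev['user']} via {ev['channel']}{flag}")
```

If the scan returns nothing for the window in which the forwarder appeared, the change did not go through cpsrvd and you are back to the file watch on /etc/valiases; if it returns hits from an IP or User-Agent the client does not recognise, that is the session to revoke and the credential to rotate.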
  4. zodiac9797 (Member)

    Hi @cPanelLauren I will try with the auditd, thank you!

    Hi @sparek-3, I have checked the cPanel access logs and found nothing. My first goal was to find out whether the forwarder was added through cPanel or by some other way. Thank you for your help!
     