Domain contact information changed, not by me

[theDaveB]

Hi,

First post.

On one of my domains the contact information was changed to [email protected]

I got a email alert and went in and changed it back and reset passwords etc...

My host said this first -

------------
[email protected] is specified as an 'access token for Pushbullet' in your contact information on cPanel account domaininquestion.co.uk and I believe that causes the issue. Please remove it if you no longer use it.
It's actually a security token that you add to your account through the webmail interface. You can leave it blank and not use it. It is a new feature of the paper lantern theme that's being implemented with cPanel. You will receive notifications about problems when you put in a list of Access Tokens for the Pushbullet™ accounts separated by commas.
------------

I have explained why would I do that, I don't even know who's that gmail account is and I have no idea what PushBullet is.

Then they replied with this -

------------
In cPanel under "contact information" there is a option named "An access token for Pushbullet" there you have specified the emial ID as "[email protected]".
------------

I once again explained that I haven't but they won't tell me (if they even know) how it happened.

I am just trying to find out how the contact information can be changed apart from the obvious of logging into cPanel and changing it. I know it can also be done from the WHM interface as. that's where I changed it back.

Any ideas of what could have happened?

Thanks,

Dave

 

[cPanelLauren]

That would have had to have been changed manually either by API, UI or through CLI if the address is not one you recognize your provider could look through the access logs for a POST request that resembles the following:

<USERIPADDRESS> - $USER [07/03/2018:15:48:37 -0000] "POST /cpsessXXXXXXXX/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://server.example.come:2083/cpsess0719631041/frontend/paper_lantern/contact/saveemail.html?email=user%40gmail.com&second_email=teest%40test.com&pushbullet_access_token=&notify_contact_address_change=1&notify_contact_address_change_notification_disabled=1&notify_disk_limit=1&notify_autossl_expiry=1&notify_autossl_expiry_coverage=1&notify_autossl_renewal_coverage=1&notify_autossl_renewal_coverage_reduced=1&notify_autossl_renewal_uncovered_domains=1&notify_ssl_expiry=1&notify_password_change=1&notify_password_change_notification_disabled=1&notify_account_authn_link=1&notify_account_authn_link_notification_disabled=1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" "s" "-" 2083

specifically this portion:

saveemail.html?email=user%40gmail.com

 

[theDaveB]

Hi,

Thanks for that.

They have said they found this

<IPREMOVED> - wwwliverpoolstud [06/30/2018:00:29:27 -0000] "POST /cpsess9695886817/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://domainname.co.uk:2083/cpsess9695886817/frontend/paper_lantern/contact/saveemail.html?email=cvv.vbv3%40gmail.com&second_email=cvv.vbv3%40gmail.com&pushbullet_access_token=cvv.vbv3%40gmail.com&notify_contact_address_change=1&notify_contact_address_change_notification_disabled=1&notify_disk_limit=1&notify_ssl_expiry=1&notify_password_change=1&notify_password_change_notification_disabled=1&notify_account_authn_link=1&notify_account_authn_link_notification_disabled=1&notify_twofactorauth_change=1&notify_twofactorauth_change_notification_disabled=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" "s" "-" 2083

Dave

 

[cPanelLauren]

Hello,


This indicates that someone from the IP address noted, using the account wwwliverpoolstud accessed cPanel and modified the contact information.

 

[theDaveB]

Hi,

This has happened again to the same domain, this time the email used is - Removed -

I reset the cPanel password to a random password and haven't logged in using that password. So no idea how they are getting in.

Time I moved host I think.

Thanks,

Dave

 

[cPanelLauren]

Hi @theDaveB

You may also want to scan the site with a malware scanner as well as inspect all Plugins/Themes/etc. if it's built on a CMS platform. I have seen recently where a compromised theme leads to a CronJob created which updates the contact information. If you don't have root access to the server you might ask your provider to do this for you.

Thanks!