
Domain contact information changed, not by me

Discussion in 'Security' started by theDaveB, Jul 2, 2018.

  1. theDaveB (Registered, cPanel Access Level: Reseller Owner)
    Hi,

    First post.

    On one of my domains the contact information was changed to user@gmail.com

    I got an email alert and went in and changed it back and reset passwords etc...

    My host said this first -

    ------------
    user@gmail.com is specified as an 'access token for Pushbullet' in your contact information on cPanel account domaininquestion.co.uk and I believe that causes the issue. Please remove it if you no longer use it.
    It's actually a security token that you add to your account through the webmail interface. You can leave it blank and not use it. It is a new feature of the paper lantern theme that's being implemented with cPanel. You will receive notifications about problems when you put in a list of Access Tokens for the Pushbullet™ accounts separated by commas.
    ------------

    I have explained: why would I do that? I don't even know whose Gmail account that is, and I have no idea what Pushbullet is.

    Then they replied with this -

    ------------
    In cPanel under "contact information" there is an option named "An access token for Pushbullet", where you have specified the email ID as "user@gmail.com".
    ------------

    I once again explained that I haven't but they won't tell me (if they even know) how it happened.

    I am just trying to find out how the contact information can be changed, apart from the obvious of logging into cPanel and changing it. I know it can also be done from the WHM interface, as that's where I changed it back.

    Any ideas of what could have happened?

    Thanks,

    Dave
     
    #1 theDaveB, Jul 2, 2018
    Last edited by a moderator: Jul 2, 2018
  2. cPanelLauren (Forums Analyst II, Staff Member, cPanel Access Level: DataCenter Provider)
    That would have had to have been changed manually, either through the API, the UI or the CLI. If the address is not one you recognize, your provider could look through the access logs for a POST request that resembles the following:

    Code:
    <USERIPADDRESS> - $USER [07/03/2018:15:48:37 -0000] "POST /cpsessXXXXXXXX/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://server.example.com:2083/cpsess0719631041/frontend/paper_lantern/contact/saveemail.html?email=user%40gmail.com&second_email=teest%40test.com&pushbullet_access_token=&notify_contact_address_change=1&notify_contact_address_change_notification_disabled=1&notify_disk_limit=1&notify_autossl_expiry=1&notify_autossl_expiry_coverage=1&notify_autossl_renewal_coverage=1&notify_autossl_renewal_coverage_reduced=1&notify_autossl_renewal_uncovered_domains=1&notify_ssl_expiry=1&notify_password_change=1&notify_password_change_notification_disabled=1&notify_account_authn_link=1&notify_account_authn_link_notification_disabled=1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" "s" "-" 2083
    specifically this portion:
    Code:
    saveemail.html?email=user%40gmail.com
     
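The log check described in the reply above, as an added example that is not part of the thread and not cPanel's own tooling: a Python parser for lines in the format shown (the style of cPanel's access log, normally /usr/local/cpanel/logs/access_log), which pulls the submitted contact values out of a saveemail.html URL whether it appears as the request itself or, as in the posted evidence, as the Referer of the get_notifications_count call that follows the save. The IP addresses, usernames, hostnames and email addresses in the sample lines are constructed placeholders, and the trusted-address list is an assumption for the demonstration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the format the thread shows (placeholder IPs,
# usernames and addresses; not the poster's real log).  Line 1 mirrors the
# posted evidence: the change shows up as the Referer of the notification
# poll fired after saving.  Line 2 is a direct request for saveemail.html.
# Line 3 is unrelated noise.
SAMPLE_LOG = """\
203.0.113.7 - exampleuser [06/30/2018:00:29:27 -0000] "POST /cpsess9695886817/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://example.co.uk:2083/cpsess9695886817/frontend/paper_lantern/contact/saveemail.html?email=attacker%40example.net&second_email=attacker%40example.net&pushbullet_access_token=attacker%40example.net&notify_contact_address_change=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" "s" "-" 2083
198.51.100.20 - exampleuser [07/02/2018:09:12:03 -0000] "GET /cpsess0719631041/frontend/paper_lantern/contact/saveemail.html?email=owner%40example.co.uk&second_email=&pushbullet_access_token=&notify_contact_address_change=1 HTTP/1.1" 200 4120 "https://example.co.uk:2083/cpsess0719631041/frontend/paper_lantern/contact/index.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" "s" "-" 2083
198.51.100.20 - exampleuser [07/02/2018:09:12:05 -0000] "GET /cpsess0719631041/frontend/paper_lantern/index.html HTTP/1.1" 200 9876 "https://example.co.uk:2083/cpsess0719631041/frontend/paper_lantern/contact/index.html" "Mozilla/5.0" "s" "-" 2083
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

CONTACT_PATH = "/contact/saveemail.html"
CONTACT_FIELDS = ("email", "second_email", "pushbullet_access_token")


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The offset in these lines is -0000, so the wall-clock part is UTC.
    rec["time"] = datetime.strptime(rec["ts"].split()[0], "%m/%d/%Y:%H:%M:%S")
    return rec


def contact_change(rec):
    """Return the contact values submitted in this record, or None if it is not a save.

    The request path is checked first (the save itself); the Referer is the
    fallback, which is where the posted evidence lives.  The Referer is sent
    by the client and can be omitted or forged, so a hit there is weaker than
    one on the request path; "source" records which one matched.
    """
    for source, url in (("request", rec["path"]), ("referer", rec["referer"])):
        parts = urlsplit(url)
        if parts.path.endswith(CONTACT_PATH) and parts.query:
            q = parse_qs(parts.query, keep_blank_values=True)
            change = {k: rec[k] for k in ("ip", "user", "ts", "time")}
            change["source"] = source
            for field in CONTACT_FIELDS:
                change[field] = q.get(field, [""])[0]
            return change
    return None


def find_contact_changes(lines):
    """All contact-information saves in the log, in file order."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        change = contact_change(rec)
        if change is not None:
            out.append(change)
    return out


def find_unknown_contact_addresses(lines, trusted):
    """Saves that set any contact field to a value outside the trusted set.

    Blank values are ignored (clearing a field is not suspicious by itself).
    The Pushbullet token field is included because the thread shows it being
    filled with an email address as well.
    """
    trusted = {t.lower() for t in trusted}
    flagged = []
    for change in find_contact_changes(lines):
        values = [change[f] for f in CONTACT_FIELDS if change[f]]
        unknown = [v for v in values if v.lower() not in trusted]
        if unknown:
            change["unknown_values"] = unknown
            flagged.append(change)
    return flagged


if __name__ == "__main__":
    # Assumed trusted address for the demo; in practice use the owner's real contacts.
    for hit in find_unknown_contact_addresses(SAMPLE_LOG.splitlines(),
                                             trusted={"owner@example.co.uk"}):
        print(f'{hit["ts"]} user={hit["user"]} ip={hit["ip"]} via={hit["source"]} '
              f'set {hit["unknown_values"]}')
```

Run it against the real file with `find_unknown_contact_addresses(open(path), trusted)`; every hit gives the source IP, the cPanel user and the session, which is what the provider needs to trace a login that was not yours.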
  3. theDaveB (Registered, cPanel Access Level: Reseller Owner)
    Hi,

    Thanks for that.

    They have said they found this:

    Code:
    <IPREMOVED> - wwwliverpoolstud [06/30/2018:00:29:27 -0000] "POST /cpsess9695886817/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://domainname.co.uk:2083/cpsess9695886817/frontend/paper_lantern/contact/saveemail.html?email=cvv.vbv3%40gmail.com&second_email=cvv.vbv3%40gmail.com&pushbullet_access_token=cvv.vbv3%40gmail.com&notify_contact_address_change=1&notify_contact_address_change_notification_disabled=1&notify_disk_limit=1&notify_ssl_expiry=1&notify_password_change=1&notify_password_change_notification_disabled=1&notify_account_authn_link=1&notify_account_authn_link_notification_disabled=1&notify_twofactorauth_change=1&notify_twofactorauth_change_notification_disabled=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" "s" "-" 2083
    Dave
     
    #3 theDaveB, Jul 3, 2018
    Last edited by a moderator: Jul 3, 2018
  4. cPanelLauren (Forums Analyst II, Staff Member, cPanel Access Level: DataCenter Provider)
    Hello,

    This indicates that someone from the IP address noted, using the account wwwliverpoolstud, accessed cPanel and modified the contact information.
     
  5. theDaveB (Registered, cPanel Access Level: Reseller Owner)
    Hi,

    This has happened again to the same domain. This time the email used is - Removed -

    I reset the cPanel password to a random password and haven't logged in using that password, so I have no idea how they are getting in.

    Time I moved host I think.

    Thanks,

    Dave
     
    #4 theDaveB, Jul 8, 2018
    Last edited by a moderator: Jul 8, 2018
  6. cPanelLauren (Forums Analyst II, Staff Member, cPanel Access Level: DataCenter Provider)
    Hi @theDaveB

    You may also want to scan the site with a malware scanner, as well as inspect all plugins, themes, etc. if it's built on a CMS platform. I have recently seen cases where a compromised theme leads to a cron job being created which updates the contact information. If you don't have root access to the server, you might ask your provider to do this for you.

    Thanks!
     
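The cron-job angle from the reply above, as an added example that is not part of the thread and not a cPanel tool: a small Python audit of a per-user crontab (the format of /var/spool/cron/<user> on a CentOS-based cPanel box) that flags jobs which hit cPanel's contact-settings page or service ports, call the uapi or cpapi2 command-line wrappers, run scripts out of theme or plugin directories or hidden paths, carry inline credentials, or decode a payload on the fly. The crontab content, the rule names and the base64 payload are constructions for the demonstration; the rules are heuristics, not a complete list of what a planted job can look like.

```python
import re

# Constructed crontab for a cPanel account: an environment line, one ordinary
# job, and three entries of the kind a compromised theme might plant.  Paths,
# addresses and the base64 payload are placeholders, not from a real incident.
SAMPLE_CRONTAB = """\
MAILTO=""
# nightly backup (legitimate)
0 3 * * * /home/exampleuser/bin/backup.sh >/dev/null 2>&1
*/5 * * * * curl -sk -u exampleuser:Hunter2 "https://127.0.0.1:2083/frontend/paper_lantern/contact/saveemail.html?email=attacker%40example.net" >/dev/null 2>&1
@hourly php -q /home/exampleuser/public_html/wp-content/themes/twentyseventeen/.cache/x.php
* * * * * echo Y3VybCAuLi4= | base64 -d | sh
"""

# Each rule is (name, pattern applied to the command part of a job).
RULES = [
    ("cpanel_api_cli", re.compile(r"\b(uapi|cpapi2)\b")),
    ("cpanel_web_port", re.compile(r":(2082|2083|2086|2087)\b")),
    ("contact_settings_endpoint", re.compile(r"/contact/saveemail\.html")),
    ("inline_credentials", re.compile(r"\s-u\s+\S+:\S+")),
    ("obfuscation", re.compile(r"base64\s+(-d|--decode)|\beval\b")),
    ("temp_or_hidden_path", re.compile(r"(^|\s|=)(/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+/")),
    ("theme_or_plugin_script", re.compile(r"/wp-content/(themes|plugins)/\S+\.php\b")),
]

ENV_LINE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Return (line_number, schedule, command) for each job in crontab text.

    Blank lines, comments and VAR=value lines are skipped.  @hourly-style
    nicknames are a single schedule token; otherwise the first five fields
    form the schedule and the remainder of the line is the command.
    """
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed; not a job
            parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            jobs.append((lineno, parts[0], parts[1]))
    return jobs


def audit_crontab(text):
    """Return the jobs that trip at least one rule, with the rule names that fired."""
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        reasons = [name for name, pat in RULES if pat.search(command)]
        if reasons:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f'line {f["line"]} [{f["schedule"]}] {", ".join(f["reasons"])}: {f["command"]}')
```

With root on the server, feed every file under /var/spool/cron/ through `audit_crontab`; as a single account, `crontab -l` gives the same text for your own user. A hit is a lead, not proof: look at what the script or URL actually does, and at the file's modification time against the date the contact change was logged.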