Email filters created by unauthorized user

Ovidiu Sopa

Member
Jun 19, 2017
8
1
3
Sibiu, Romania
cPanel Access Level
Root Administrator
Hello,

It's the second time one of my clients has had this issue. About a year ago I discovered that all the emails received by my client were redirected to a Gmail account; he did not know anything about that forwarder. I deleted the forwarder and changed the email account password and the cPanel password.

Now, about a month ago, he asked me to send the new cPanel password. I sent it, and now they have told me they receive some "Failed delivery" emails from Gmail. When I checked the email I noticed that the same thing had happened again: 3 email accounts had an active filter.

The filter name was just a dot, so it's easy to miss it in the filters list.

Can you tell me what logs I can search to track down who created those filters? I tried searching for the Gmail address in /usr/local/cpanel/logs/access_log but couldn't find anything.

If the filter was created through Roundcube / Horde (if that's possible), what logs should I search?

If the forms that change the password use the POST method, maybe it would be helpful for tracking things if there were some information in the GET too, like the email address used to add the forwarder.

Also, is it possible to get a notification when a new filter is created or when a new forwarder is created?

Thank you.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Hello,

The cPanel access logs at /usr/local/cpanel/logs/access_log will indicate any modifications to the filters which were made through the UI. If the modification was made by a script or over SSH it wouldn't be logged anywhere.
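
An added example, not part of any post in this thread and not cPanel's own code: an access log records the request line but not POST bodies, so this sketch searches on filter and forwarder endpoint names rather than on the destination address, and reports who called them and from where. The combined-style line layout, the `/cpsess…` prefix handling, the `store_filter` endpoint and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed layout (combined-style): ip - user [ts] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Match the endpoint name; a forwarding address sent in a POST body is not logged.
MAIL_RULE_RE = re.compile(r'filter|forward|fwd', re.IGNORECASE)
SESSION_RE = re.compile(r'^/cpsess\d+')  # per-session token prefix (assumed form)

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '198.51.100.23 - clientuser [05/02/2019:03:14:07 -0000] "POST /cpsess0123456789/execute/Email/store_filter HTTP/1.1" 200 0 "-" "python-requests/2.21" "s" "-" 2083',
    '203.0.113.5 - clientuser [05/02/2019:09:30:00 -0000] "GET /cpsess9876543210/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    '198.51.100.23 - info%40example.com [05/02/2019:03:15:40 -0000] "GET /cpsess0123456789/execute/Email/enable_filter?account=info%40example.com HTTP/1.1" 200 0 "-" "python-requests/2.21" "s" "-" 2096',
    'garbage line',
]


def find_mail_rule_requests(lines):
    """Return one dict per request whose path touches filters or forwarders."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        # Drop the session token and query string so the endpoint is comparable.
        path = SESSION_RE.sub('', m['path']).split('?', 1)[0]
        if MAIL_RULE_RE.search(path):
            # The user field may be percent-encoded (e.g. a mailbox address).
            hits.append({**m.groupdict(), 'path': path, 'user': unquote(m['user'])})
    return hits


def sources_by_user(hits):
    """Map each authenticated user to the set of source IPs seen in the hits."""
    out = defaultdict(set)
    for h in hits:
        out[h['user']].add(h['ip'])
    return dict(out)


if __name__ == '__main__':
    # On a server, pass open('/usr/local/cpanel/logs/access_log') instead.
    for h in find_mail_rule_requests(SAMPLE_LOG):
        print(h['ts'], h['ip'], h['user'], h['method'], h['path'], h['status'])
```

An IP that appears in `sources_by_user` but never in the client's normal sessions is the lead to follow; rotated copies of the log need the same pass.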
 

Ovidiu Sopa

> Hello,
>
> The cPanel access logs at /usr/local/cpanel/logs/access_log will indicate any modifications to the filters which were made through the UI. If the modification was made by a script or over SSH it wouldn't be logged anywhere.

Hello Lauren,

None of my clients have access to SSH. What other script might add filters to cPanel? Can a PHP script add a filter? In what files does cPanel store the global filters and user filters?

Is there a way to receive a notification when a new filter is added?

Thank you.
 

cPanelLauren

It would be possible for a script to add an email filter, yes - for example the UAPI function Email::enable_filter (UAPI Functions - Email::enable_filter - Developer Documentation - cPanel Documentation). You might check the account for malware/malicious scripts if you're unsure how it was present.

I don't believe there is something that will notify you if a new filter is present; you could disable the filters in the feature manager within WHM to disable access to this.