Forwarders are being added automatically

Discussion in 'Security' started by hyder95, Jun 21, 2016.

  1. hyder95

    hyder95 Active Member

    Joined:
    May 26, 2016
    Messages:
    42
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Lahore
    cPanel Access Level:
    Root Administrator
    Hello,
    This is the second time that a forwarder has been added automatically. I deleted it before, but now the same email address has been added again in Forwarders against the same ID.

    Can I trace who is doing this and get logs to satisfy the customer?

    Here are some details you may want to know.
    Default PHP Version (.php files): 5
    PHP 5 Handler: suPHP
    PHP 5 Handler: On
    Apache Ruid2: Off
    PHP version: 5.5 with Apache 2.2 (I recently updated the PHP version and rebuilt Apache). Is this the cause of the security breach? One more thing: the last time this happened, I asked the customer to change all their passwords (cPanel, FTP, etc.).

    Thanks.
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    326
    Likes Received:
    24
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,


    You can check the mail forwarder logs using the command below.

    cat /usr/local/cpanel/logs/access_log | grep forwardersemail | grep Domainname

    (Domainname is the email account's domain.)

    The above command will show the logs as well as the IPs that added forwarders.
     
  3. hyder95

    hyder95 Active Member

    Hello,
    Thanks for your prompt reply.

    I could not get your point (domain name is email account's domain)?
    Which email account's domain? The one being added in Forwarders against my email account, or my own domain name?

    Thanks.
     
  4. hyder95

    hyder95 Active Member

    Hello,
    I assume my own domain name.
    Executed command:
    cat /usr/local/cpanel/logs/access_log | grep forwardersemail | grep mydomainname

    Code:
    MyIp XX:XX:XX:XX - mydomainname [06/21/2016:07:19:34 -0000] "GET /cpsess5786943873/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22userfiltering%22%3A2%2C%22spamassassin%22%3A6%2C%22maillist%22%3A3%2C%22forwardersemail%22%3A49%2C%22manageaccounts%22%3A81%2C%22nettools%22%3A1%2C%22defaultemailacct%22%3A3%2C%22webemail%22%3A4%2C%22password%22%3A5%2C%22responder%22%3A3%2C%22rawaccesslogs%22%3A3%2C%22ftpaccounts%22%3A3%2C%22latestvisitors%22%3A1%2C%22errorlogs%22%3A1%2C%22chooselog%22%3A1%2C%22csvimport%22%3A1%2C%22emailmx%22%3A1%7D&__nvdata%3A%3Anocache=1 HTTP/1.1" 200 0 "https://MyServerIp:2083/cpsess5786943873/frontend/x3/mail/fwds.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31" "s" "-" 2083
    182.185.144.189 - wingch [06/21/2016:07:19:53 -0000] "GET /cpsess5786943873/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22userfiltering%22%3A2%2C%22spamassassin%22%3A6%2C%22maillist%22%3A3%2C%22forwardersemail%22%3A49%2C%22manageaccounts%22%3A82%2C%22nettools%22%3A1%2C%22defaultemailacct%22%3A3%2C%22webemail%22%3A4%2C%22password%22%3A5%2C%22responder%22%3A3%2C%22rawaccesslogs%22%3A3%2C%22ftpaccounts%22%3A3%2C%22latestvisitors%22%3A1%2C%22errorlogs%22%3A1%2C%22chooselog%22%3A1%2C%22csvimport%22%3A1%2C%22emailmx%22%3A1%7D&__nvdata%3A%3Anocache=1 HTTP/1.1" 200 0 "https://MyServerIp:2083/cpsess5786943873/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31" "s" "-" 2083
    MyIp - wingch [06/21/2016:08:37:16 -0000] "GET /cpsess0108396155/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22userfiltering%22%3A2%2C%22spamassassin%22%3A6%2C%22maillist%22%3A3%2C%22forwardersemail%22%3A50%2C%22manageaccounts%22%3A82%2C%22nettools%22%3A1%2C%22defaultemailacct%22%3A3%2C%22webemail%22%3A4%2C%22password%22%3A5%2C%22responder%22%3A3%2C%22rawaccesslogs%22%3A3%2C%22ftpaccounts%22%3A3%2C%22latestvisitors%22%3A1%2C%22errorlogs%22%3A1%2C%22chooselog%22%3A1%2C%22csvimport%22%3A1%2C%22emailmx%22%3A1%7D&__nvdata%3A%3Anocache=1 HTTP/1.1" 200 0 "https://192.99.160.37:2083/cpsess0108396155/frontend/x3/mail/fwds.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31" "s" "-" 2083
    119.152.48.159 - zeeshan%example.com.pk [06/21/2016:09:31:57 -0000] "GET /cPanel_magic_revision_1366622830/webmail/x3/branding/forwardersemail.gif HTTP/1.1" 200 0 "http://mydomainname:2095/cpsess5089267706/webmail/x3/index.html?login=1&post_login=96073936429732" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "s" "-" 2095
    
    The results are pretty strange, because this command shows my own machine's IP, from which I am raising this question. However, the customer observed the forwarders added a couple of days ago.

    Any suggestions, please?

    Thanks.
     
    #4 hyder95, Jun 21, 2016
    Last edited by a moderator: Jun 21, 2016
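
An added example, not part of any post in this thread: a triage script for access_log lines in the format quoted above, separating hits that merely contain the string `forwardersemail` from requests that actually create a forwarder. Assumptions: `NVData` calls are treated as saved interface state, and `doaddfwd.html`, API 2 `Email::addforward` and UAPI `Email::add_forwarder` are taken as the forwarder-creating requests; confirm these against your own cPanel version.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Layout of the access_log lines quoted in the thread:
# IP - user [timestamp] "METHOD target HTTP/x.y" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')

# Assumptions (not from the thread): requests that create a forwarder.
ADD_PATHS = ("/mail/doaddfwd.html", "/execute/Email/add_forwarder")
ADD_API2 = ("Email", "addforward")

def classify(line):
    """Return (kind, ts, ip, user) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query)  # also percent-decodes the values
    call = (qs.get("cpanel_jsonapi_module", [""])[0],
            qs.get("cpanel_jsonapi_func", [""])[0])
    if url.path.endswith(ADD_PATHS) or call == ADD_API2:
        kind = "forwarder-add"
    elif call[0] == "NVData":
        kind = "ui-preference"   # assumed: interface state saved by the browser
    elif url.path.endswith((".gif", ".png", ".css", ".js")):
        kind = "static-asset"    # e.g. branding/forwardersemail.gif
    else:
        kind = "other"
    return kind, m["ts"], m["ip"], m["user"]

def forwarder_adds(lines):
    """Only the hits that created a forwarder, as (ts, ip, user) tuples."""
    hits = (classify(l) for l in lines)
    return [h[1:] for h in hits if h and h[0] == "forwarder-add"]

# Constructed sample lines in the thread's format (documentation IPs, dummy session ids).
SAMPLE = [
    '198.51.100.7 - wingch [06/21/2016:07:19:53 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22forwardersemail%22%3A49%7D HTTP/1.1" 200 0 "-" "-" "s" "-" 2083',
    '198.51.100.9 - zeeshan%example.com.pk [06/21/2016:09:31:57 -0000] "GET /cPanel_magic_revision_1366622830/webmail/x3/branding/forwardersemail.gif HTTP/1.1" 200 0 "-" "-" "s" "-" 2095',
    '203.0.113.50 - wingch [06/19/2016:02:14:08 -0000] "POST /cpsess0000000002/frontend/x3/mail/doaddfwd.html HTTP/1.1" 200 0 "-" "-" "s" "-" 2083',
    '203.0.113.50 - wingch [06/19/2016:02:15:40 -0000] "GET /cpsess0000000002/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=addforward&cpanel_jsonapi_apiversion=2 HTTP/1.1" 200 0 "-" "-" "s" "-" 2083',
]

if __name__ == "__main__":
    print(Counter(classify(l)[0] for l in SAMPLE))
    print(forwarder_adds(SAMPLE))
```

Run it over rotated copies of the log as well, since the current access_log may not reach back to the date the forwarder appeared.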
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,807
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  6. hyder95

    hyder95 Active Member

    Hello,
    No, I have not installed anything.

    Thank You.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  8. hyder95

    hyder95 Active Member

    Hello,
    Ticket raised :
    7584795
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    To update, there were not sufficient logs to determine the cause of the issue. The user was advised to leave the forwarder in-place should the issue reoccur to allow for additional troubleshooting.

    Thank you.
     
  10. hyder95

    hyder95 Active Member

    Hello,
    Okay, I will let you know if it happens again.

    Thank You.
     