The Community Forums


Hacked email account addition from outside cPanel

Discussion in 'Security' started by hicom, Jun 5, 2014.

  1. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    272
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    We've caught spam being sent out from an email address for a client on the server (say admin@domain.com).

    So we deleted that email account and all is good. After a day, we found the same email account sending spam emails again.

    Logged in to cPanel for the user and found the email account had been re-created (admin@domain.com); however, cPanel reports the last login IP as our IP address. There is no other reference to anyone who logged into the account besides us (/usr/local/cpanel/logs/access_log reports only our IP).

    Can a hacker who knows the username/password to the account remote into the system from outside cPanel and make modifications through API calls without that being logged on the system?

    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Authentication is required at some stage even if an email account is created through API. Review the cPanel access log for that domain name to see if you find anything of note. Also, I suggest changing the password for the cPanel account itself.

    Thank you.
     
  3. hicom
    Thanks, but the logs are not showing anyone logged in or authenticated for that domain. Any way to trace API logs? This is /usr/local/cpanel/logs/access_log as it relates to domain=domain.com (notice June 4th, when we logged in and deleted the email, and our 2nd login on June 5th to delete it again):

    Code:
     - asns [06/04/2014:22:13:09 -0000] "GET /cpsess847002248/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=passwdpop&email=admin&domain=domain.net&password=__HIDDEN__&cache_fix=1401919990694 HTTP/1.1" 200 0 "https://server.com:2083/cpsess847002248/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"
    
     - asns [06/04/2014:22:13:40 -0000] "GET /cpsess847002248/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=delpop&email=admin&domain=domain.net&cache_fix=1401920021491 HTTP/1.1" 200 0 "https://server.com:2083/cpsess847002248/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"
    
     - asns [06/05/2014:17:56:30 -0000] "GET /cpsess847002248/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=delpop&email=admin&domain=domain.net&cache_fix=1401990992124 HTTP/1.1" 200 0 "https://server.com:2083/cpsess847002248/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"
     
  4. cPanelMichael (Staff Member)
    There is not a separate log file for changes made through the API. Are you sure the email account was properly deleted the first time? Has it been created again since?

    Thank you.
     
  5. hicom
    I'm positive the email account was deleted the first time, because when I saw it again, the email account had "Unlimited" while before it was deleted, it was set to the default 250MB.

    Once I changed the hosting account password, the hack stopped. I've checked /usr/local/cpanel/logs/login_log and found no login attempts under that username. The only IP that connected to the account in access_log for cPanel was my IP.

    It is very strange. My only thought is that someone is using some type of API to connect and those commands are not logged.
     
  6. cPanelMichael (Staff Member)
    It's likely safe to assume someone had access to the entire cPanel account, considering no further email accounts were added after changing the password. I can't think of any additional log files that would help, beyond the cPanel access log.

    Thank you.
     
  7. hicom
    I hate to bring this post up again, but we just caught another client compromised in exactly the same way. Someone created the email account spam@theirdomain.com and began sending hundreds of emails through it.

    Checking /usr/local/cpanel/logs/access_log and login_log shows nobody logged in or initiated a session for that site. The failed login_log goes back to 2012, and access_log goes back 2 weeks. We found no information at all on how someone managed to log in and add that email account there.
     
  8. cPanelMichael (Staff Member)
    You can open a support ticket using the link in my signature if you want us to take a closer look. While the brute force itself is outside our scope of support, we might be able to look for more details on how that email account was created. Post the ticket number here so we can update this thread with the outcome.

    Thank you.
     