Hacked email account addition from outside cPanel

hicom

Well-Known Member
May 23, 2003
Hi,

We've caught spam being sent out from an email address for a client on the server (say [email protected]).

So we deleted that email account and all is good. After a day, we found the same email account sending spam emails again.

Logged in to cPanel for the user and found the email account had been re-created ([email protected]); however, cPanel reports the last login IP as our IP address. There is no other reference to anyone who logged into the account besides us (/usr/local/cpanel/logs/access_log reports only our IP).

Can a hacker who knows the username/password to the account remote in to the system from outside cPanel and make modifications through API calls without that being logged by the system?

Thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Authentication is required at some stage even if an email account is created through API. Review the cPanel access log for that domain name to see if you find anything of note. Also, I suggest changing the password for the cPanel account itself.

Thank you.
 

hicom

Well-Known Member
May 23, 2003
Thanks, but the logs are not showing anyone logged in or authenticated for that domain. Any way to trace API logs? This is the part of /usr/local/cpanel/logs/access_log that relates to domain=domain.com (notice June 4th, when we logged in and deleted the email, and our second login on June 5th to delete it again):

Code:
 - asns [06/04/2014:22:13:09 -0000] "GET /cpsess847002248/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=passwdpop&email=admin&domain=domain.net&password=__HIDDEN__&cache_fix=1401919990694 HTTP/1.1" 200 0 "https://server.com:2083/cpsess847002248/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"

 - asns [06/04/2014:22:13:40 -0000] "GET /cpsess847002248/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=delpop&email=admin&domain=domain.net&cache_fix=1401920021491 HTTP/1.1" 200 0 "https://server.com:2083/cpsess847002248/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"

 - asns [06/05/2014:17:56:30 -0000] "GET /cpsess847002248/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=delpop&email=admin&domain=domain.net&cache_fix=1401990992124 HTTP/1.1" 200 0 "https://server.com:2083/cpsess847002248/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
There is not a separate log file for changes made through the API. Are you sure the email account was properly deleted the first time? Has it been created again since?

Thank you.
 
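The two posts above establish the point a responder needs: mailbox changes made through the API land in the same /usr/local/cpanel/logs/access_log as clicks in the UI, with the module and function visible in the query string. The following is an added example for this thread (not cPanel's own tooling and not code from either poster) that parses that log format and pulls out Email::addpop / passwdpop / delpop calls (and the UAPI add_pop / passwd_pop / delete_pop spellings), recording the source IP, whether the request carried a cpsess security token and a browser referer, and the requested quota (quota=0 in addpop is "unlimited", the setting hicom noticed on the re-created mailbox). The sample log lines, IP addresses and the admin allow-list are constructed for the demo; the posted lines had the IP column removed, so the parser accepts that form too.

```python
"""Extract mailbox create/password-change API calls from a cPanel access_log.

Added example, not cPanel tooling. Log format follows the lines quoted in the
thread (/usr/local/cpanel/logs/access_log); all sample data below is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Mailbox-writing functions, API2 (json-api / xml-api) and UAPI (/execute) names.
MAILBOX_WRITE_FUNCS = {
    ("Email", "addpop"), ("Email", "passwdpop"), ("Email", "delpop"),
    ("Email", "add_pop"), ("Email", "passwd_pop"), ("Email", "delete_pop"),
}

# IP column is optional so the redacted form posted in the thread ("- asns [...") parses.
LINE_RE = re.compile(
    r'^(?:(?P<ip>\S+) )?- (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: an admin deleting via the UI (cpsess token, browser referer),
# then scripted re-creation and password reset from another IP with no token/referer.
SAMPLE_LOG = """\
198.51.100.7 - asns [06/04/2014:22:13:40 -0000] "GET /cpsess847002248/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=delpop&email=admin&domain=domain.net&cache_fix=1401920021491 HTTP/1.1" 200 0 "https://server.com:2083/cpsess847002248/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"
203.0.113.42 - asns [06/05/2014:03:11:02 -0000] "GET /json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=addpop&email=admin&domain=domain.net&password=__HIDDEN__&quota=0 HTTP/1.1" 200 0 "-" "curl/7.29.0" "-"
203.0.113.42 - asns [06/05/2014:03:11:09 -0000] "GET /execute/Email/passwd_pop?email=admin%40domain.net&password=__HIDDEN__ HTTP/1.1" 200 0 "-" "python-requests/2.2.1" "-"
198.51.100.7 - asns [06/05/2014:17:55:58 -0000] "GET /cpsess847002248/frontend/x3/mail/pops.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0" "-"
"""


def parse_line(line):
    """Split one access_log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def api_call(path):
    """Return (module, func, query_params) for an API2/UAPI request path, else None.
    Only GET query strings are visible in access_log; POST bodies are not."""
    url = urlparse(path)
    p = re.sub(r"^/cpsess\d+", "", url.path)  # drop the per-session security token
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    if p in ("/json-api/cpanel", "/xml-api/cpanel"):
        mod = qs.get("cpanel_jsonapi_module") or qs.get("cpanel_xmlapi_module")
        func = qs.get("cpanel_jsonapi_func") or qs.get("cpanel_xmlapi_func")
        return (mod, func, qs) if mod and func else None
    m = re.match(r"^/execute/([^/]+)/([^/?]+)$", p)
    return (m.group(1), m.group(2), qs) if m else None


def find_mailbox_changes(log_text, known_ips=()):
    """Return every mailbox create/delete/password call with context for triage."""
    known, hits = set(known_ips), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        call = api_call(rec["path"]) if rec else None
        if not call or (call[0], call[1]) not in MAILBOX_WRITE_FUNCS:
            continue
        mod, func, params = call
        email = params.get("email", "?")
        hits.append({
            "ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
            "module": mod, "func": func,
            # API2 splits user/domain; UAPI passes the full address.
            "mailbox": email if "@" in email else f'{email}@{params.get("domain", "?")}',
            "quota": params.get("quota"),            # "0" means unlimited in addpop
            "session_token": "/cpsess" in rec["path"],  # browser session vs per-request auth
            "browser_referer": rec["referer"] not in ("", "-"),
            "ua": rec["ua"],
            "known_ip": rec["ip"] in known,
        })
    return hits


def suspicious(hits):
    """Mailbox writes from IPs not on the admin allow-list."""
    return [h for h in hits if not h["known_ip"]]


def ips_per_user(hits):
    """Every source IP that changed mailboxes under each cPanel username."""
    out = defaultdict(set)
    for h in hits:
        out[h["user"]].add(h["ip"])
    return dict(out)


if __name__ == "__main__":
    hits = find_mailbox_changes(SAMPLE_LOG, known_ips={"198.51.100.7"})
    for h in suspicious(hits):
        print(f'{h["ts"]} {h["ip"]} {h["user"]} {h["module"]}::{h["func"]} '
              f'{h["mailbox"]} quota={h["quota"]} token={h["session_token"]} '
              f'referer={h["browser_referer"]} ua={h["ua"]}')
    print("IPs per cPanel user:", ips_per_user(hits))
```

Run it against the real file with `find_mailbox_changes(open("/usr/local/cpanel/logs/access_log").read(), known_ips=ADMIN_IPS)`; a bare /json-api path with no cpsess token, no referer and a non-browser User-Agent is the signature of a scripted call that authenticates on every request rather than a cPanel UI session, which is why such activity never shows up as a "login" in the UI even though it is in access_log.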

hicom

Well-Known Member
May 23, 2003
I'm positive the email account was deleted the first time, because when I saw it again, the email account had "Unlimited" while before it was deleted, it was set to the default 250MB.

Once I've changed the hosting account password, the hack stopped. I've checked /usr/local/cpanel/logs/login_log and found no login attempts under that username. The only IP that connected to the account in access_log for cPanel was my IP.

It is very strange. My only thought is that someone is using some type of API to connect and those commands are not logged.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
It's likely safe to assume someone had access to the entire cPanel account, considering no further email accounts were added after changing the password. I can't think of any additional log files that would help, beyond the cPanel access log.

Thank you.
 

hicom

Well-Known Member
May 23, 2003
I hate to bring this post up again, but we just caught another client compromised in exactly the same way. Someone created an email account, [email protected], and began sending hundreds of emails through it.

Checking /usr/local/cpanel/logs/access_log and login_log shows nobody logged in or initiated a session for that site. The failed login_log goes back to 2012, and access_log goes back two weeks. We found no information at all on how someone managed to log in and add that email account there.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
You can open a support ticket using the link in my signature if you want us to take a closer look. While the brute force itself is outside our scope of support, we might be able to look for more details on how that email account was created. Post the ticket number here so we can update this thread with the outcome.

Thank you.