Password Recovery - Email Hint

ottdev

Well-Known Member
Oct 1, 2013
cPanel Access Level
Root Administrator
Maybe this is related to the OP's issue - this just came up...
Version 56.0/33

User tells us he tried his old username and a few different passwords, didn't work. "Then I tried to do a password reset but it tells me that the feature is disabled". So I go to his site /cpanel and click the Reset link just moments after he said it was disabled - this button click at least works for me and progresses to asking for the email address. But what it gives in the hint is NOT the client's email, nor our email, nor any that I recognize (see pic).

I log into my WHM and check the "list accounts" screen to see that his usual email address which I expected is indeed listed there (PHEW) (and only that one address is there). I simply click the Change button there beside his Contact Email. I go back to his /cpanel login page and hit Reset again and now it shows the hint which would correctly represent his email address. He receives the reset message, but he tries the pin and it won't work (I gather from the docs this is by design security-wise because it's not the same computer, since I dispatched it). Fair enough, I ask him to try the Reset again - it works, he gets into his account.

WHERE DID THIS ROGUE EMAIL ADDRESS come from?
Is it a "dummy" as part of a security block when there's been too many attempts?

I immediately checked all cpanel user config files - all have correct CONTACTEMAIL values, and none of them resembles that strange address.
(unfortunately, I didn't check his before clicking Change in WHM)

I tried reset on another account, it shows the correct email hint for that account. I will try a few more and also try to reproduce by purposefully using a bad login.

ottdev

Well-Known Member
Oct 1, 2013
cPanel Access Level
Root Administrator
After a few bad logins, I hit Reset and enter a known username (the one I tested previously which showed me the correct hint), now it is giving me another odd email address Hint: p—[email protected]—.com
I gather (I HOPE) this must be random to throw crackers off the scent?
The contactemail value is again correct in user config file and in WHM.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @ottdev,

I've moved this post to its own thread.

The hint for the email address will display a random/nonexistent email address if no contact email address is configured for the account. This is to prevent user enumeration, and will also happen if the account doesn't exist.

Thank you.
 

ottdev

Well-Known Member
Oct 1, 2013
cPanel Access Level
Root Administrator
Is a random address also given after too many failed attempts?
As I said, when reproducing the situation, I checked first and the correct email address was listed in the WHM and in the user's cpanel config file.

We have found recent hacker activity so we need to know if the random addresses we saw and we reproduced were in fact temporary random to thwart persistent attempts... or a hacker has altered some file with his/her own email address, or a hacker or some other condition caused the email to be inaccessible to the Reset script?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Is a random address also given after too many failed attempts?
To confirm, do you mean an account username that's locked by cPHulk Brute Force Protection? If so, I tested this by locking out an account through cPHulk, and then testing the password reset functionality. The contact email address configured for the cPanel account was displayed in the hint (not the entire address, just the correct hint letters). Thus, you should not see the random address when the account is locked by cPHulk and a valid contact address is configured for the account.

Thank you.
 

ottdev

Well-Known Member
Oct 1, 2013
cPanel Access Level
Root Administrator
No, cPHulk would not have kicked in yet. Does the password reset have its own built-in max bad attempts, then scramble the address?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Does the password reset have its own built in max bad attempts then scrambles the address?
The password reset functionality does include flood protection and puzzle retry protection. This is tracked in the following directory:

/var/cpanel/passreset/

However, this should not scramble the hint for the contact email address.

Thank you.
 

whipworks

Well-Known Member
Aug 19, 2014
cPanel Access Level
Reseller Owner
Bumping this thread. We are having the same issue. We are required to enter this random alternate email address which we did not set up, or wasn't set up. How do we remove it? If not, how do we go about making sure that the alternate email address is a real email address assigned to each account, and not just any random email address showing?

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Bumping this thread. We are having the same issue. We are required to enter this random alternate email address which we did not set up, or wasn't set up. How do we remove it? If not, how do we go about making sure that the alternate email address is a real email address assigned to each account, and not just any random email address showing?
Could you verify if a contact email address is configured for the account? You can check "WHM >> List Accounts" or from within cPanel via "cPanel >> Contact Information".

Thank you.
 

chengkinhung

Active Member
Jun 15, 2007
I encountered the same issue, then I figured out this "reset password" is not for resetting an email account but for resetting the cPanel account. If I input the correct cPanel account, then it will show the correct Hint text. If I input the email address as the "Account Name", then cPanel will just create the /var/cpanel/passreset/_fake_user_xxx and show the random text in Hint:
 

AussieGuy

Registered
Apr 20, 2015
Brisbane, Australia
cPanel Access Level
Reseller Owner
We were hacked recently, and the hacker was able to set their email address as this "Hint" email. I can confirm that this is not a random email if you entered the correct user profile name in the previous page. A very frustrating situation and I still haven't gotten to the bottom of it. I did find that the hacker's email was in this file:

~userprofilename/.contactinfo

But even after updating it there, it's still showing in the Hint area of the password reset page.

hellroy

Registered
Dec 7, 2020
United Kingdom
cPanel Access Level
Root Administrator
I have the same issue AussieGuy, the hint email is the hacker's address and they are constantly resetting the password and reinstalling their f&%*ing malware. I can't find where to change this; all the usual places have my email address but the hint is some stupid hacker's @gmail address.

My correct email is in cPanel >> Home >> Preferences >> Contact Information but if I try and recover the password using this email it says it is not recognised.

Did you have any luck finding it?

ougogo

Well-Known Member
Dec 28, 2012
cPanel Access Level
Root Administrator
Yes exactly. The email in the contact info is good, and in the .contactinfo file too.
I have to modify the email to another one, then switch back to the right one to apply the modification.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
The issue here is that if you are already compromised, there isn't a way to keep the attacker from changing the email address or the password reset hint on the system. That isn't the way the user gains access, but it's a result of the exploit.
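As an added example (not cPanel's own code), here is a small POSIX sh audit covering what the later posts describe: it flags accounts whose contact address disagrees between the CONTACTEMAIL line in /var/cpanel/users/<user> and the per-user .contactinfo file, flags addresses at a domain the host owner does not control, and counts the _fake_user_ markers in /var/cpanel/passreset/ that chengkinhung mentions. The file layout, the plain-text address in .contactinfo, and the sample accounts are assumptions constructed for the demo.

```shell
#!/bin/sh
# Audit helper (added example, not cPanel's own code). It assumes the layout the
# thread describes: /var/cpanel/users/<user> holding a CONTACTEMAIL= line, a
# .contactinfo file in each home directory, and _fake_user_* markers in
# /var/cpanel/passreset/. ROOT lets the checks run against a constructed tree.
ROOT="${ROOT:-}"

# Every e-mail address found in a file, one per line, sorted and deduplicated.
emails_in() {
  grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" 2>/dev/null | sort -u
}

# audit_user <user> <expected_domain>: prints OK, MISMATCH or FOREIGN-DOMAIN.
# A config/.contactinfo disagreement, or a contact address at a domain you do
# not control, is the state the later posts report after a compromise.
audit_user() {
  user="$1"; domain="$2"
  cfg="$ROOT/var/cpanel/users/$user"
  info="$ROOT/home/$user/.contactinfo"
  cfg_mail=$(grep -E '^CONTACTEMAIL=' "$cfg" 2>/dev/null | cut -d= -f2- | sort -u)
  info_mail=$(emails_in "$info")
  if [ "$cfg_mail" != "$info_mail" ]; then
    echo "MISMATCH $user config='$cfg_mail' contactinfo='$info_mail'"
  elif [ -n "$cfg_mail" ] && ! echo "$cfg_mail" | grep -qE "@$domain\$"; then
    echo "FOREIGN-DOMAIN $user $cfg_mail"
  else
    echo "OK $user"
  fi
}
# Number of _fake_user_* markers, i.e. reset requests for names that are not accounts.
count_fake_users() {
  ls "$ROOT/var/cpanel/passreset" 2>/dev/null | grep -c '^_fake_user_'
}

# Constructed sample tree so the script runs offline; bob's .contactinfo is tampered.
make_sample_tree() {
  ROOT=$(mktemp -d)
  mkdir -p "$ROOT/var/cpanel/users" "$ROOT/var/cpanel/passreset" "$ROOT/home/alice" "$ROOT/home/bob"
  echo "CONTACTEMAIL=alice@example.com" > "$ROOT/var/cpanel/users/alice"
  echo "email=alice@example.com" > "$ROOT/home/alice/.contactinfo"
  echo "CONTACTEMAIL=bob@example.com" > "$ROOT/var/cpanel/users/bob"
  echo "email=intruder@attacker.invalid" > "$ROOT/home/bob/.contactinfo"
  touch "$ROOT/var/cpanel/passreset/_fake_user_1" "$ROOT/var/cpanel/passreset/_fake_user_2"
}

# Stand-alone demo; on a real host set ROOT=/ and loop over /var/cpanel/users/*.
make_sample_tree
for u in alice bob; do audit_user "$u" example.com; done
echo "fake-user reset markers: $(count_fake_users)"
```

A MISMATCH or FOREIGN-DOMAIN line is the cue to correct the contact address in WHM (which, as ougogo notes, may need to be changed away and back to take effect) and to treat the account as compromised rather than as a hint glitch.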