Password Recovery - Email Hint

[ottdev]

Maybe this is related to the OP's issue - this just came up...
Version 56.0/33

User tells us he tried his old username and a few different passwords, didn't work. "Then I tried to do a password reset but it tells me that the feature is disabled". So I go to his site /cpanel and click the Reset link jusy moments after he said it was disabled - this button click at least works for me and progresses to asking for the email address. But what it gives in the hint is NOT client's email, nor our email, nor any that I recognize (see pic).

I log into my WHM and check "list accounts" screen to see that his usual email address which I expected is indeed listed there (PHEW) (and only that one address is there). I simply click the Change button there beside his Contact Email. I go back to his /cpanel login page and hit Reset again and now it shows the hint which would correctly represent his email address. He receives the reset message, but he tries the pin and it won't work (I gather from the docs this is by design security-wise because not same computer since I dispatched it). Fair enough I ask him to try the Reset again - it works, he gets into his account.

WHERE DID THIS ROGUE EMAIL ADDRESS come from ?
Is it a "dummy" as part of a security block when there's been too many attempts?

I immediately checked all cpanel user config files - all have correct CONTACTEMAIL values, and none of them resembles that strange address.
(malheureusement, I didn't check his before clicking Change in WHM)

I tried reset on another account, it shows the correct email hint for that account. I will try a few more and also try to reproduce by purposefully using a bad login.

 

[ottdev]

After a few bad logins, I hit Reset and enter a known username (the one I tested previously which showed my the correct hint), now it is giving me another odd email address Hint: p—0@m—.com
I gather/ (I HOPE) this must be random to throw crackers off the scent?
The contactemail value is again correct in user config file and in WHM.

 

[cPanelMichael]

Hello @ottdev,

I've moved this post to it's own thread.

The hint for the email address will display a random/nonexistent email address if no contact email address is configured for the account. This is to prevent user enumeration, and will also happen if the account doesn't exist.

Thank you.

 

[ottdev]

Is a random address also given after too many failed attempts?
As I said, when reproducing the situation, I checked first and the correct email address was listed in the WHM and in the user's cpanel config file.

We have found recent hacker activity so we need to know if the random addresses we saw and we reproduced were in fact temporary random to thwart persistent attempts.... or hacker has altered some file with his/her own email address or hacker or some other condition caused the email to be inaccessible by the Reset script ?

 

[cPanelMichael]

Is a random address also given after too many failed attempts?

To confirm, do you mean an account username that's locked by cPHulk Brute Force Protection? If so, I tested this by locking out an account through cPHulk, and then testing the password reset functionality. The contact email address configured for the cPanel account was displayed in the hint (not the entire address, just the correct hint letters). Thus, you should not see the random address when the account is locked by cPHulk and a valid contact address is configured for the account.

Thank you.

 

[ottdev]

No, cphulk would not have kicked in yet. Does the password reset have its own built in max bad attempts then scrambles the address?

 

[cPanelMichael]

Does the password reset have its own built in max bad attempts then scrambles the address?

The password reset functionality does include flood protection and puzzle retry protection. This is tracked in the following directory:

/var/cpanel/passreset/

However, this should not scramble the hint for the contact email address.

Thank you.

 

[whipworks]

Bumping this thread. We are having the same issue. We are required to enter this random alternate email address which we did not setup, or wasn't setup. How do we remove it? If not, how do we go about making sure that the alternate email address is a real email address assigned to each account, and not just any random email address showing.

 

[cPanelMichael]

Bumping this thread. We are having the same issue. We are required to enter this random alternate email address which we did not setup, or wasn't setup. How do we remove it? If not, how do we go about making sure that the alternate email address is a real email address assigned to each account, and not just any random email address showing.

Could you verify if a contact email address is configured for the account? You can check "WHM >> List Accounts" or from within cPanel via "cPanel >> Contact Information".

Thank you.

 

[chengkinhung]

I encounter the same issue, then I figure out this "reset password" is not for resetting email account but for resetting the cPanel account. If I input the correct cPanel account, then it will show the correct Hint text. if I input the email address as the "Account Name", then cPanle will just create the /var/cpanel/passreset/_fake_user_xxx and show the random text in Hint:

 

[AussieGuy]

We were hacked recently, and the hacker was able to set their email address as this "Hint" email. I can confirm that this is not a random email if you entered the correct user profile name in the previous page. A very frustrating sistuation and I still haven't gotten to the bottom of it. I did find that the hacker's email was in this file:

~userprofilename/.contactinfo

But even after updating it there, it's still showing in the Hint area of the password reset page.

 

[hellroy]

I have the same issue AussieGuy, the hint email is the hackers address and they are constantly resetting the password and reinstalling their f&%*ing malware. I cant find where to change this all the usual places have my email address but the hint is some stupid hackers @gmail address.

My correct email is in cPanel >> Home >> Preferences >> Contact Information but if I try and recover the password using this email it says it is not recognised.

Did you have any luck finding it?

 

[ougogo]

Same issue here...

 

[cPRex]

@ougogo - can you get me some specific details on the behavior you're seeing? Is your issue with the password hint as well?

 

[ougogo]

Yes exactly. The email in the contact info is good, and in the .contactinfo file too.
I have to modifiy the email to an other, then switch back to right one to apply the modification.

 

[cPRex]

The issue here is that if you are already compromised, there isn't a way to keep the attacker from changing the email address or the password reset hint on the system. That isn't the way the user gains access, but it's a result of the exploit.

 

[adam_dennis]

<bump> we are seeing the same problem as described - this error message:
"The email address you provided does not match our records." when a user tries try to recover a password using the webmail interface.

.contactemail is correct.
Tried changing the contact email via the command line and the cpanel interface - same error.
Nothing in /usr/local/cpanel/

 

[adam_dennis]

Solved it.

You have to enter the "Contact Email Address" for each and every user - and it can only be done in the "User Manager" section in Preferences.
It can NOT be set in the Email Accounts section.