Possibly Compromised Account

Volt55

Member
cPanel Access Level
Root Administrator
I believe that one of my user's cPanel accounts has been compromised on my CentOS 7.3 server. About 6 months ago they had some forwarders put on their email addresses to unknown accounts, so I deleted them and changed the cPanel password. All had been fine until a few days ago when I had an lfd email saying that a few thousand emails had been sent out. Each email had a zip file with a virus contained.

I immediately changed the cPanel password again and the affected user's email account password. The domlogs and access log (shown below and modded to protect my client) exposed the fact that the hacker accessed webmail - something my client does not use:

Code:
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:48 -0000] "GET /cpsess4551888955/3rdparty/roundcube/plugins/jqueryui/themes/larry/jquery-ui-1.10.4.custom.css?s=1489164032 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:49 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/mail.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
'2.4.6.8' above was the offending IP address and I have blocked that in CSF deny and created a new ModSec rule to block that IP's country of origin too.

I have since disabled Roundcube, Horde and Squirrel Mail via WHM. The sending of spam has stopped for now.

My server seems up-to-date and I have always used very strong passwords. ClamAV and MalDet return no viruses or scripts. A few questions:

1. What files/logs can I look at to see how the attacker gained access to cPanel or webmail?

2. If I block access to cPanel by creating a new feature list with nothing on it and applying it to that user's account will this keep all email/database/DNS settings etc?

3. Where do I check for backdoors left behind for access later on? Cronjob seems clean.

4. What does 'proxy' mean in my access log snippet above?

5. The cPanel Last Login feature (which shows an IP address) seems to have stopped updating. Where is this enabled or how has it more likely been disabled?

Thanks in advance for help on any question, analysing log files or in locking down the server to prevent this happening again.

cPanelMichael

Administrator
Staff member
Hello,

1. What files/logs can I look at to see how the attacker gained access to cPanel or webmail?
It's possible the user's local computer was exploited, but it's difficult to pinpoint a specific vulnerability or exploit used by an attacker to obtain a cPanel user's authentication details. You can review /usr/local/cpanel/logs/access_log to get a better idea of when the unauthorized IP address first accessed cPanel.

2. If I block access to cPanel by creating a new feature list with nothing on it and applying it to that user's account will this keep all email/database/DNS settings etc?
Disabling a feature will not delete existing data. For instance, if you disable the "Email Accounts" feature, it will prevent the user from seeing that feature in cPanel, but it will not remove existing email data.

3. Where do I check for backdoors left behind for access later on? Cronjob seems clean.
It's difficult to know for sure what files might have been manipulated when an account is compromised (or to even know if it was a root exploit or account exploit). You may want to consult with a qualified system administrator to access the affected server and investigate this further. This is explained more on the following document:

Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

4. What does 'proxy' mean in my access log snippet above?
The URL in the output you provided shows the use of the proxy subdomains feature:

Tweak Settings - Domains - Documentation - cPanel Documentation

That's where the "proxy" entry originates from in the log output you provided.

5. The cPanel Last Login feature (which shows an IP address) seems to have stopped updating. Where is this enabled or how has it more likely been disabled?
The IP address that appears for "Last Login" is not the currently-authenticated IP address. For example, if you log in via the 10.1.1.1 IP address, and then log in multiple times via the 10.2.2.2 IP address, the interface will display 10.1.1.1 as the Last Login IP address. It will not display 10.2.2.2 as the Last Login IP address until you log in via a different IP address.

Let us know if you have any additional questions.

Thank you.
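As an added example (not code from the poster or from cPanel), a small parser for domlog-style lines in the layout quoted above: it groups requests by the authenticated user, records the first line on which each source IP appears (the log is appended in time order, so that is the earliest access), and flags IPs that are outside a known set or that touched the /3rdparty/ webmail paths the client says they never use. The sample lines, IPs and session IDs are constructed.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# Constructed sample lines in the same layout as the domlog excerpt in the thread
# (IPs, session IDs and hostnames are made up; 1.2.3.4 plays the client's usual IP).
SAMPLE_LOG = """\
1.2.3.4 proxy clientusername%40clientdomain.com [07/01/2017:09:15:02 -0000] "GET /cpsess1111111111/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "X-Forwarded-For: 1.2.3.4" 443
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:48 -0000] "GET /cpsess4551888955/3rdparty/roundcube/?_task=mail HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
"""

# ip, vhost ("proxy" = the proxy-subdomain feature), URL-encoded user, [timestamp],
# "METHOD path PROTO", status, bytes, "referer", "user-agent"; the rest is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

WEBMAIL_MARKER = "/3rdparty/"  # Roundcube, Horde and SquirrelMail are served under this path


def summarize_access(log_text, user, expected_ips=frozenset()):
    """Per source IP for one authenticated user: first-seen timestamp, hit counts,
    webmail hits, distinct user agents, and whether the IP is in the expected set."""
    report = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or unquote(m["user"]) != user:  # %40 in the log decodes to '@'
            continue
        entry = report.setdefault(m["ip"], {
            "first_seen": m["ts"], "hits": 0, "webmail_hits": 0,
            "user_agents": set(), "expected": m["ip"] in expected_ips,
        })
        entry["hits"] += 1
        entry["user_agents"].add(m["ua"])
        if WEBMAIL_MARKER in m["path"]:
            entry["webmail_hits"] += 1
    return report


def suspicious_ips(report):
    """IPs worth investigating: not in the expected set, or any webmail use at all."""
    return [ip for ip, e in report.items() if not e["expected"] or e["webmail_hits"]]


if __name__ == "__main__":
    rep = summarize_access(SAMPLE_LOG, "clientusername@clientdomain.com", {"1.2.3.4"})
    for ip in suspicious_ips(rep):
        e = rep[ip]
        print(f"{ip}: first seen {e['first_seen']}, {e['hits']} hits, "
              f"{e['webmail_hits']} webmail, UAs={sorted(e['user_agents'])}")
```

Run against the real domlog or /usr/local/cpanel/logs/access_log with the client's known IPs in the expected set; the first-seen timestamp of a flagged IP is the point at which to start reading the surrounding log lines.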