
Possibly Compromised Account

Discussion in 'Security' started by Volt55, Aug 4, 2017.

  1. Volt55

    Volt55 Member

    cPanel Access Level:
    Root Administrator
    I believe that one of my user's cPanel accounts has been compromised on my CentOS 7.3 server. About 6 months ago they had some forwarders put on their email addresses to unknown accounts, so I deleted them and changed the cPanel password. All had been fine until a few days ago when I had an lfd email saying that a few thousand emails had been sent out. Each email had a zip file with a virus contained.

    I immediately changed the cPanel password again and the affected user's email account password. The domlogs and access log (shown below and modded to protect my client) exposed the fact that the hacker accessed webmail - something my client does not use:

    Code:
    2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
    2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:48 -0000] "GET /cpsess4551888955/3rdparty/roundcube/plugins/jqueryui/themes/larry/jquery-ui-1.10.4.custom.css?s=1489164032 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
    2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:49 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/mail.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
    '2.4.6.8' above was the offending IP address and I have blocked that in CSF deny and created a new ModSec rule to block that IP's country of origin too.

    I have since disabled Roundcube, Horde and Squirrel Mail via WHM. The sending of spam has stopped for now.

    My server seems up-to-date and I have always used very strong passwords. ClamAV and MalDet return no viruses or scripts. A few questions:

    1. What files/logs can I look at to see how the attacker gained access to cPanel or webmail?

    2. If I block access to cPanel by creating a new feature list with nothing on it and applying it to that user's account will this keep all email/database/DNS settings etc?

    3. Where do I check for backdoors left behind for access later on? Cronjob seems clean.

    4. What does 'proxy' mean in my access log snippet above?

    5. The cPanel Last Login feature (which shows an IP address) seems to have stopped updating. Where is this enabled or how has it more likely been disabled?

    Thanks in advance for help on any question, analysing log files or in locking down the server to prevent this happening again.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    It's possible the user's local computer was exploited, but it's difficult to pinpoint a specific vulnerability or exploit used by an attacker to obtain a cPanel user's authentication details. You can review /usr/local/cpanel/logs/access_log to get a better idea of when the unauthorized IP address first accessed cPanel.

    Disabling a feature will not delete existing data. For instance, if you disable the "Email Accounts" feature, it will prevent the user from seeing that feature in cPanel, but it will not remove existing email data.

    It's difficult to know for sure what files might have been manipulated when an account is compromised (or to even know if it was a root exploit or account exploit). You may want to consult with a qualified system administrator to access the affected server and investigate this further. This is explained more on the following document:

    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    The URL in the output you provided shows the use of the proxy subdomains feature:

    Tweak Settings - Domains - Documentation - cPanel Documentation

    That's where the "proxy" entry originates from in the log output you provided.

    The IP address that appears for "Last Login" is not the currently-authenticated IP address. For example, if you log in via the 10.1.1.1 IP address, and then log in multiple times via the 10.2.2.2 IP address, the interface will display 10.1.1.1 as the Last Login IP address. It will not display 10.2.2.2 as the Last Login IP address until you log in via a different IP address.

    Let us know if you have any additional questions.

    Thank you.
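The reply above points at /usr/local/cpanel/logs/access_log as the place to find when an unknown IP first touched cPanel, and the original post asks which logs show webmail use by an account that never uses webmail. The following Python script is an added example written for this thread, not code from either poster or from cPanel: it parses access_log lines in the field layout visible in the snippet the poster shared (IP, a "proxy" or "-" marker, URL-encoded user, bracketed MM/DD/YYYY timestamp, request, status, bytes, referer, user agent), then reports first/last sighting per IP, which IPs loaded a webmail client as which user, and which IPs fall outside the client's known set. The exact field layout, the "-" placeholder in the second column and the sample log lines (RFC 5737 addresses) are constructed assumptions for the example.

```python
"""Triage helper for cPanel access_log lines (added example for this thread).

Assumed line layout, taken from the snippet posted in the thread:
  IP  proxy|-  user  [MM/DD/YYYY:HH:MM:SS ZONE]  "METHOD PATH PROTO"  STATUS  BYTES
  "REFERER"  "USER-AGENT"  ...trailing fields are ignored...
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Field layout is an assumption based on the posted lines, not a documented spec.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proxy>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Path fragments of the three webmail clients cPanel ships.
WEBMAIL_MARKERS = ("/3rdparty/roundcube/", "/3rdparty/horde/", "/3rdparty/squirrelmail/")
# Every login gets a fresh /cpsessNNN prefix; strip it so paths group together.
SESSION_RE = re.compile(r"^/cpsess\d+")


def parse_line(line):
    """Return one parsed record, or None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    rec["user"] = unquote(rec["user"])              # clientusername%40... -> clientusername@...
    rec["path"] = SESSION_RE.sub("", rec["path"])
    rec["status"] = int(rec["status"])
    rec["webmail"] = any(marker in rec["path"] for marker in WEBMAIL_MARKERS)
    return rec


def parse_log(lines):
    """Parse an iterable of raw lines, silently skipping unparseable ones."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def first_seen_by_ip(records):
    """Map IP -> (first_ts, last_ts, hit_count): when did each address first touch cPanel?"""
    out = {}
    for r in records:
        first, last, n = out.get(r["ip"], (r["ts"], r["ts"], 0))
        out[r["ip"]] = (min(first, r["ts"]), max(last, r["ts"]), n + 1)
    return out


def webmail_access(records):
    """Map user -> sorted IPs that successfully loaded a webmail client as that user."""
    seen = defaultdict(set)
    for r in records:
        if r["webmail"] and r["status"] == 200:
            seen[r["user"]].add(r["ip"])
    return {u: sorted(ips) for u, ips in seen.items()}


def unexpected_ips(records, expected):
    """IPs in the log that are not in the client's known-good set `expected`."""
    return sorted({r["ip"] for r in records} - set(expected))


# Constructed sample lines (not real log data); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    # legitimate cPanel UI login from the client's usual address
    '198.51.100.7 - clientusername [07/30/2017:09:15:02 -0000] "GET /cpsess1111111111/frontend/paper_lantern/index.html HTTP/1.1" 200 12345 "https://clientdomain.com:2083/" "Mozilla/5.0" "s" "X-Forwarded-For: 198.51.100.7" 2083',
    # unknown address loading Roundcube through the webmail proxy subdomain
    '203.0.113.9 proxy clientusername%40clientdomain.com [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess4551888955/3rdparty/roundcube/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 203.0.113.9" 443',
    '203.0.113.9 proxy clientusername%40clientdomain.com [08/01/2017:12:47:49 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/mail.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess4551888955/3rdparty/roundcube/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 203.0.113.9" 443',
    # a line in some other format, to show the parser skips what it cannot read
    "this is not an access_log entry",
]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for ip, (first, last, n) in sorted(first_seen_by_ip(records).items()):
        print(f"{ip:15} first {first:%Y-%m-%d %H:%M:%S} last {last:%Y-%m-%d %H:%M:%S} hits {n}")
    print("webmail by user:", webmail_access(records))
    print("not in client's known IPs:", unexpected_ips(records, ["198.51.100.7"]))
```

To run it against a real server, replace SAMPLE_LOG with the lines of /usr/local/cpanel/logs/access_log (and its rotated copies) and pass the client's known addresses to unexpected_ips; the first_seen timestamp of any unexpected IP is the earliest point the credential is known to have been in someone else's hands, which bounds how far back the password change and mailbox review need to reach.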
     