I believe that one of my user's cPanel accounts has been compromised on my CentOS 7.3 server. About 6 months ago they had some forwarders put on their email addresses to unknown accounts, so I deleted them and changed the cPanel password. All had been fine until a few days ago when I had an lfd email saying that a few thousand emails had been sent out. Each email had a zip file with a virus contained.
I immediately changed the cPanel password again and the affected user's email account password. The domlogs and access log (shown below and modded to protect my client) exposed the fact that the hacker accessed webmail - something my client does not use:
Code:
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:48 -0000] "GET /cpsess4551888955/3rdparty/roundcube/plugins/jqueryui/themes/larry/jquery-ui-1.10.4.custom.css?s=1489164032 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:49 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/mail.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443
'2.4.6.8' above was the offending IP address and I have blocked that in CSF deny and created a new ModSec rule to block that IP's country of origin too.
I have since disabled Roundcube, Horde and SquirrelMail via WHM. The sending of spam has stopped for now.
My server seems up-to-date and I have always used very strong passwords. ClamAV and MalDet return no viruses or scripts. A few questions:
1. What files/logs can I look at to see how the attacker gained access to cPanel or webmail?
2. If I block access to cPanel by creating a new feature list with nothing on it and applying it to that user's account, will this keep all email/database/DNS settings etc?
3. Where do I check for backdoors left behind for access later on? Cronjob seems clean.
4. What does 'proxy' mean in my access log snippet above?
5. The cPanel Last Login feature (which shows an IP address) seems to have stopped updating. Where is this enabled, or how has it more likely been disabled?
Thanks in advance for help on any question, analysing log files or in locking down the server to prevent this happening again.
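The three log lines quoted in the post are enough to write a small triage parser for that access-log layout, which is what the poster's questions 1 and 4 come down to: pulling every cpsess session per user out of the log (for example /usr/local/cpanel/logs/access_log), recording the source IP, the second field (the one that reads "proxy" in the snippet, reported here as-is rather than interpreted), the port, and whether the session touched a webmail client, then flagging sessions from addresses the client is not known to use. This is an added example, not code from the original post or from cPanel. Assumptions: the field order is inferred from the snippet alone; the Horde and SquirrelMail path prefixes are assumed; the two extra sample lines and the "known" client address 203.0.113.5 are constructed for the example.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# Field layout inferred from the snippet in the post (assumption): source IP,
# a second field that reads "proxy" in the snippet, URL-encoded login,
# bracketed timestamp, request, status, bytes, referer, user agent, then
# trailing quoted fields (one of them "X-Forwarded-For: ...") and the port.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proxy>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?P<rest>.*)$'
)
XFF_RE = re.compile(r'"X-Forwarded-For: ([^"]*)"')
SESS_RE = re.compile(r'/(cpsess\d+)/')

# Roundcube prefix taken from the snippet; Horde and SquirrelMail prefixes are assumptions.
WEBMAIL_PREFIXES = ('/3rdparty/roundcube/', '/horde/', '/3rdparty/squirrelmail/')

# Constructed sample: the three Roundcube hits from the post (IP and domain as
# sanitised by the poster), a constructed direct cPanel hit from the client's
# usual address, and a constructed line in a different format the parser must reject.
SAMPLE_LINES = [
    '2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443',
    '2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:48 -0000] "GET /cpsess4551888955/3rdparty/roundcube/plugins/jqueryui/themes/larry/jquery-ui-1.10.4.custom.css?s=1489164032 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443',
    '2.4.6.8 proxy clientusername%40clientdomain.com [08/01/2017:12:47:49 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/mail.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.clientdomain.com/cpsess45519888955/3rdparty/roundcube/?_task=mail&_token=HsSARfPHTNBkqi8e35dWcsPKUoiaMlVjn" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For: 2.4.6.8" 443',
    # constructed: direct cPanel hit on port 2083 from the client's usual address
    '203.0.113.5 - clientusername%40clientdomain.com [07/01/2017:09:10:11 -0000] "GET /cpsess1111111111/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0" "s" 2083',
    # constructed: a maillog-style line that is not in this format
    'Jan  8 12:47:47 host dovecot: imap-login: Login: user=<clientusername@clientdomain.com>, rip=2.4.6.8',
]


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['user'] = unquote(d['user'])            # clientusername%40... -> clientusername@...
    method, _, target = d['request'].partition(' ')
    d['method'] = method
    d['path'] = target.split(' ')[0]          # drop the trailing "HTTP/1.1"
    xff = XFF_RE.search(d['rest'])
    d['xff'] = xff.group(1) if xff else None
    d['port'] = d['rest'].split()[-1] if d['rest'].split() else None
    sess = SESS_RE.search(d['path'])
    d['session'] = sess.group(1) if sess else None
    d['app_path'] = SESS_RE.sub('/', d['path'], count=1)  # path with /cpsessNNN/ stripped
    return d


def is_webmail(rec):
    """True when the request is for one of the bundled webmail clients."""
    return rec['app_path'].startswith(WEBMAIL_PREFIXES)


def sessions_by_user(lines):
    """Group lines into per-user cpsess sessions: source IP, proxy field, port,
    hit count, first/last timestamp and whether webmail was touched."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['session'] is None:
            continue
        sess = out.setdefault(rec['user'], OrderedDict()).setdefault(rec['session'], {
            'ip': rec['ip'], 'xff': rec['xff'], 'proxy': rec['proxy'], 'port': rec['port'],
            'first': rec['ts'], 'last': rec['ts'], 'hits': 0, 'webmail': False,
        })
        sess['hits'] += 1
        sess['last'] = rec['ts']
        sess['webmail'] = sess['webmail'] or is_webmail(rec)
    return out


def unexpected_sessions(lines, expected_ips):
    """Sessions whose source IP is not in the per-user allow-list of known client addresses."""
    flagged = []
    for user, sessions in sessions_by_user(lines).items():
        allowed = expected_ips.get(user, set())
        for sid, s in sessions.items():
            if s['ip'] not in allowed:
                flagged.append({'user': user, 'session': sid, **s})
    return flagged


if __name__ == '__main__':
    known = {'clientusername@clientdomain.com': {'203.0.113.5'}}  # constructed allow-list
    for f in unexpected_sessions(SAMPLE_LINES, known):
        print(f"{f['user']} {f['session']} from {f['ip']} (field2={f['proxy']}, port {f['port']}) "
              f"{f['hits']} hits {f['first']}..{f['last']} webmail={f['webmail']}")
```

Run against the real log, the allow-list is the set of addresses the client actually logs in from; every session that falls outside it is a candidate for the timeline, and the first/last timestamps give the window to cross-check against the mail logs and the Last Login record.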