
Possibly Compromised Account

Discussion in 'Security' started by Volt55, Aug 4, 2017.

  1. Volt55

    Volt55 Member

    Feb 20, 2017
    cPanel Access Level:
    Root Administrator
    I believe that one of my user's cPanel accounts has been compromised on my CentOS 7.3 server. About 6 months ago they had some forwarders put on their email addresses to unknown accounts, so I deleted them and changed the cPanel password. All had been fine until a few days ago when I had an lfd email saying that a few thousand emails had been sent out. Each email had a zip file with a virus contained.

    I immediately changed the cPanel password again and the affected user's email account password. The domlogs and access log (shown below and modded to protect my client) exposed the fact that the hacker accessed webmail - something my client does not use:

    Code:
    proxy [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "[URL='']Sign In[/URL]" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For:" 443
    proxy [08/01/2017:12:47:48 -0000] "GET /cpsess4551888955/3rdparty/roundcube/plugins/jqueryui/themes/larry/jquery-ui-1.10.4.custom.css?s=1489164032 HTTP/1.1" 200 0 "[URL='']Sign In[/URL]" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For:" 443
    proxy [08/01/2017:12:47:49 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/mail.min.css?s=1489164033 HTTP/1.1" 200 0 "[URL='']Sign In[/URL]" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For:" 443
    '' above was the offending IP address and I have blocked that in CSF deny and created a new ModSec rule to block that IP's country of origin too.

    I have since disabled Roundcube, Horde and Squirrel Mail via WHM. The sending of spam has stopped for now.

    My server seems up-to-date and I have always used very strong passwords. ClamAV and MalDet return no viruses or scripts. A few questions:

    1. What files/logs can I look at to see how the attacker gained access to cPanel or webmail?

    2. If I block access to cPanel by creating a new feature list with nothing on it and applying it to that user's account will this keep all email/database/DNS settings etc?

    3. Where do I check for backdoors left behind for access later on? Cronjob seems clean.

    4. What does 'proxy' mean in my access log snippet above?

    5. The cPanel Last Login feature (which shows an IP address) seems to have stopped updating. Where is this enabled or how has it more likely been disabled?

    Thanks in advance for help on any question, analysing log files or in locking down the server to prevent this happening again.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator

    It's possible the user's local computer was exploited, but it's difficult to pinpoint a specific vulnerability or exploit used by an attacker to obtain a cPanel user's authentication details. You can review /usr/local/cpanel/logs/access_log to get a better idea of when the unauthorized IP address first accessed cPanel.

    Disabling a feature will not delete existing data. For instance, if you disable the "Email Accounts" feature, it will prevent the user from seeing that feature in cPanel, but it will not remove existing email data.

    It's difficult to know for sure what files might have been manipulated when an account is compromised (or to even know if it was a root exploit or account exploit). You may want to consult with a qualified system administrator to access the affected server and investigate this further. This is explained more on the following document:

    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    The URL in the output you provided shows the use of the proxy subdomains feature:

    Tweak Settings - Domains - Documentation - cPanel Documentation

    That's where the "proxy" entry originates from in the log output you provided.

    The IP address that appears for "Last Login" is not the currently-authenticated IP address. For example, if you log in via the IP address, and then log in multiple times via the IP address, the interface will display as the Last Login IP address. It will not display as the Last Login IP address until you log in via a different IP address.

    Let us know if you have any additional questions.

    Thank you.
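Question 1 in the opening post asks which logs show how the attacker reached cPanel or webmail, and the reply above points at /usr/local/cpanel/logs/access_log for the first appearance of the unauthorized IP. The script below is an added example for doing that triage; it is not code from this thread or from cPanel. It parses lines in the layout the poster's snippet shows (source IP, "-", user, bracketed timestamp, request, status, bytes, referer, user agent, session flag, X-Forwarded-For, port), reports the first and last time each source IP appears, which cPanel usernames and cpsess tokens it used, and flags any IP that touched the /3rdparty/roundcube, horde or squirrelmail paths. The sample log lines, the IPs 203.0.113.45 and 198.51.100.7, the username "bob" and the session IDs are constructed for the example, and the field layout is assumed from the snippet rather than taken from cPanel documentation, so adjust LINE_RE if a real log differs.

```python
"""Triage a cPanel-style access_log: first/last sighting per source IP and
whether that IP touched webmail. Added example; the field layout is assumed
from the forum snippet, not taken from cPanel's documentation."""
import re
import sys
from datetime import datetime, timedelta, timezone

# One log line: IP, "-", user, [timestamp], request, status, bytes, referer,
# user agent, session flag, X-Forwarded-For, port. Assumed layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<sess>[^"]*)" '
    r'"(?P<xff>[^"]*)" (?P<port>\d+)\s*$'
)
# cPanel session token embedded in the request path (e.g. /cpsess4551888955/...)
CPSESS_RE = re.compile(r'/(cpsess\d+)/')
# The three webmail clients the poster disabled; any hit here is worth a look
WEBMAIL_RE = re.compile(r'/3rdparty/(roundcube|horde|squirrelmail)/', re.I)

# Constructed sample data: IPs, user, referers and session IDs are made up.
SAMPLE_LOG = """\
203.0.113.45 - bob [07/28/2017:22:10:33 -0000] "GET /cpsess1000000001/3rdparty/roundcube/?_task=mail HTTP/1.1" 200 0 "https://webmail.example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For:" 443
203.0.113.45 - bob [08/01/2017:12:47:47 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/styles.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For:" 443
203.0.113.45 - bob [08/01/2017:12:47:48 -0000] "GET /cpsess4551888955/3rdparty/roundcube/skins/larry/mail.min.css?s=1489164033 HTTP/1.1" 200 0 "https://webmail.example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For:" 443
198.51.100.7 - bob [08/02/2017:09:15:02 -0000] "GET /cpsess9000000002/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "https://cpanel.example.com:2083/" "Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0" "s" "X-Forwarded-For:" 2083
garbage line that does not match the layout
"""


def parse_ts(raw):
    """'08/01/2017:12:47:47 -0000' -> timezone-aware datetime."""
    stamp, offset = raw.rsplit(' ', 1)
    naive = datetime.strptime(stamp, '%m/%d/%Y:%H:%M:%S')
    sign = -1 if offset.startswith('-') else 1
    delta = timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5]))
    return naive.replace(tzinfo=timezone(sign * delta))


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = parse_ts(rec['ts'])
    rec['status'] = int(rec['status'])
    sess = CPSESS_RE.search(rec['path'])
    rec['session'] = sess.group(1) if sess else None
    rec['webmail'] = bool(WEBMAIL_RE.search(rec['path']))
    return rec


def summarize(lines):
    """Aggregate per source IP: first/last seen, hits, users, sessions, webmail hits."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip junk rather than abort mid-investigation
        e = by_ip.setdefault(rec['ip'], {
            'first': rec['ts'], 'last': rec['ts'], 'hits': 0,
            'users': set(), 'sessions': set(), 'webmail_hits': 0})
        e['first'] = min(e['first'], rec['ts'])
        e['last'] = max(e['last'], rec['ts'])
        e['hits'] += 1
        e['users'].add(rec['user'])
        if rec['session']:
            e['sessions'].add(rec['session'])
        if rec['webmail']:
            e['webmail_hits'] += 1
    return by_ip


def report(by_ip):
    """One line per IP, earliest sighting first; webmail users are flagged."""
    rows = []
    for ip, e in sorted(by_ip.items(), key=lambda kv: kv[1]['first']):
        flag = 'WEBMAIL' if e['webmail_hits'] else '-'
        rows.append('%-16s first=%s last=%s hits=%d webmail=%d sessions=%d users=%s %s' % (
            ip, e['first'].isoformat(), e['last'].isoformat(), e['hits'],
            e['webmail_hits'], len(e['sessions']), ','.join(sorted(e['users'])), flag))
    return rows


def main(argv):
    # Usage: python3 triage_access_log.py /usr/local/cpanel/logs/access_log
    # With no argument the constructed SAMPLE_LOG above is used.
    if len(argv) > 1:
        with open(argv[1], errors='replace') as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print('\n'.join(report(summarize(lines))))


if __name__ == '__main__':
    main(sys.argv)
```

Run it against the real access_log and sort the output by first sighting: the earliest row for the offending IP is the date to work backwards from when checking the account's mail logs, cron and web files. Grouping by cpsess token also shows whether the webmail hits belong to one session or to repeated logins, which is the difference between a single stolen session and a password the attacker still has.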