Suspicious Activity Errors

Discussion in 'Security' started by Talha Zahid, Mar 11, 2019.

  1. Talha Zahid

    Talha Zahid Registered

    Joined:
    Aug 3, 2017
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Karachi
    cPanel Access Level:
    Root Administrator
    I have been facing an issue where an IP penetrated one of our cPanel & webmail accounts. This has been going on every now and then; we have to change our cPanel and webmail passwords and scan for any viruses on our servers, but this culprit keeps on getting back to us.

    Code:
    [root@host valiases]# echo -e '\e[38;5;82m ###############Listing suspicious sessions created on 2019-03-11 for xyz account - Cpanel Session log: \033[0m'; cat /usr/local/cpanel/logs/session_log | grep NEW --color=always | grep 2019-03-11 --color=always | grep xyz --color=always;
        ###############Listing suspicious sessions created on 2019-03-11 for xyz account - Cpanel Session log:
        [2019-03-11 02:49:02 +0500] info [webmaild] 41.203.xxx.xxx NEW imports@xyz.com:6jiUOqbsdKXbItR_qo address=41.203.xxx.xxx,app=webmaild,creator=imports@xyz.com,method=handle_form_login,path=form,possessed=0

    [root@host valiases]# echo -e '\e[38;5;82m ###############Traces of adding forwarders to the email account - Cpanel Access log: \033[0m'; grep 'doaddfwd.html' /usr/local/cpanel/logs/access_log | grep '03/10/2019' --color=always; echo ''; echo ''; echo '';
        ###############Traces of adding forwarders to the email account - Cpanel Access log:
        41.203.xxx.xxx - imports%xyz.com [03/10/2019:21:30:43 -0000] "POST /cpsess0524813434/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://xyz.com:2096/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "s" "-" 2096

    apache2/error_log:[Mon Mar 11 02:54:53.114482 2019] [cgi:error] [pid 31267] [client 41.203.72.162:13553] AH01215: Use of uninitialized value $ENV{"HTTPS"} in string eq at /usr/local/cpanel/Cpanel/Redirect.pm line 97.: /usr/local/cpanel/cgi-sys/wredirect.cgi
    What should I do?
    Thanks
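An added example (not from the thread, not cPanel's own tooling) that turns the manual greps in the post above into a repeatable check over both logs: it parses the session_log and access_log line formats quoted in the thread, flags NEW webmaild sessions from IPs outside an allowlist, flags successful POSTs to doaddfwd.html (a forwarder being created), and correlates the two by account and IP. The field layout and the two encodings of "@" in the access_log username ("%" and "%40", both seen in this thread) are inferred from the quoted lines rather than from documentation; the sample lines, IPs and KNOWN_IPS are constructed.

```python
import re

# Constructed sample lines in the two formats quoted in the thread (not real data).
SESSION_LOG = [
    "[2019-03-11 02:49:02 +0500] info [webmaild] 203.0.113.45 NEW imports@example.com:TOKEN1 address=203.0.113.45,app=webmaild,creator=imports@example.com,method=handle_form_login,path=form,possessed=0",
    "[2019-03-11 09:12:10 +0500] info [webmaild] 198.51.100.7 NEW sales@example.com:TOKEN2 address=198.51.100.7,app=webmaild,creator=sales@example.com,method=handle_form_login,path=form,possessed=0",
]
ACCESS_LOG = [
    '203.0.113.45 - imports%example.com [03/10/2019:21:30:43 -0000] "POST /cpsess0000000000/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://example.com:2096/" "UA" "s" "-" 2096',
    '198.51.100.7 - sales%40example.com [03/11/2019:04:12:24 -0000] "POST /cpsess0000000000/3rdparty/roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 0 "https://example.com:2096/" "UA" "s" "-" 2096',
]
KNOWN_IPS = {"198.51.100.7"}  # constructed allowlist: addresses the account owner normally uses

# Field layout inferred from the lines quoted in the thread (assumption, not cPanel docs).
SESSION_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] info \[(?P<app>\w+)\] (?P<ip>\S+) NEW (?P<user>[^:\s]+):\S+")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
FORWARDER_PAGE = "doaddfwd.html"  # webmail page that creates a mail forwarder

def parse_access(line):
    """Parse one access_log line; the user field writes '@' as '%' or '%40', so normalise it."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["user"] = d["user"].replace("%40", "@").replace("%", "@")
    return d

def suspicious_logins(session_lines, known_ips):
    """NEW webmaild sessions whose source IP is not on the allowlist."""
    hits = []
    for line in session_lines:
        m = SESSION_RE.match(line)
        if m and m["app"] == "webmaild" and m["ip"] not in known_ips:
            hits.append((m["user"], m["ip"], m["ts"]))
    return hits

def forwarder_changes(access_lines):
    """Successful POSTs to doaddfwd.html, i.e. a forwarder was added to the account."""
    hits = []
    for line in access_lines:
        a = parse_access(line)
        if a and a["method"] == "POST" and a["status"] == "200" and a["path"].endswith(FORWARDER_PAGE):
            hits.append((a["user"], a["ip"], a["ts"]))
    return hits

def correlate(session_lines, access_lines, known_ips):
    """(account, ip) pairs where an unknown IP both opened a webmail session and added a forwarder."""
    logins = {(u, ip) for u, ip, _ in suspicious_logins(session_lines, known_ips)}
    added = {(u, ip) for u, ip, _ in forwarder_changes(access_lines)}
    return sorted(logins & added)
```

Note that session_log timestamps carry the server offset (+0500 in the thread) while access_log lines are logged at -0000, so compare times across the two logs only after converting to one zone.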
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,710
    Likes Received:
    436
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Talha Zahid

    What have you used to scan and what steps exactly have you taken already?

    It sounds like at this point you'd need to contact your provider or a system administrator to fully investigate/identify the source of the compromise. If you don't have a system administrator you might find one here: System Administration Services | cPanel Forums


    Thanks!
     
  3. Talha Zahid

    Talha Zahid Registered

    Joined:
    Aug 3, 2017
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Karachi
    cPanel Access Level:
    Root Administrator
    I have added the IP address to the csf & cPHulk block lists, removed the forwarder and scanned the compromised account using maldet, but found nothing suspicious in the result. What steps do you suggest?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,710
    Likes Received:
    436
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Talha Zahid

    Are you running any CMS software such as WordPress on the account? Unfortunately, while you may have removed the malware it could still be re-added if you're continuing to use a vulnerable theme/plugin associated with the CMS software.

    It may be best to discuss this with your system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums

    Thanks!
     
  5. Talha Zahid

    Talha Zahid Registered

    Joined:
    Aug 3, 2017
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Karachi
    cPanel Access Level:
    Root Administrator
    Hello @cPanelLauren

    Yes, the client is using a CMS on their hosting account, and I am pretty sure that the intrusion did not take place via it, as per the access logs. We did discuss it with our system administrator, and their suspicion is that the hacker used the password to log into the account. For reference, they are pointing us to the following log.

    Code:
    41.203.xx.xx - Accounts%40xyz.com [03/10/2019:21:32:24 -0000] "POST /cpsess05248344/3rdparty/roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 0 "https://xyz.com:2096/cpsess05248344/3rdparty/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "s" "-" 2096
    I'm not sure if the above log suggests that the hacker authenticated to the system. Besides, what's making me a bit upset is the error log which I posted earlier; could it be the point of entry into cPanel - wredirect.cgi?

    Code:
    apache2/error_log:[Mon Mar 11 02:54:53.114482 2019] [cgi:error] [pid 31267] [clien 13553] AH01215: Use of uninitialized value $ENV{"HTTPS"} in string eq at /usr/local/cpanel/Cpanel/Redirect.pm line 97.: /usr/local/cpanel/cgi-sys/wredirect.cgi            
     
    #5 Talha Zahid, Mar 12, 2019
    Last edited by a moderator: Mar 12, 2019
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,710
    Likes Received:
    436
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    At this point as it's difficult to tell you specifically what's happening without the full picture, can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     