Understanding the cPanel and Webmail access logs

speckados

Well-Known Member
I am trying to understand the webmail / cPanel access logs, in which two users of the same domain are involved.

One, called "[email protected]" and another one "[email protected]"

From the logs I think I see that the user "suspect" is logged in and switches to the user "victim", and that is why that is what appears in the lines before the timestamp, although in the GET it is seen logging in with the user "victim".

Is my understanding correct?


Code:
83.49.136.222 - suspect%40domain.com [07/19/2018:19:55:42 -0000] "GET /cpsess9045753692/webmail/paper_lantern/index.html?mailclient=roundcube HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess9045753692/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - suspect%40domain.com [07/19/2018:20:05:42 -0000] "GET /cpsess7597418467/login/[email protected]:JYmFOGrDmsIWAWo9,e0eff3f3f08252290669a86d2ed6f7e1 HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:58 -0000] "GET /cpsess7597418467/login/[email protected]:JYmFOGrDmsIWAWo9,e0eff3f3f08252290669a86d2ed6f7e1 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "-" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:58 -0000] "GET /cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "GET /cPanel_magic_revision_1531798542/webmail/paper_lantern/_assets/css/master-legacy-ltr.cmb.min.css HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "POST /cpsess4915604468/execute/Email/list_pops_with_disk HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "GET /cpsess4915604468/webmail/paper_lantern/index.html?mailclient=roundcube HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:14:05 -0000] "GET /cpsess7597418467/login/[email protected]:Gim1lqTzE7jCSGDu,23ad4e148c07fd498d295f20c3253ba4 HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - suspect%40domain.com [07/19/2018:20:14:41 -0000] "GET /cpsess7597418467/login/[email protected]:Gim1lqTzE7jCSGDu,23ad4e148c07fd498d295f20c3253ba4 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "-" "-" 2096
I would appreciate some help.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @speckados,

The log output suggests the IP address is logged in via cPanel and is using the "Access Webmail" action in cPanel >> Email Accounts to access webmail for the different email accounts.

Thank you.
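The thread's lines follow one fixed layout (client IP, authenticated user, timestamp, request, status, bytes, referer, user agent, two flag fields, port), and the interesting part of the question is that the same cpsess token appears first with one user and then with the other. The following script is an added example, not cPanel's own code or anything from the original post: it parses lines in that layout and reports every point where the authenticated-user field changes on a session token that was already seen. The sample lines are constructed here (documentation IP 203.0.113.5, example.com, zero-padded cpsess tokens, placeholder TOKEN/HASH values) and only mimic the shape of the thread's lines; the helper names and the "session switch" interpretation are this example's own, and the email address inside the login URL is deliberately not relied on because it is obfuscated in the thread.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Field layout as it appears in the thread (one line per request):
# ip - user [MM/DD/YYYY:HH:MM:SS zone] "METHOD path PROTO" status bytes
#   "referer" "user-agent" "flag" "flag" port
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<flag1>[^"]*)" "(?P<flag2>[^"]*)" (?P<port>\d+)$'
)

# The session token is the first path component when it is a cpsess value;
# static-asset paths (e.g. /cPanel_magic_revision_.../) carry none.
SESS_RE = re.compile(r'^/(cpsess\d+)/')

# Constructed sample lines modelled on the thread, with placeholder values.
SAMPLE_LINES = [
    '203.0.113.5 - suspect%40example.com [07/19/2018:20:05:42 -0000] "GET /cpsess0000000001/login/victim%40example.com:TOKEN,HASH HTTP/1.1" 308 0 "-" "Mozilla/5.0 (constructed)" "s" "-" 2096',
    '203.0.113.5 - victim%40example.com [07/19/2018:20:05:58 -0000] "GET /cpsess0000000001/login/victim%40example.com:TOKEN,HASH HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)" "-" "-" 2096',
    '203.0.113.5 - victim%40example.com [07/19/2018:20:05:58 -0000] "GET /cpsess0000000002/webmail/paper_lantern/index.html?login=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (constructed)" "s" "-" 2096',
    '203.0.113.5 - victim%40example.com [07/19/2018:20:05:59 -0000] "GET /cPanel_magic_revision_0/webmail/paper_lantern/_assets/css/master.css HTTP/1.1" 200 0 "-" "Mozilla/5.0 (constructed)" "s" "-" 2096',
    '203.0.113.5 - victim%40example.com [07/19/2018:20:14:05 -0000] "GET /cpsess0000000001/login/suspect%40example.com:TOKEN,HASH HTTP/1.1" 308 0 "-" "Mozilla/5.0 (constructed)" "s" "-" 2096',
    '203.0.113.5 - suspect%40example.com [07/19/2018:20:14:41 -0000] "GET /cpsess0000000001/login/suspect%40example.com:TOKEN,HASH HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)" "-" "-" 2096',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['user'] = unquote(rec['user'])          # suspect%40example.com -> suspect@example.com
    rec['ts'] = datetime.strptime(rec['ts'], '%m/%d/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['port'] = int(rec['port'])
    s = SESS_RE.match(rec['path'])
    rec['session'] = s.group(1) if s else None  # None for static-asset paths
    return rec


def session_user_changes(lines):
    """Return (session, previous_user, new_user, ip, ts) for every line on which the
    authenticated user differs from the previous line seen for the same cpsess token.
    Lines without a session token are ignored; unparseable lines are skipped."""
    last_user = {}
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['session'] is None:
            continue
        sess = rec['session']
        prev = last_user.get(sess)
        if prev is not None and prev != rec['user']:
            events.append((sess, prev, rec['user'], rec['ip'], rec['ts']))
        last_user[sess] = rec['user']
    return events


if __name__ == '__main__':
    for sess, prev, new, ip, ts in session_user_changes(SAMPLE_LINES):
        print(f'{ts.isoformat()} {ip} {sess}: user changed {prev} -> {new}')
```

Run against a real access_log the report lists, per session token, each change of the authenticated user together with the client IP and time, which is the evidence the reply above refers to: a single cPanel session that is then used to open webmail for a different mailbox. A session whose user changes from an address the account owner does not recognise is the line worth following up; the per-IP timeline (sort the parsed records by `ip` and `ts`) gives the surrounding context.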