Understanding the cPanel and Webmail access logs

Discussion in 'E-mail Discussion' started by speckados, Sep 20, 2018.

  1. speckados

    speckados Well-Known Member

    Joined:
    May 21, 2003
    Messages:
    330
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Pastrana :: Guadalajara :: España
    cPanel Access Level:
    DataCenter Provider
    I am trying to understand the cPanel / webmail access logs, in which two users of the same domain are involved.

    One is called "suspect@domain.com" and the other "victim@domain.com".

    From the logs, I think I see that the user "suspect" is logged in and changes to the user "victim", and that is why it is seen in the lines before the timestamp, although in the GET it is seen logging in as the user "victim".

    Is my assessment correct?


    Code:
    83.49.136.222 - suspect%40domain.com [07/19/2018:19:55:42 -0000] "GET /cpsess9045753692/webmail/paper_lantern/index.html?mailclient=roundcube HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess9045753692/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
    83.49.136.222 - suspect%40domain.com [07/19/2018:20:05:42 -0000] "GET /cpsess7597418467/login/?session=ak@domain.com:JYmFOGrDmsIWAWo9,e0eff3f3f08252290669a86d2ed6f7e1 HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
    83.49.136.222 - victim%40domain.com [07/19/2018:20:05:58 -0000] "GET /cpsess7597418467/login/?session=ak@domain.com:JYmFOGrDmsIWAWo9,e0eff3f3f08252290669a86d2ed6f7e1 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "-" "-" 2096
    83.49.136.222 - victim%40domain.com [07/19/2018:20:05:58 -0000] "GET /cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
    83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "GET /cPanel_magic_revision_1531798542/webmail/paper_lantern/_assets/css/master-legacy-ltr.cmb.min.css HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
    83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "POST /cpsess4915604468/execute/Email/list_pops_with_disk HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
    83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "GET /cpsess4915604468/webmail/paper_lantern/index.html?mailclient=roundcube HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
    83.49.136.222 - victim%40domain.com [07/19/2018:20:14:05 -0000] "GET /cpsess7597418467/login/?session=export@domain.com:Gim1lqTzE7jCSGDu,23ad4e148c07fd498d295f20c3253ba4 HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
    83.49.136.222 - suspect%40domain.com [07/19/2018:20:14:41 -0000] "GET /cpsess7597418467/login/?session=export@domain.com:Gim1lqTzE7jCSGDu,23ad4e148c07fd498d295f20c3253ba4 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "-" "-" 2096
    Appreciate some help.
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,890
    Likes Received:
    91
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,
    Yes, that seems to be correct.
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @speckados,

    The log output suggests the IP address is logged in via cPanel and is using the "Access Webmail" action in cPanel >> Email Accounts to access webmail for the different email accounts.

    Thank you.
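
For reviewing logs like the ones in this thread, the following is an added example (not from the original posts and not cPanel's own tooling): it parses access-log lines in the layout quoted above and lists each point where the logged user changes for one client IP, marking whether the change passes through a `/login/?session=` request. The field layout is inferred from the quoted lines; the sample lines, IP addresses, account names and session values are constructed.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Field layout inferred from the log lines quoted in this thread (assumption).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
HANDOFF_RE = re.compile(r'^/cpsess\d+/login/\?session=')

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = unquote(rec["user"])  # alice%40example.com -> alice@example.com
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    rec["handoff"] = bool(HANDOFF_RE.match(rec["path"]))
    return rec

def account_switches(lines):
    """List every change of logged user per client IP, in log order."""
    last, found = {}, []
    for rec in filter(None, map(parse, lines)):
        prev = last.get(rec["ip"])
        if prev and prev["user"] != rec["user"]:
            found.append({
                "ip": rec["ip"], "at": rec["ts"],
                "from": prev["user"], "to": rec["user"],
                # True when either side of the change is a /login/?session= hop
                "via_session_handoff": prev["handoff"] or rec["handoff"]})
        last[rec["ip"]] = rec
    return found

# Constructed sample lines (documentation IPs, placeholder session values).
TAIL = ' 0 "-" "ExampleUA" "s" "-" 2096'
SAMPLE = [
    '203.0.113.10 - alice%40example.com [07/19/2018:19:55:42 -0000] "GET /cpsess1111111111/webmail/paper_lantern/index.html HTTP/1.1" 200' + TAIL,
    '203.0.113.10 - alice%40example.com [07/19/2018:20:05:42 -0000] "GET /cpsess2222222222/login/?session=PLACEHOLDER HTTP/1.1" 308' + TAIL,
    '203.0.113.10 - bob%40example.com [07/19/2018:20:05:58 -0000] "GET /cpsess2222222222/login/?session=PLACEHOLDER HTTP/1.1" 302' + TAIL,
    '203.0.113.10 - bob%40example.com [07/19/2018:20:05:58 -0000] "GET /cpsess3333333333/webmail/paper_lantern/index.html?login=1 HTTP/1.1" 200' + TAIL,
    '198.51.100.7 - carol%40example.com [07/19/2018:20:06:10 -0000] "GET /cpsess4444444444/webmail/paper_lantern/index.html HTTP/1.1" 200' + TAIL,
    '198.51.100.7 - dave%40example.com [07/19/2018:20:09:30 -0000] "GET /cpsess5555555555/webmail/paper_lantern/index.html HTTP/1.1" 200' + TAIL,
    'not an access log line',
]

if __name__ == "__main__":
    for s in account_switches(SAMPLE):
        print(s["at"].isoformat(), s["ip"], s["from"], "->", s["to"], s["via_session_handoff"])
```

A change marked `via_session_handoff` matches the request sequence seen in the quoted logs; a change without it only shows that two accounts were used from the same address, which shared NAT can also produce.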
     