Undetected Email forwarder after Hack

Razzik

Registered
Nov 7, 2020
South Africa
cPanel Access Level
Root Administrator
Hi Guys,

After our system was partially compromised months ago, everything has been fixed, restored and patched, and passwords have been changed since then. We are all good now; however, one of my email accounts seems to have an email forwarder on it that I can't seem to shake.

For every mail that gets sent to this account, from within or outside the domain, the sender gets an undelivered message that states the following:


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
(generated from john@mydomain.com)
host gmail-smtp-in.l.google.com [108.177.126.27]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550-5.2.1 The email account that you tried to reach is disabled. Learn more at
550 5.2.1 https://support.google.com/mail/?p=DisabledUser b13si934709edw.337 - gsmtp


Reporting-MTA: dns; mydomain.dedicated.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.2.1 The email account that you tried to reach is disabled. Learn more at
550 5.2.1 https://support.google.com/mail/?p=DisabledUser b13si934709edw.337 - gsmtp


To avoid confusion: the intended recipient is [email protected].
[email protected] is the recipient of some kind of autoforwarder attached to [email protected]'s account.

So it looks like during the hack they tried to attach a forwarder to the email account to intercept communications, but then the account got disabled by Google for malicious activity. So every time someone emails john, it forwards the email to a disabled Gmail account and Google sends an error message to the person who sent john the mail.

I have looked everywhere for where the forwarder is attached and I cannot find it anywhere. I've looked in Forwarders and Filters for the account in cPanel, and I've searched that user's email client. There is obviously somewhere I haven't looked in WHM. Can someone please point me in the right direction?

Thanks guys.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! You may want to check /etc/valiases and /etc/vfilters to see if something is lingering there that may not be showing up in the cPanel interface. Was this a root-level hack or just a single account that was compromised?
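The check cPRex suggests, as an added example that is not part of the thread and not cPanel's own tooling: a small POSIX shell script that reads the /etc/valiases/<domain> and /etc/vfilters/<domain> files directly and flags any alias that sends mail outside the domain or into a pipe or file, plus any Exim filter deliver/pipe/save command. The file formats (valiases as "address: target" lines, vfilters as Exim filter syntax) are assumed from cPanel's usual layout, the directory names are parameters rather than hard-coded, and the sample data is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): read /etc/valiases/<domain>
# and /etc/vfilters/<domain> directly and report anything that redirects mail
# out of the domain, into a pipe, or into a file. Directory names are parameters
# so the functions can run on the constructed sample below; on a real server
# pass /etc/valiases and /etc/vfilters.
# Assumed formats: valiases entries are "address: target[, target...]" and
# vfilters files use Exim filter syntax (deliver / pipe / save commands).

# Report alias targets that leave the domain or are pipes/files.
find_forwarders() {
    aliasdir=$1
    for f in "$aliasdir"/*; do
        [ -f "$f" ] || continue
        domain=$(basename "$f")
        # drop comments, keep only "lhs: rhs" lines
        sed 's/#.*//' "$f" | grep ':' | while IFS= read -r line; do
            lhs=$(printf '%s' "${line%%:*}" | sed 's/[[:space:]]*$//')
            rhs=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//')
            case "$rhs" in
                :fail:*|:blackhole:*|:defer:*) continue ;;  # non-delivery actions, not forwarders
            esac
            # an entry may list several comma-separated targets; check each one
            printf '%s\n' "$rhs" | tr ',' '\n' | while IFS= read -r t; do
                t=$(printf '%s' "$t" | sed 's/^[[:space:]"]*//; s/["[:space:]]*$//')
                case "$t" in
                    "")          ;;                                   # empty fragment
                    '|'*|/*)     printf 'PIPE_OR_FILE %s -> %s (%s)\n' "$lhs" "$t" "$f" ;;
                    *"@$domain") ;;                                   # stays in the domain: normal
                    *@*)         printf 'EXTERNAL %s -> %s (%s)\n' "$lhs" "$t" "$f" ;;
                    *)           ;;                                   # local mailbox / system user
                esac
            done
        done
    done
}

# Report Exim filter commands in vfilters that deliver, pipe or save mail
# ("unseen deliver" keeps a local copy as well, which is what an interceptor wants).
find_filter_deliveries() {
    filterdir=$1
    for f in "$filterdir"/*; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*(unseen[[:space:]]+)?(deliver|pipe|save)[[:space:]]' "$f" | sed "s|^|$f:|"
    done
}

# Run both checks; exit status 1 when something was flagged, 0 when clean.
scan_mail_routing() {
    findings=$( { find_forwarders "$1"; find_filter_deliveries "$2"; } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no external forwarders or filter deliveries found"
    return 0
}

# Constructed sample data (not real server files); prints the directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/valiases" "$d/vfilters"
    cat > "$d/valiases/mydomain.com" <<'EOF'
*: :fail: No Such User Here
john@mydomain.com: john, forward-target@example.net
sales@mydomain.com: john@mydomain.com
billing@mydomain.com: "|/home/mydomain/bin/handler.sh"
EOF
    cat > "$d/vfilters/mydomain.com" <<'EOF'
# Exim filter
if $h_to: contains "john@mydomain.com"
then
  unseen deliver "forward-target@example.net"
endif
EOF
    printf '%s\n' "$d"
}

SAMPLE=$(make_sample)
scan_mail_routing "$SAMPLE/valiases" "$SAMPLE/vfilters" || echo "review the findings above"
rm -rf "$SAMPLE"
```

On a real server, run scan_mail_routing /etc/valiases /etc/vfilters as root; a non-zero exit means at least one entry was flagged. Any target you do not recognise, in particular an outside mailbox matching the address in the bounce, is the forwarder to remove, and re-running the scan after cleaning up confirms it has not been re-added.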
 

Razzik

> Hey there! You may want to check /etc/valiases and /etc/vfilters to see if something is lingering there that may not be showing up in the cPanel interface. Was this a root-level hack or just a single account that was compromised?
Hey cPRex, thank you for the reply.

Alright, I'll check that out to see if I can find anything in there. It was a single-account file system hack due to a vulnerability in the webstore we had on there. Could it be possible to run a script that injects the forwarder?
If I can't find anything in those directories, any other suggestions for places to look?

Regards,
 

cPRex

Since the account was compromised, almost anything is possible, unfortunately. If you aren't able to track that down, and you have root access to the system, you could always put in a ticket with our support team so we can take a look directly on the server.

If you decide to do that, just post the ticket number here so we can update this thread with our findings as that might help someone else out in the future.