cPanel e-mail forwarders hack

Comments

15 comments

  • cPanelLauren
    Hi @zodiac9797 [QUOTE]Question is, is there any WHM / cPanel log where I can see who and when created this forwarder? IP address, time, method (through cPanel or some other way)?
    The only log that would show this data is the cPanel access log at /usr/local/cpanel/logs/access_log *IF* the user made the modification through the UI. Otherwise, if you're sure it's a forwarder being modified, in order to see if it gets changed again you could use auditd to watch /etc/valiases/domain.tld to identify what/who is modifying the file. If you're familiar with the CLI, a good walkthrough on how to create one can be found here:
    0
  • sparek-3
    Have you reviewed the cPanel access logs? /usr/local/cpanel/logs/access_log to see if the owner of the account is adding a forwarder to their account?
    0
  • zodiac9797
    Hi @cPanelLauren I will try with the auditd, thank you! Hi @sparek-3, I have checked the cPanel access logs and found nothing. My first goal was to find out whether the forwarder was added through cPanel or by using some other way. Thank you for your help!
    0
  • siwis
    Similar... I've recently stumbled upon three client cPanel accounts that had erroneous email forwarders. I have been able to track the date the forwarders started forwarding, but have been unable to see anything in the above mentioned logs which assists. At this stage it is unclear whether the forwarders will respawn but I will be monitoring very closely.
    0
  • Vinayak
    This seems to have become quite common over the last few months; most probably hackers steal the password on the client end or by some other method, then use some automated method to access the webmail of the affected account to add a forwarder to steal email content, or to SPAM from the affected account.
    0
  • exentric
    Just ran into the same problem, always IPs from Nigeria, and the logs show that they always get in through Roundcube? Can anyone else confirm this?
    0
  • cPanelLauren
    [QUOTE]Just ran into the same problem, always IPs from Nigeria, and the logs show that they always get in through Roundcube? Can anyone else confirm this?

    My assumption would be that Roundcube just happens to be the user's default mail client, rather than it being the point of entry, since you'd have to access cPanel initially to log in. This is not a new type of vulnerability and I would suggest that you thoroughly scan the contents of the accounts, as well as update passwords to ensure they're secure.
    0
  • Ovidiu Sopa
    This happened to 2 of my clients, one now 2 years ago and the latest a few days ago; each had forwarders to gmail accounts. Isn't there a way to set up WHM by default to send a notification (mail/Pushbullet/or any other already available ways) whenever a new forwarder is set? This would be very helpful in detecting QUICK ENOUGH ANY POTENTIAL INFORMATION THIEF. Do you guys know the exact URL format we should search for in the log file (the URL for adding a new filter)? By searching only for the "email address" there are thousands of lines in that log. Thank you.
    0
  • Vinayak
    [QUOTE]This happened to 2 of my clients, one now 2 years ago and the latest a few days ago; each had forwarders to gmail accounts. Isn't there a way to set up WHM by default to send a notification (mail/Pushbullet/or any other already available ways) whenever a new forwarder is set? This would be very helpful in detecting QUICK ENOUGH ANY POTENTIAL INFORMATION THIEF. Do you guys know the exact URL format we should search for in the log file (the URL for adding a new filter)? By searching only for the "email address" there are thousands of lines in that log. Thank you.

    Using CSF? Try its dir/file watch feature. Either do it from the WHM/CSF GUI or edit "/etc/csf/csf.dirwatch" directly. Add the following line: /etc/valiases
    Save and you are done. Whenever a forwarder is added or removed, CSF will send you an alert.
    0
  • llamaza
    You should also add a value to LF_DIRWATCH_FILE. From csf.conf: "LF_DIRWATCH_FILE = Default: 0 [0 or 30-86400]. This option allows you to have lfd watch a particular file or directory for changes and, should they change, an email alert using watchalert.txt is sent. To enable this feature set the following to the checking interval in seconds (a value of 60 would seem sensible) and add your entries to csf.dirwatch."
    0
  • zodiac9797
    This problem has escalated. Everything is like in the opening post except there is no forwarder set, at least I am unable to find it. I don't know where else to look. I checked everything in /etc/valiases, checked the user's cPanel -> E-mail Forwarders, and nothing. For the last two days I have been looking at logs, but I just don't see where that damn forwarder is set. I can see that the e-mail is sent from our mail server; I can post the exim log if it helps.
    0
  • zodiac9797
    Found it! :) It was under e-mail filters. The filter name was a dot "." so I didn't see it at first under "Current filters". It looks like it's empty and there are no filters set. The filter redirects all emails to some gmail address.
    0
  • stormy
    There are a number of threads on this problem but I think this one has the most information. I was looking for a way to get alerted on email forwarder creation, and the CSF solution is easy enough and effective; I am going to try it out right away. However, I don't see an easy way to get alerted on email filter creation, which is the other part of the hack. Looking at past forum threads, the best solution would be a hook that runs after email forwarder creation and filter creation (if there's one!) and alerts the user and the server owner. This is beyond my abilities but I'm sure someone here is knowledgeable enough? Also, this is becoming the biggest security problem right now, because hackers are using it to impersonate the users and divert money to different bank accounts. It's not just to send out spam from the server anymore.
    0
  • cPanelAnthony
    Hello! Our guide on standardized hooks might help.
    0
  • Curious Too
    I just ran into this problem with a corporate client. If this happens, try checking these files in the user's home directory:
    etc/domain.com/username/filter: deliver "hacker@gmail.com"
    etc/domain.com/username/filter.yaml: dest: hacker@gmail.com
    etc/domain.com/username/filter.cache
    This filter did not appear anywhere in cPanel; I had to log into the server and search.
    0
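A defender-side check that follows from this thread, added here and not taken from any post or from cPanel's own tooling: it walks the two places named above, /etc/valiases/<domain> for account forwarders and ~/etc/<domain>/<mailbox>/filter for mailbox filters, and reports every delivery target whose domain is not one you host. LOCAL_DOMAINS, the alice/sales mailbox and the hacker@gmail.com target are constructed sample values, and the tree is built under a temp directory so the script runs without a cPanel server; point scan_mail_redirects at / on a real host.

```shell
# Added example, not from the thread. LOCAL_DOMAINS is an assumption: the domains this server hosts.
LOCAL_DOMAINS="example.com"

# Print every e-mail address in a line, one per output line (commas and quotes split tokens).
extract_addrs() {
    printf '%s\n' "$1" | tr ' ,"' '\n\n\n' | grep -E '^[^@[:space:]]+@[^@[:space:]]+$' || true
}

# Exit 0 when the address's domain is not one of ours.
is_external() {
    for d in $LOCAL_DOMAINS; do [ "${1#*@}" = "$d" ] && return 1; done
    return 0
}

# scan_mail_redirects ROOT: ROOT stands in for "/" so the same code runs on sample data.
scan_mail_redirects() {
    root=$1
    for f in "$root"/etc/valiases/*; do            # account forwarders, "key: target, target"
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            case $line in \#*|'') continue;; esac
            for a in $(extract_addrs "${line#*:}"); do
                is_external "$a" && printf '%s forwarder -> %s\n' "${f#"$root"}" "$a"
            done
        done < "$f"
    done
    for f in "$root"/home/*/etc/*/*/filter; do      # mailbox filters in Exim filter syntax
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*deliver[[:space:]]' "$f" | while IFS= read -r line; do
            for a in $(extract_addrs "$line"); do
                is_external "$a" && printf '%s filter -> %s\n' "${f#"$root"}" "$a"
            done
        done
    done
    return 0
}

# Constructed sample tree mirroring the paths named in the thread (placeholder addresses).
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/valiases" "$t/home/alice/etc/example.com/sales"
    printf '%s\n' 'info@example.com: sales@example.com' \
        'sales@example.com: sales@example.com, hacker@gmail.com' \
        '*: :fail: No Such User Here' > "$t/etc/valiases/example.com"
    printf '%s\n' '# Exim filter' 'if $h_subject: contains "invoice"' 'then' \
        ' deliver "archive@example.com"' ' deliver "hacker@gmail.com"' 'endif' \
        > "$t/home/alice/etc/example.com/sales/filter"
    printf '%s\n' "$t"
}
sample=$(build_sample_tree); scan_mail_redirects "$sample"; rm -rf "$sample"
```

Run it from cron and diff against the previous output to get the alert stormy asked for without waiting on a hook; the internal archive@example.com target is deliberately not reported.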