Unknown email forwarding setting
Hi, this happened to me 6 months ago and again recently. Basically, the mailbox user reported suspicious activity 6 months ago and when I looked into the matter I found that there was a forwarding address set that all emails received in that mailbox are also copied to another email address. When this happened 6 months ago, I just removed the forwarding setting, changed the mailbox password and my account credentials as well as set up two-way authentication. I also made sure that the mailbox user has the correct settings and that his credentials are not in a position to be compromised.
Last week it happened again and this time I was baffled as there is no way that the account was compromised credentials wise, only I have access to the server backend and the password is not stored anywhere and there is two-way authentication set up. Also, the mailbox user was 100% sure it wasn't a credentials issue. The same issue, a forwarding email was set up on the mailbox to another email address unknown to both myself and the mailbox user.
I suspect that there is a webmail vulnerability and I will explain why. The main cPanel server administration panel is only accessible to me and I am certain that that is safe. The mailbox user uses Outlook to read emails but obviously the mailbox user has webmail, which really he doesn't use. There are two ways of adding a forwarding address visually: the backend and webmail. In webmail, you log in, click on the user section on the top right, and it's the last option.
The vulnerability is either in the webmail front end panel or a permission on a file which stores the forwarding details.
The issue is that you cannot turn off webmail for mailboxes, which might limit access. Webmail is very "up to the person", kind of. Most people do not use it whilst others find it useful. I would disable it by default and enable it just for whoever needs it.
Hope this may shed some light on this issue. This is happening to users, they are just not reporting it!!!
Hi @BennyBS, do you have an account that you can show this occurring on now? If you do, I would really like for you to open a ticket using the link in my signature so that we can investigate this further. Thanks!
Side issue to your main concern: Benny, you can disable specific webmails (Horde, Squirrel, etc.) in WHM --> Server Configuration --> Tweak Settings. So maybe disabling them all would prevent webmail access.
I am currently having the same issue! I even disabled forwarding from features. Somehow the hacker still managed to enable it!! Can he somehow access the file system? Where is the forwarding list stored? I opened a ticket with the issue.
This has been reported several times now, and I have experienced it myself on one occasion. If there is some exploitable vector that is allowing miscreants to access the forwarder configuration, irrespective of whether it is via webmail or some other entry method, then we need to identify and manage this as a matter of urgency. Having said that, I wrote about this all before, on a previous post you can find at
***Edited to Add*** The only observation I would like to make is that if there was a publicly available exploit (which would now be well over 6 months old) we should be getting hundreds/thousands of reports regarding the hack. So either everyone is keeping very quiet about it, or, as suggested by @BennyBS, the users are just not reporting it. I love a good conspiracy theory - I am convinced that cPanel have been ordered by some three letter agency to keep quiet about it! :-p Hope this helps
Hey @rpvw, no conspiracy here! We treat this similarly to other compromises. File modification is not new to malware, and generally speaking none of it is something specific to cPanel itself. Usually compromises of this nature originate from one of the following sources:
- Weak or shared passwords, either obtained through legitimate or illegitimate means (disgruntled employee vs. phishing scam email)
- Vulnerable plugins/themes/components/etc. installed on your CMS (WordPress, Joomla!, etc.)
cPanel has never made it a point to become involved in managing either of these two issues directly, as they're not related to the software but the user. While we can ensure that our software has no mode of compromise that would allow this, we cannot control what others install. We have some documentation on maintaining security:
- Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation
- Recommended Security Settings Checklist - cPanel Knowledge Base - cPanel Documentation
Some things I would also recommend:
- Installing a malware scanner like ClamAV, Linux Malware Detect or Imunify360 (non-free) and running routine/regular scans.
- If you use ConfigServer Firewall, it also has a file/directory watch feature that will notify you when a file is added or modified.
- Ensure ALL CMS installations are up to date, along with their plugins/themes/components, and remove those that aren't being used.
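The two practical questions raised in this thread are where the forwarding list lives and how to notice when it changes without waiting for a user to report odd behaviour. The script below is an added example written for this page; it is not code from any poster or from cPanel. It assumes the cPanel layout in which each hosted domain has a file /etc/valiases/<domain> containing one "alias: destination[, destination]" line per address (wildcard and :fail: lines start with "*"). Rather than reading the live directory, it builds a constructed stand-in with a couple of planted external forwarders so it runs offline; point find_unexpected_forwarders at /etc/valiases and an allow-list of known external domains to audit a real server. A destination is flagged when its domain is neither hosted on this server (no matching file in the directory) nor in the allow-list, which is exactly the pattern both posters describe: a copy of every incoming message going to an address nobody recognises.

```sh
#!/bin/sh
# Added example (not from the thread or from cPanel): audit per-domain mail
# forwarders for destinations outside the domains this server hosts.
# ASSUMPTION: forwarders live in /etc/valiases/<domain>, one "alias: dest, dest"
# line each; a constructed directory stands in for it so the script runs offline.

# Build a constructed sample directory mimicking /etc/valiases and print its path.
# Two external forwarders are planted: one clearly hostile, one to a backup host.
build_sample_valiases() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '*: "|/usr/local/cpanel/bin/autorespond example.com"' \
        'sales@example.com: sales@example.com, attacker-mailbox@evil.example' \
        'info@example.com: bob@example.com' \
        > "$dir/example.com"
    printf '%s\n' \
        '*: :fail: No Such User Here' \
        'ceo@partner.example: ceo@partner.example, archive@backup.example' \
        > "$dir/partner.example"
    echo "$dir"
}

# Print "<alias> -> <destination>" for every forwarder destination whose domain
# is neither hosted here (a file named after it in $1) nor listed in the
# allow-list file $2 (one domain per line; /dev/null means "allow nothing").
find_unexpected_forwarders() {
    dir=$1; allow=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # drop wildcard/default lines and comments, then split alias from destinations
        grep -v '^\*' "$f" | grep -v '^#' | while IFS= read -r line; do
            src=${line%%:*}
            dests=${line#*:}
            # destinations are comma separated; whitespace around them is insignificant
            echo "$dests" | tr ',' '\n' | tr -d ' \t' | while IFS= read -r dest; do
                case "$dest" in
                    *@*) ;;          # only mailbox destinations; pipes and :fail: are skipped
                    *) continue ;;
                esac
                domain=${dest##*@}
                if [ -f "$dir/$domain" ]; then continue; fi        # hosted locally
                if grep -qxF "$domain" "$allow" 2>/dev/null; then continue; fi  # allow-listed
                echo "$src -> $dest"
            done
        done
    done
}

# Exit 0 when no unexpected forwarders exist, 1 otherwise, so a cron job can
# alert on a non-zero status.
audit_forwarders() {
    n=$(find_unexpected_forwarders "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Baseline dump in the spirit of a file-watch tool: store this output once and
# diff against it on each run to see exactly which forwarder lines changed.
dump_forwarders() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -v '^\*' "$f" | sed "s|^|$(basename "$f"):|"
    done | sort
}

# Stand-alone usage on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    d=$(build_sample_valiases)
    echo "Unexpected forwarders:"
    find_unexpected_forwarders "$d" /dev/null
    echo "Current baseline:"
    dump_forwarders "$d"
    rm -rf "$d"
fi
```

Run it with `sh audit_forwarders.sh --demo` to see the planted entries reported; in production, keep the allow-list under change control and treat any new line in the diff of dump_forwarders as an incident to confirm with the mailbox owner, since a forwarder the owner did not create is the symptom every poster here saw.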