Skip to main content

Domain contact information changed, not by me

Comments

5 comments

  • cPanelLauren
    That would have had to have been changed manually either by API, UI or through CLI if the address is not one you recognize your provider could look through the access logs for a POST request that resembles the following: - $USER [07/03/2018:15:48:37 -0000] "POST /cpsessXXXXXXXX/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://server.example.come:2083/cpsess0719631041/frontend/paper_lantern/contact/saveemail.html?email=user%40gmail.com&second_email=teest%40test.com&pushbullet_access_token=&notify_contact_address_change=1&notify_contact_address_change_notification_disabled=1&notify_disk_limit=1&notify_autossl_expiry=1&notify_autossl_expiry_coverage=1&notify_autossl_renewal_coverage=1&notify_autossl_renewal_coverage_reduced=1&notify_autossl_renewal_uncovered_domains=1&notify_ssl_expiry=1&notify_password_change=1&notify_password_change_notification_disabled=1&notify_account_authn_link=1&notify_account_authn_link_notification_disabled=1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" "s" "-" 2083
    specifically this portion: saveemail.html?email=user%40gmail.com
    0
  • theDaveB
    Hi, Thanks for that. They have said they found this - wwwliverpoolstud [06/30/2018:00:29:27 -0000] "POST /cpsess9695886817/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://domainname.co.uk:2083/cpsess9695886817/frontend/paper_lantern/contact/saveemail.html?email=cvv.vbv3%40gmail.com&second_email=cvv.vbv3%40gmail.com&pushbullet_access_token=cvv.vbv3%40gmail.com&notify_contact_address_change=1&notify_contact_address_change_notification_disabled=1&notify_disk_limit=1&notify_ssl_expiry=1&notify_password_change=1&notify_password_change_notification_disabled=1&notify_account_authn_link=1&notify_account_authn_link_notification_disabled=1&notify_twofactorauth_change=1&notify_twofactorauth_change_notification_disabled=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" "s" "-" 2083
    Dave
    0
  • cPanelLauren
    Hello, This indicates that someone from the IP address noted, using the account wwwliverpoolstud accessed cPanel and modified the contact information.
    0
  • theDaveB
    Hi, This has happened again to the same domain, this time the email used is - Removed - I reset the cPanel password to a random password and haven't logged in using that password. So no idea how they are getting in. Time I moved host I think. Thanks, Dave
    0
  • cPanelLauren
    Hi @theDaveB You may also want to scan the site with a malware scanner as well as inspect all Plugins/Themes/etc. if it's built on a CMS platform. I have seen recently where a compromised theme leads to a CronJob created which updates the contact information. If you don't have root access to the server you might ask your provider to do this for you. Thanks!
    0

Please sign in to leave a comment.