Understanding the cPanel and Webmail access logs
I am trying to understand the logs of access to webmail / cPanel, in which two users of the same domain are involved.
One, called "suspect@domain.com", and another one, "victim@domain.com".
From the logs I think I see that the user "suspect" is logged in and switches to the user "victim", and that is why it is seen in the lines before the timestamp, although in the GET it is seen logging in with the user "victim".
Is my appreciation correct?
Appreciate some help.
83.49.136.222 - suspect%40domain.com [07/19/2018:19:55:42 -0000] "GET /cpsess9045753692/webmail/paper_lantern/index.html?mailclient=roundcube HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess9045753692/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - suspect%40domain.com [07/19/2018:20:05:42 -0000] "GET /cpsess7597418467/login/?session=ak@domain.com:JYmFOGrDmsIWAWo9,e0eff3f3f08252290669a86d2ed6f7e1 HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:58 -0000] "GET /cpsess7597418467/login/?session=ak@domain.com:JYmFOGrDmsIWAWo9,e0eff3f3f08252290669a86d2ed6f7e1 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "-" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:58 -0000] "GET /cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "GET /cPanel_magic_revision_1531798542/webmail/paper_lantern/_assets/css/master-legacy-ltr.cmb.min.css HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "POST /cpsess4915604468/execute/Email/list_pops_with_disk HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:05:59 -0000] "GET /cpsess4915604468/webmail/paper_lantern/index.html?mailclient=roundcube HTTP/1.1" 200 0 "https://www.domain.com:2096/cpsess4915604468/webmail/paper_lantern/index.html?login=1&post_login=27473858445326" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - victim%40domain.com [07/19/2018:20:14:05 -0000] "GET /cpsess7597418467/login/?session=export@domain.com:Gim1lqTzE7jCSGDu,23ad4e148c07fd498d295f20c3253ba4 HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "s" "-" 2096
83.49.136.222 - suspect%40domain.com [07/19/2018:20:14:41 -0000] "GET /cpsess7597418467/login/?session=export@domain.com:Gim1lqTzE7jCSGDu,23ad4e148c07fd498d295f20c3253ba4 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" "-" "-" 2096
Hi, Is my appreciation correct?
Yes, that seems to be correct.
Hello @speckados, The log output suggests the IP address is logged in via cPanel and is using the "Access Webmail" action in cPanel >> Email Accounts to access webmail for the different email accounts. Thank you.
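Added example, not from this thread: a small Python parser for the access-log layout shown in the question that groups the /login/?session= requests by client IP and session value and reports where one session value is requested under two different authenticated users, which is the "Access Webmail" switch the reply describes. The log lines it runs on are constructed, shortened versions of the question's pattern (documentation IP, abbreviated user agent); the field names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field layout of the access-log lines in the question:
# IP - user [timestamp] "request" status bytes "referer" "user-agent" "x" "y" port
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "[^"]*" "[^"]*" (?P<port>\d+)$')
SESSION_RE = re.compile(r'/login/\?session=(\S+)')

# Constructed sample lines (documentation IP, abbreviated user agent) following the question's pattern.
SAMPLE_LOG = [
    '203.0.113.5 - suspect%40domain.com [07/19/2018:20:05:42 -0000] "GET /cpsess111/login/?session=ak@domain.com:TOKENA,aaaa HTTP/1.1" 308 0 "-" "UA" "s" "-" 2096',
    '203.0.113.5 - victim%40domain.com [07/19/2018:20:05:58 -0000] "GET /cpsess111/login/?session=ak@domain.com:TOKENA,aaaa HTTP/1.1" 302 0 "-" "UA" "-" "-" 2096',
    '203.0.113.5 - victim%40domain.com [07/19/2018:20:05:59 -0000] "GET /cpsess222/webmail/paper_lantern/index.html?login=1 HTTP/1.1" 200 0 "-" "UA" "s" "-" 2096',
    '203.0.113.5 - victim%40domain.com [07/19/2018:20:14:05 -0000] "GET /cpsess111/login/?session=export@domain.com:TOKENB,bbbb HTTP/1.1" 308 0 "-" "UA" "s" "-" 2096',
    '203.0.113.5 - suspect%40domain.com [07/19/2018:20:14:41 -0000] "GET /cpsess111/login/?session=export@domain.com:TOKENB,bbbb HTTP/1.1" 302 0 "-" "UA" "-" "-" 2096',
]

def parse_line(line):
    """Fields of one log line as a dict, or None if the line is not in this format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = unquote(rec["user"])  # suspect%40domain.com -> suspect@domain.com
    return rec

def find_session_handoffs(lines):
    """Group /login/?session= requests by (client IP, session value); a value requested
    first under one authenticated user (308) and then under another (302) is the switch."""
    by_session = defaultdict(list)  # (ip, session) -> [(timestamp, user, status)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = SESSION_RE.search(rec["path"])
        if m:
            by_session[(rec["ip"], m.group(1))].append((rec["ts"], rec["user"], rec["status"]))
    handoffs = []
    for (ip, session), hits in by_session.items():
        users = list(dict.fromkeys(user for _, user, _ in hits))  # distinct, in order seen
        if len(users) > 1:
            handoffs.append({"ip": ip, "session": session, "users": users,
                             "first_ts": hits[0][0], "last_ts": hits[-1][0]})
    return handoffs
```

Run over a real cpanel/webmail access log, each reported entry gives the IP, the session value, and the ordered list of accounts that session was used under, which is the evidence for the account switch the reply points to.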