Suspicious Activity Errors
I have been facing a issue where an IP penetrated to one of our cpanel & webmail account. This have been going on for every now and then, we have to change our cpanel and webmail passwords and scan for any viruses on our servers, but this culprit keeps on getting back to us.
What should i do? Thanks
[root@host valiases]# echo -e '\e[38;5;82m ###############Listing suspicious sessions created on 2019-03-11 for xyz account - Cpanel Session log: \033[0m'; cat /usr/local/cpanel/logs/session_log | grep NEW --color=always | grep 2019-03-11 --color=always | grep xyz --color=always;
###############Listing suspicious sessions created on 2019-03-11 for xyz account - Cpanel Session log:
[2019-03-11 02:49:02 +0500] info [webmaild] 41.203.xxx.xxx NEW imports@xyz.com:6jiUOqbsdKXbItR_qo address=41.203.xxx.xxx,app=webmaild,creator=imports@xyz.com,method=handle_form_login,path=form,possessed=0
[root@host valiases]# echo -e '\e[38;5;82m ###############Traces of adding forwarders to the email account - Cpanel Access log: \033[0m'; grep 'doaddfwd.html' /usr/local/cpanel/logs/access_log | grep '03/10/2019' --color=always; echo ''; echo ''; echo '';
###############Traces of adding forwarders to the email account - Cpanel Access log:
41.203.xxx.xxx - imports%xyz.com [03/10/2019:21:30:43 -0000] "POST /cpsess0524813434/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "https://xyz.com:2096/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "s" "-" 2096
apache2/error_log:[Mon Mar 11 02:54:53.114482 2019] [cgi:error] [pid 31267] [client 41.203.72.162:13553] AH01215: Use of uninitialized value $ENV{"HTTPS"} in string eq at /usr/local/cpanel/Cpanel/Redirect.pm line 97.: /usr/local/cpanel/cgi-sys/wredirect.cgiWhat should i do? Thanks
-
Hello @Talha Zahid What have you used to scan and what steps exactly have you taken already? It sounds like at this point you'd need to contact your provider or a system administrator to fully investigate/identify the source of the compromise. If you don't have a system administrator you might find one here: System Administration Services | cPanel Forums Thanks! 0 -
I have added the IP address to csf & cphulk block list, removed the forwarder and scanned the compromised account using maldet but found nothing suspicious in the result. What steps do you suggest. 0 -
Hello @Talha Zahid Are you running any CMS software such as WordPress on the account? Unfortunately, while you may have removed the malware it could still be re-added if you're continuing to use a vulnerable theme/plugin associated with the CMS software. It may be best to discuss this with your system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums Thanks! 0 -
Hello @cPanelLauren yes client is using CMS on their hosting account and i am pretty sure that the intrusion did not took place as per access logs. We did discussed it with our system administrator and as per their suspection the hacker has used the password for logging into the account. And for the reference they are pointing us to the following log. 41.203.xx.xx - Accounts%40xyz.com [03/10/2019:21:32:24 -0000] "POST /cpsess05248344/3rdparty/roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 0 "https://xyz.com:2096/cpsess05248344/3rdparty/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "s" "-" 2096
I'm not sure if the above log suggest that the hacked authenticated the system. Besides what's making me abit upset is the error log which i posted earlier, could it be the point of entry into the cpanel - wredirect.cgi?apache2/error_log:[Mon Mar 11 02:54:53.114482 2019] [cgi:error] [pid 31267] [clien 13553] AH01215: Use of uninitialized value $ENV{"HTTPS"} in string eq at /usr/local/cpanel/Cpanel/Redirect.pm line 97.: /usr/local/cpanel/cgi-sys/wredirect.cgi0 -
At this point as it's difficult to tell you specifically what's happening without the full picture, can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks! 0
Please sign in to leave a comment.
Comments
5 comments