Undetected Email forwarder after Hack
Hi Guys,
After our system was partially compromised months ago, everything has been fixed, restored and patched, and passwords have been changed since then. We are all good now; however, one of my email accounts seems to have an email forwarder on it that I can't seem to shake.
For every mail that gets sent to this account, from within the domain or outside the domain, the sender gets an undelivered-mail message that states the following:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
replyoffice01@gmail.com
(generated from john='wentzil@netram.co.za'>@mydomain.com)
host gmail-smtp-in.l.google.com [108.177.126.27]
SMTP error from remote mail server after RCPT TO:='replyoffice01@gmail.com'>:
550-5.2.1 The email account that you tried to reach is disabled. Learn more at
550 5.2.1 b13si934709edw.337 - gsmtp
To avoid confusion: the intended recipient is john@mydomain.
replyoffice01@gmail.com is the recipient of some kind of auto-forwarder attached to john@mydomain's account.
So it looks like during the hack, they tried to attach a forwarder to the email account to intercept communications, but then the account got disabled by Google for malicious activity. So every time someone emails john, it forwards the email to a disabled Gmail account and Google sends an error message to the person who sent john the mail.
I have looked everywhere for where the forwarder is attached and I cannot find it anywhere. I've looked in Forwarders and Filters for the account in cPanel, and I've searched that user's email client. There is obviously somewhere I haven't looked in WHM. Can someone please point me in the right direction?
Thanks guys.
Hey there! You may want to check /etc/valiases and /etc/vfilters to see if something is lingering there that may not be showing up in the cPanel interface. Was this a root-level hack or just a single account that was compromised?
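As an added illustration of the check suggested above (this is not cPRex's or cPanel's code), the script below walks the two per-domain files that cPanel writes for Exim, /etc/valiases/<domain> and /etc/vfilters/<domain>, and reports any alias target or filter "deliver" rule that points at a mailbox outside the local domain. It assumes the usual layout of those files (one "address: target, target" line per alias; Exim filter syntax with "deliver" or "unseen deliver" lines) and builds a constructed copy of them under a temporary root so it runs offline; on a real server you would call find_external_forwards with / as the root.

```shell
#!/bin/sh
# Added example: find mail forwards to external addresses in cPanel's
# per-domain alias (/etc/valiases) and Exim filter (/etc/vfilters) files.
# The fixture created by make_demo_tree is constructed for this demo.

# Print "<file>: <line>" for every alias or filter rule that delivers mail
# to an address whose domain part is not ours.
#   $1 = root that contains etc/valiases and etc/vfilters ("/" on a live box)
#   $2 = local domain, e.g. mydomain.com
find_external_forwards() {
    root=$1
    domain=$2
    aliases="$root/etc/valiases/$domain"
    filters="$root/etc/vfilters/$domain"

    # valiases lines look like "localpart@domain: target1, target2".
    # Pipes ("|/path") and ":fail:" targets carry no "@" and are skipped.
    if [ -f "$aliases" ]; then
        awk -v dom="$domain" -v f="$aliases" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            {
                targets = $0
                sub(/^[^:]*:[ \t]*/, "", targets)        # drop "alias:" prefix
                n = split(targets, t, "[ \t,]+")
                for (i = 1; i <= n; i++) {
                    gsub(/"/, "", t[i])
                    if (split(t[i], p, "@") == 2 && p[2] != dom) {
                        print f ": " $0
                        break                               # one report per line
                    }
                }
            }' "$aliases"
    fi

    # vfilters is an Exim filter; the target is the last word of a
    # "deliver" / "unseen deliver" line, usually quoted.
    if [ -f "$filters" ]; then
        awk -v dom="$domain" -v f="$filters" '
            /^[ \t]*(unseen[ \t]+)?deliver[ \t]+/ {
                addr = $NF
                gsub(/"/, "", addr)
                if (split(addr, p, "@") == 2 && p[2] != dom)
                    print f ": " $0
            }' "$filters"
    fi
}

# Constructed fixture mirroring the thread's symptom: john@mydomain.com
# carries a hidden forward to replyoffice01@gmail.com in both files.
make_demo_tree() {
    d=$1
    mkdir -p "$d/etc/valiases" "$d/etc/vfilters"
    cat > "$d/etc/valiases/mydomain.com" <<'EOF'
# constructed sample alias file
sales@mydomain.com: john@mydomain.com
john@mydomain.com: john@mydomain.com, replyoffice01@gmail.com
*: :fail: No such user here
EOF
    cat > "$d/etc/vfilters/mydomain.com" <<'EOF'
# Exim filter
if $header_to: contains "john@mydomain.com"
then
  unseen deliver "replyoffice01@gmail.com"
endif
EOF
}

# Run "sh script.sh --demo" to see the two offending lines; on a server use
# find_external_forwards / yourdomain.tld instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    find_external_forwards "$tmp" mydomain.com
    rm -rf "$tmp"
fi
```

Only the two lines that send mail off-domain are reported: the alias line for john@mydomain.com and the "unseen deliver" rule in the filter. The "unseen" keyword is the part that makes such a forward invisible to the account holder, since the original copy is still delivered to the local mailbox while a second copy leaves the server.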
Hey cPRex, thank you for the reply. Alright, I'll check that out to see if I can find anything in there. It was a single-account file system hack due to a vulnerability in the webstore we had on there. Could it be possible to run a script that injects the forwarder, if I can't find anything in those directories? Any other suggestions for places to look? Regards,
Since the account was compromised, almost anything is possible, unfortunately. If you aren't able to track that down, and you have root access to the system, you could always put in a ticket with our support team so we can take a look directly on the server. If you decide to do that, just post the ticket number here so we can update this thread with our findings, as that might help someone else out in the future.