Forwarders are being added automatically
Hello,
This is the second time that a forwarder has been added automatically. I deleted it before, but now the same email address has again been added in Forwarders against the same ID.
Can I trace who is doing this and get logs for the customer to satisfy them?
Here are some details you may want to know.
Default PHP Version (.php files): 5
PHP 5 Handler: Suphp
PHP 5 Handler: On
Apache Ruid2: Of
PHP version: 5.5 with Apache 2.2 (I recently updated the PHP version and rebuilt Apache). Is this the cause of the security breach? One more thing: the last time this happened, I asked the customer to change all their passwords (cPanel, FTP, etc.).
Thanks.
Hello,
You can check the mail forwarder logs using the command below.
cat /usr/local/cpanel/logs/access_log | grep forwardersemail | grep Domainname
(Domainname is the email account's domain.)
The above command will show the logs as well as the IPs that added the forwarders.
Hello,
Thanks for your prompt reply. I could not get your point (domain name is email account's domain). Which email account's domain? The one that is being added in forwarders against my email account, or my own domain name?
Thanks.
Hello,
I assume my own domain name. Executed command:
cat /usr/local/cpanel/logs/access_log | grep forwardersemail | grep mydomainname
MyIp XX:XX:XX:XX - mydomainname [06/21/2016:07:19:34 -0000] "GET /cpsess5786943873/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22userfiltering%22%3A2%2C%22spamassassin%22%3A6%2C%22maillist%22%3A3%2C%22forwardersemail%22%3A49%2C%22manageaccounts%22%3A81%2C%22nettools%22%3A1%2C%22defaultemailacct%22%3A3%2C%22webemail%22%3A4%2C%22password%22%3A5%2C%22responder%22%3A3%2C%22rawaccesslogs%22%3A3%2C%22ftpaccounts%22%3A3%2C%22latestvisitors%22%3A1%2C%22errorlogs%22%3A1%2C%22chooselog%22%3A1%2C%22csvimport%22%3A1%2C%22emailmx%22%3A1%7D&__nvdata%3A%3Anocache=1 HTTP/1.1" 200 0 "https://MyServerIp:2083/cpsess5786943873/frontend/x3/mail/fwds.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31" "s" "-" 2083
182.185.144.189 - wingch [06/21/2016:07:19:53 -0000] "GET /cpsess5786943873/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22userfiltering%22%3A2%2C%22spamassassin%22%3A6%2C%22maillist%22%3A3%2C%22forwardersemail%22%3A49%2C%22manageaccounts%22%3A82%2C%22nettools%22%3A1%2C%22defaultemailacct%22%3A3%2C%22webemail%22%3A4%2C%22password%22%3A5%2C%22responder%22%3A3%2C%22rawaccesslogs%22%3A3%2C%22ftpaccounts%22%3A3%2C%22latestvisitors%22%3A1%2C%22errorlogs%22%3A1%2C%22chooselog%22%3A1%2C%22csvimport%22%3A1%2C%22emailmx%22%3A1%7D&__nvdata%3A%3Anocache=1 HTTP/1.1" 200 0 "https://MyServerIp:2083/cpsess5786943873/frontend/x3/mail/pops.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31" "s" "-" 2083
MyIp - wingch [06/21/2016:08:37:16 -0000] "GET /cpsess0108396155/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22userfiltering%22%3A2%2C%22spamassassin%22%3A6%2C%22maillist%22%3A3%2C%22forwardersemail%22%3A50%2C%22manageaccounts%22%3A82%2C%22nettools%22%3A1%2C%22defaultemailacct%22%3A3%2C%22webemail%22%3A4%2C%22password%22%3A5%2C%22responder%22%3A3%2C%22rawaccesslogs%22%3A3%2C%22ftpaccounts%22%3A3%2C%22latestvisitors%22%3A1%2C%22errorlogs%22%3A1%2C%22chooselog%22%3A1%2C%22csvimport%22%3A1%2C%22emailmx%22%3A1%7D&__nvdata%3A%3Anocache=1 HTTP/1.1" 200 0 "https://192.99.160.37:2083/cpsess0108396155/frontend/x3/mail/fwds.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31" "s" "-" 2083
119.152.48.159 - zeeshan%example.com.pk [06/21/2016:09:31:57 -0000] "GET /cPanel_magic_revision_1366622830/webmail/x3/branding/forwardersemail.gif HTTP/1.1" 200 0 "http://mydomainname:2095/cpsess5089267706/webmail/x3/index.html?login=1&post_login=96073936429732" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "s" "-" 2095
Results are pretty strange, because this command shows my own machine's IP, from where I am raising this question. However, the customer observed the forwarders added a couple of days ago. Any suggestions, please?
Thanks.
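One way to triage what that grep returns, added here as an example and not part of the thread or of cPanel's own tooling: it parses access_log lines in the layout posted above, reports which part of each request contained the keyword, and lists the client IPs seen per cpsess session token. The sample lines, users, hosts, tokens and IPs are constructed, and the field layout is assumed from the lines in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in the layout shown in the thread; hosts, users,
# session tokens and IPs (documentation ranges) are made up.
SAMPLE = [
    '203.0.113.10 - exampleuser [06/21/2016:07:19:34 -0000] "GET /cpsess1111111111/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&names=icFAA&icFAA=%7B%22forwardersemail%22%3A49%7D HTTP/1.1" 200 0 "https://host.example:2083/cpsess1111111111/frontend/x3/mail/fwds.html" "Mozilla/5.0" "s" "-" 2083',
    '198.51.100.7 - exampleuser [06/21/2016:07:19:53 -0000] "GET /cpsess1111111111/json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&names=icFAA&icFAA=%7B%22forwardersemail%22%3A49%7D HTTP/1.1" 200 0 "https://host.example:2083/cpsess1111111111/frontend/x3/mail/pops.html" "Mozilla/5.0" "s" "-" 2083',
    '192.0.2.44 - user%example.com [06/21/2016:09:31:57 -0000] "GET /cPanel_magic_revision_1366622830/webmail/x3/branding/forwardersemail.gif HTTP/1.1" 200 0 "http://host.example:2095/cpsess2222222222/webmail/x3/index.html" "Mozilla/5.0" "s" "-" 2095',
]

# ip - user [timestamp] "METHOD target PROTO" status bytes "referer" ... port
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" .* (?P<port>\d+)$')
SESSION_RE = re.compile(r'/(cpsess\d+)/')

def parse(line, keyword="forwardersemail"):
    """Return a dict for one log line, or None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    qs = parse_qs(url.query)
    if "cpanel_jsonapi_module" in qs:
        rec["kind"] = "api:%s::%s" % (qs["cpanel_jsonapi_module"][0],
                                       qs.get("cpanel_jsonapi_func", ["?"])[0])
    elif url.path.rsplit(".", 1)[-1] in ("gif", "png", "css", "js"):
        rec["kind"] = "static"
    else:
        rec["kind"] = "page"
    # Which part of the request made grep match the keyword.
    rec["hit_in"] = ("path" if keyword in url.path else
                     "query" if keyword in unquote(url.query) else "other")
    s = SESSION_RE.search(rec["target"]) or SESSION_RE.search(rec["referer"])
    rec["session"] = s.group(1) if s else None
    return rec

def ips_per_session(lines):
    """Map each cpsess token to the set of client IPs that used it."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["session"]:
            seen[rec["session"]].add(rec["ip"])
    return dict(seen)

if __name__ == "__main__":
    for rec in filter(None, map(parse, SAMPLE)):
        print(rec["ts"], rec["ip"], rec["user"], rec["kind"], rec["hit_in"], rec["session"])
    print(ips_per_session(SAMPLE))
```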
Hello, Have you installed any third-party applications that interact with the mail server (e.g. Antivirus, Spam Prevention)? Thank you.
Hello, No, I have not installed anything. Thank you.
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
Hello, Ticket raised: 7584795
To update, there were not sufficient logs to determine the cause of the issue. The user was advised to leave the forwarder in place should the issue reoccur to allow for additional troubleshooting. Thank you.
Hello, Okay, I will let you know if it happens again. Thank you.