Skip to main content

Automatically created email forwarders?

Comments

10 comments

  • cPanelMichael
    Hello, Do you have root access to this system? If so, you can review /usr/local/cpanel/logs/access_log to see if those forwarders were setup through cPanel, and if so, the IP address that created them. Thank you.
    0
  • abusam
    Hello ..
    /usr/local/cpanel/logs/access_log

    There I could see some lines like: "GET /cpsess7397808332/frontend/paper_lantern/mail/dodelfwdconfirm.html?domain=&email=s But I think it's common .. If forwarder is created what what will come in logs ?
    0
  • Infopro
    Create one and then check your log again. Be sure to remove it as well. Then look to find your IP in the log.
    0
  • abusam
    Create one and then check your log again. Be sure to remove it as well. Then look to find your IP in the log.

    I had already tried it. But in the log it's not showing the email IDs added in forwarders.
    0
  • abusam
    Hello .. I had traced it from the logs:-
    185.x.x.30 proxy jay40domain.com [07/14/2017:07:07:11 -0000] "POST /cpsess1534674095/webmail/paper_lantern/mail/doaddfwd.html HTTP/1.1" 200 0 "
    It means outside IP which accessed is 185.x.x.30, then what's this term 'proxy' ? Also I think forwarding has done via webmail URL, howz it happening because these forwarder entries were created for many other users and from other unknown IPs. thanks, Navas
    0
  • cPanelMichael
    Hello, The "proxy" entry simply means the URL was accessed via a proxy subdomain (e.g. webmail.domain.tld). Keep in mind that individual email account users can create forwarders via the webmail interface. In addition to changing the cPanel passwords, ensure to change the individual email account passwords or verify the individual email account users are not authenticating from an exploited workstation. Thank you.
    0
  • abusam
    Hello .. We have changed cpanel/WHM and affected email passwords .. Still happened again .. one more forwarder is created, we traced IPs all from EU region .. we are using paper_lantern as theme. all injections we happened via webmail .. Still do not know hows it getting email passwords ?
    0
  • rpvw
    If you are 100% certain the server is not compromised, have you checked the computer or device you are using to change the email account passwords for exploits or malware, eg keylogger ?
    0
  • abusam
    If you are 100% certain the server is not compromised, have you checked the computer or device you are using to change the email account passwords for exploits or malware, eg keylogger ?

    Hello ,, The reason I am saying the server is not compromised because, as per the logs we could see web mail URL is being accessed many times from outside from unknown IPs and logged in with correct credentials.
    0
  • cPanelMichael
    The reason I am saying the server is not compromised because, as per the logs we could see web mail URL is being accessed many times from outside from unknown IPs and logged in with correct credentials.

    Have you verified the workstations/local computers of the customers accessing Webmail/POP3/IMAP for those email accounts are not compromised? If they were compromised, then that would explain how the email passwords were obtained and used to setup the forwarders. Thank you.
    0

Please sign in to leave a comment.