Webmail Access Cross Logs and Sessions
I recently had a user, let's call him "user1", who complained that their Trash folder was empty before a certain date. They claim they did not purge the folder. Upon searching the access_logs I came across the following entry:
111.111.111.111 proxy user1%40domain.com [12/15/2023:13:07:56 -0000] "POST /cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_action=purge HTTP/1.1" 308 0 "https://webmail.domain.com/cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_mbox=INBOX.Trash" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" "s" "X-Forwarded-For: 111.111.111.111" 443
So I immediately thought user1 had purged the Trash bin on 12/15; however, they have not been to the office location 111.111.111.111 in "years" (their permanent office location is 222.222.222.222), so I continued to dig through the logs.
When digging into more detail, it appears that there may be some cross-logging issues. See how user1 appears to jump between originating IPs and sessions?
222.222.222.222 proxy user1%40domain.com [12/15/2023:13:07:51 -0000] "GET /cpsess7688534165/3rdparty/roundcube/index.php?_task=mail&_action=pagenav&_uid=169996&_mbox=INBOX&_remote=1&_unlock=loading1702645675314&_=1702645675282 HTTP/1.1" 200 0 "https://webmail.domain.com/cpsess7688534165/3rdparty/roundcube/index.php?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=169996&_mbox=INBOX&_action=show" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "s" "X-Forwarded-For: 222.222.222.222" 443
222.222.222.222 proxy user1%40domain.com [12/15/2023:13:07:56 -0000] "GET /cpsess7688534165/3rdparty/roundcube/index.php?_task=mail&_action=getunread&_remote=1&_unlock=0&_=1702645675283 HTTP/1.1" 200 0 "https://webmail.domain.com/cpsess7688534165/3rdparty/roundcube/index.php?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=169996&_mbox=INBOX&_action=show" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "s" "X-Forwarded-For: 222.222.222.222" 443
111.111.111.111 proxy user1%40domain.com [12/15/2023:13:07:56 -0000] "POST /cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_action=purge HTTP/1.1" 308 0 "https://webmail.domain.com/cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_mbox=INBOX.Trash" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" "s" "X-Forwarded-For: 111.111.111.111" 443
111.111.111.111 proxy user2%40domain.com [12/15/2023:13:07:59 -0000] "POST /cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_action=purge HTTP/1.1" 200 0 "https://webmail.domain.com/cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_mbox=INBOX.Trash" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" "s" "X-Forwarded-For: 111.111.111.111" 443
It also appears that they seem to have duplicate access_log entries with multiple IPs when using Webmail. Please tell me user2 was not able to purge user1's Trash.
222.222.222.222 proxy user1%40domain.com [01/05/2024:19:26:49 -0000] "GET /cpsess0215522480/3rdparty/roundcube/index.php?_task=mail&_action=getunread&_remote=1&_unlock=0&_=1704482809661 HTTP/1.1" 200 0 "https://webmail.domain.com/cpsess0215522480/3rdparty/roundcube/index.php?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=171842&_mbox=INBOX&_action=show" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "s" "X-Forwarded-For: 222.222.222.222" 443
111.111.111.111 proxy user1%40domain.com [01/05/2024:19:26:49 -0000] "POST /cpsess1242665924/3rdparty/roundcube/index.php?_task=mail&_action=refresh HTTP/1.1" 308 0 "https://webmail.domain.com/cpsess1242665924/3rdparty/roundcube/index.php?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "s" "X-Forwarded-For: 111.111.111.111" 443
The above code snippet repeats periodically for this user where there are two entries at exactly the same times from the two IPs.
Anyone have any insight into why a user would be logged from a completely different location (IP) at the same time while using webmail? Both 111.111.111.111 and 222.222.222.222 are company office locations.
If this is not a reliable way to verify if/when they purged the Trash, how can I?
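To make the correlation asked for here concrete, an added example that is not part of the original post or of cPanel's own tooling: a small parser for the access_log layout shown above that lists every purge request and flags any cpsess token seen with more than one user or client IP, which is also the check behind the later question about two purge entries sharing a session ID. The field names are assumptions and the sample lines are constructed in the post's layout with the referer and User-Agent shortened.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field layout of the post's access_log lines:
# ip proxy user [ts] "METHOD path proto" status bytes "referer" "ua" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')
SESS_RE = re.compile(r'/cpsess(\d+)/')
ACTION_RE = re.compile(r'[?&]_action=(\w+)')

def parse_line(line):
    """Return the fields needed for correlation, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sess, act = SESS_RE.search(m['path']), ACTION_RE.search(m['path'])
    return {'ip': m['ip'], 'user': unquote(m['user']),  # user1%40domain.com -> user1@domain.com
            'ts': m['ts'], 'method': m['method'], 'status': int(m['status']),
            'session': sess.group(1) if sess else None,
            'action': act.group(1) if act else None, 'ua': m['ua']}

def find_purges(lines):
    """All POST _action=purge requests in log order (a 308 is only a redirect; the 200 is the one that ran)."""
    return [e for e in map(parse_line, lines)
            if e and e['method'] == 'POST' and e['action'] == 'purge']

def session_conflicts(lines):
    """cpsess tokens seen with more than one user or more than one client IP: the cross-logging the post asks about."""
    seen = defaultdict(lambda: {'users': set(), 'ips': set(), 'uas': set()})
    for e in filter(None, map(parse_line, lines)):
        if e['session']:
            seen[e['session']]['users'].add(e['user'])
            seen[e['session']]['ips'].add(e['ip'])
            seen[e['session']]['uas'].add(e['ua'])
    return {s: v for s, v in seen.items() if len(v['users']) > 1 or len(v['ips']) > 1}

# Constructed sample in the post's layout (referer and UA shortened; IPs, users, sessions,
# timestamps, actions and status codes as in the post).
SAMPLE = [
    '222.222.222.222 proxy user1%40domain.com [12/15/2023:13:07:56 -0000] "GET /cpsess7688534165/3rdparty/roundcube/index.php?_task=mail&_action=getunread HTTP/1.1" 200 0 "https://webmail.domain.com/" "Chrome/120" "s" "X-Forwarded-For: 222.222.222.222" 443',
    '111.111.111.111 proxy user1%40domain.com [12/15/2023:13:07:56 -0000] "POST /cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_action=purge HTTP/1.1" 308 0 "https://webmail.domain.com/" "Chrome/109" "s" "X-Forwarded-For: 111.111.111.111" 443',
    '111.111.111.111 proxy user2%40domain.com [12/15/2023:13:07:59 -0000] "POST /cpsess9561702742/3rdparty/roundcube/index.php?_task=mail&_action=purge HTTP/1.1" 200 0 "https://webmail.domain.com/" "Chrome/109" "s" "X-Forwarded-For: 111.111.111.111" 443',
]

if __name__ == '__main__':
    for p in find_purges(SAMPLE):
        print(p['ts'], p['user'], p['ip'], 'cpsess' + p['session'], p['status'])
    print(session_conflicts(SAMPLE))
```

On the sample, the purge that returned 200 is attributed to user2 inside the same cpsess token user1's 308 used, so the session token, not just the username column, is what to pivot on when walking the real log.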
-
Hey there! Could this be a VPN connection or something else in the office network? Other than that, I don't have a good explanation as to why the IP address would be changing.
0 -
No VPN, my first thought as well. The only commonality is that there are users from within the same cPanel account using webmail from both locations.
0 -
I'm really not sure - I wouldn't expect the user's IP address to randomly change, but that log is accurate to what is happening on the system. You're always welcome to submit a ticket to either your host or us, depending on who the license is purchased through, for a second look at the system.
0 -
Licensing does not allow; wish that was not the case.
Newfold Digital, Inc
0 -
You can always talk to your host and then they can escalate to us as necessary.
0 -
I'll try but they're pretty useless.
0 -
Any suggestions on how to better prove if/when trash was emptied?
0 -
Not really - those logs definitely show that a purge happened by *someone* but we're just confused as to who that someone was.
0 -
Would there be any further indicator before or after of a purge event that I might tie to one or the other?
Any idea why there are two purge entries with the same session ID and different users?
0 -
Without seeing the system at this point, I'd really just be guessing, but that log is the best indicator.
0 -
Newfold Digital (HostGator) ticket reference number is S-2501409. It should be escalated to cPanel shortly. Any assistance you can provide would be great.
0 -
I don't have a way to correlate that ticket number with anything on my end, but we'll reply to it as fast as we can!
0 -
Hey cPRex, cPanel support has responded. Is there any way to tie you to the ticket and continue with you?
All I have is the PrivateBin of the response from "Linux Technical Analyst II" from this past weekend. This is going to be painfully slow if I wait for HostGator as they do not notify me when there is a response to the ticket. Thanks in advance for anything you can do...
0 -
Is the ticket through us directly or through HostGator? I can look on my end if it's through us, but I don't have any control over HostGator.
0 -
According to HostGator it has been escalated to cPanel, however I do not have a cPanel ticket number:
I have escalated this issue to cPanel, as requested, and provided them the link to your forum post and the unredacted log information that you sent us, along with providing them access to your server to look into this further.
0 -
Unfortunately there isn't anything I can do on my end for that - you'll have to work through HostGator to get more details on that ticket.
0