Unauthorized email access to linked node via cphttpd
Dear Community,
We have a linked-node mail server and, for the second time this month, a client has had a security breach: someone is accessing webmail directly through the cphttpd service instead of through webmaild, as legitimate users do.
We have been actively monitoring; the passwords (very secure) have not been disclosed and there are no prior brute-force events, so we have no clue how the attackers gained access.
This can be seen in /usr/local/cpanel/logs/session_log. This is a legitimate access to webmail:
[2024-11-05 16:50:06 +0100] info [webmaild] 79.117.113.14 NEW facturacion@domain.tld:ltcaIz0bp_xaph7G address=79.117.X.X,app=webmaild,creator=domaintld,method=handle_form_login,path=loadsession:facturacion@domain.tld:N35qE5ATwzoy6LqE:CREATE_WEBMAIL_SESSION_FOR_MAIL_USER,possessed=0
And this is a fraudulent access:
[2024-11-05 14:09:36 +0100] info [cphttpd] 105.120.128.27 NEW facturacion@domain.tld:S4lntSdMBXiVk5gm address=105.120.128.27,app=webmaild,creator=facturacion@domain.tld,method=handle_form_login,path=form,possessed=0
Is the [cphttpd] and app=webmaild combination possible in normal cPanel operation? What does it mean?
Regards,
-
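As an added example (not code from the original post or from cPanel), the following parser splits session_log lines of the format quoted above into their fields (timestamp, service, connecting IP, event, session token, and the key=value list), so the two entry types can be compared side by side instead of by eye. It also includes a helper that lists cphttpd-originated webmail sessions whose connecting IP is not in an administrator-supplied set of known parent webserver addresses; which addresses belong in that set is an assumption the administrator must supply, and the sample lines below are constructed with documentation IP ranges, not the poster's data.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the session_log format quoted in the
# post. IPs, usernames and session tokens are placeholders, not real data.
SAMPLE_LOG = """\
[2024-11-05 16:50:06 +0100] info [webmaild] 203.0.113.10 NEW user@example.test:ltcaIz0bp_xaph7G address=203.0.113.10,app=webmaild,creator=exampletest,method=handle_form_login,path=loadsession:user@example.test:N35qE5ATwzoy6LqE:CREATE_WEBMAIL_SESSION_FOR_MAIL_USER,possessed=0
[2024-11-05 14:09:36 +0100] info [cphttpd] 198.51.100.5 NEW user@example.test:S4lntSdMBXiVk5gm address=198.51.100.5,app=webmaild,creator=user@example.test,method=handle_form_login,path=form,possessed=0
[2024-11-05 14:12:00 +0100] info [cphttpd] 192.0.2.77 NEW user@example.test:Qp2wR8tYuIoPaSdF address=192.0.2.77,app=webmaild,creator=user@example.test,method=handle_form_login,path=form,possessed=0
"""

# One session_log line: [timestamp] level [service] ip EVENT user:token k=v,k=v,...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\w+)\s+\[(?P<service>[^\]]+)\]\s+"
    r"(?P<ip>\S+)\s+(?P<event>\w+)\s+(?P<session>\S+)\s+(?P<kv>.*)$"
)


def parse_line(line):
    """Return a dict for one session_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The trailing key=value list is comma-separated; values (e.g. path=...)
    # may contain colons but not commas, so a plain split is safe here.
    fields = {}
    for pair in rec.pop("kv").split(","):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    rec["fields"] = fields
    # The session token is "mailbox:random"; keep the mailbox part separately.
    rec["user"] = rec["session"].split(":", 1)[0]
    return rec


def parse_log(text):
    """Parse every recognisable line of a session_log excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def new_webmail_sessions_by_service(records):
    """Group NEW webmail sessions by the service that created them.

    Each entry is (connecting ip, mailbox, creator, path), which is enough to
    see the difference the post describes: webmaild entries carry a
    loadsession path and an account creator, cphttpd entries carry path=form
    and the mailbox itself as creator.
    """
    grouped = defaultdict(list)
    for r in records:
        if r["event"] == "NEW" and r["fields"].get("app") == "webmaild":
            grouped[r["service"]].append(
                (r["ip"], r["user"], r["fields"].get("creator"), r["fields"].get("path"))
            )
    return dict(grouped)


def cphttpd_sessions_from_unexpected_hosts(records, parent_hosts):
    """cphttpd-created webmail sessions whose connecting IP is not a known parent.

    Assumption: on a linked mail node the parent webserver relays these logins,
    so the administrator knows which IP(s) it should come from. Anything else
    is worth a second look, not automatically an intrusion.
    """
    return [
        r for r in records
        if r["service"] == "cphttpd"
        and r["event"] == "NEW"
        and r["fields"].get("app") == "webmaild"
        and r["ip"] not in parent_hosts
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for service, sessions in new_webmail_sessions_by_service(recs).items():
        print(service, sessions)
    # Placeholder parent address; replace with the real parent server IP(s).
    for r in cphttpd_sessions_from_unexpected_hosts(recs, {"198.51.100.5"}):
        print("review:", r["ts"], r["ip"], r["user"])
```

Running the block on a real session_log (for example by reading the file instead of SAMPLE_LOG) gives a quick per-service breakdown; the unexpected-host helper only becomes meaningful once the parent webserver's address is known, which is exactly what the thread's conclusion says determines whether a cphttpd entry is normal.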
Hey there! I spoke with the team and we all thought it would be best if you made a ticket for this issue so we could examine both the webserver and the node system. Are you able to create that ticket?
0 -
Hi cPRex,
All my licenses are bought through your partner OVH. I think you removed the ability for us to create new tickets, haven't you? Maybe, as this could be a defect in your product, you would prefer to open a ticket anyway.
Thanks in advance,
0 -
Could you email cs@cpanel.net with "Attention: Rex" as part of the subject?
0 -
I saw that email come in and I have someone looking into that now.
0 -
I just wanted to follow up to say that our team determined this is normal activity on a server and what the connection logs should show when the system receives a connection from the parent webserver.
0 -
Hi cPRex,
I'm going to close the ticket, as this behaviour is expected depending on the URL used to access webmail, whether it's from the main server or directly to the linked mail node. We had a security event, but it seems not related to this.
Thanks for your support.
0 -
You're very welcome!
0