Hacking Into Webmail?

[marlene]

I downloaded my log thus far for December and noted again that someone at the IP address of:

 

99.129.232.64

OrgName: AT&T Internet Services

OrgID: SIS-80

Address: 2701 N. Central Expwy # 2205.15

City: Richardson

StateProv: TX

PostalCode: 75080

Country: US

 

has been trying to get into the webmail of my employer's website in a manner that serves a 404 error. The attempt is made every day and yesterday there were 10 attempts within four minutes. All have served 404 errors except one.

 

The entries are almost always like the first example below and are usually in the evening hours, but the second example is slightly different (underlined difference):

 

99.129.232.64 - - [01/Dec/2009:19:34:02 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.2.1910.1554; Windows 6.0; MSIE 8.0.6001.18828)"

 

99.129.232.64 - - [03/Dec/2009:21:36:41 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.3.1106.427; Windows 6.0; MSIE 8.0.6001.18828)"

 

This is the first time I saw this entry for the IP and looks like it got somewhere (served up a 200):

 

99.129.232.64 - - [02/Dec/2009:19:44:45 -0500] "GET /webmail HTTP/1.1" 200 5064 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"

 

The corresponding entry in the AWstats for the 3rd example: 99-129-232-64.lightspeed.milwwi.sbcglobal.net (pages)1 (hits)1 4.95 KB 02 Dec 2009 - 19:44

 

We have employees that use webmail and I see their entries all the time and there is never this "cpanel_magic_revision" text in their entries.

 

This IP and it's resulting 404 errors are constantly in my log files. I have received no complaints from the employees regarding not being able to access webmail.

 

Is this a hack attempt into the webmail? Is this something to worry about? Is there something I need to do besides banning the IP? I am not well educated on how to read user agents and such so I don't understand any of that in the log entry.

 

The reason I am a bit paranoid about hacks into the emails is because due to the nature of the business, frequently sensitive information is contained in the messages.

 

Thanks for any assistance given.

 

marlene

[TCH-Bruce]

I don't know if it's a hack attempt but I would ban the IP to block what ever it is from visiting the site any further.

[marlene]

I agree with banning the IP. Are you familiar with the cpanel reference?

 

cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico

 

 

I only see it when the suspect IP hits the site.

 

marlene

[TCH-Bruce]

I Googled for information.

 

That cPanel_magic_revision is a redirection script that performs some sleight of hand to load resources from non DocumentRoot accessible locations, in a secure way.

 

The problem here is the process is looking in the user's home directory for the branding images, rather than $reseller/cpanelbranding

 

This is a documented bug in cPanel.

[TCH-Bruce]

I spoke with support and this is not an attack it is part of the cPanel proxy service.

[SteveW]

Yes, it could be worth banning the IP, but remember similar requests could come from anywhere or lots of places. If that happens, banning IPs gets pointless.

 

This is the first time I saw this entry for the IP and looks like it got somewhere (served up a 200):

 

99.129.232.64 - - [02/Dec/2009:19:44:45 -0500] "GET /webmail HTTP/1.1" 200 5064 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"

The webmail page is a login page, so the 200 is ok. It served the login page.

 

99.129.232.64 - - [01/Dec/2009:19:34:02 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.2.1910.1554; Windows 6.0; MSIE 8.0.6001.18828)"

 

99.129.232.64 - - [03/Dec/2009:21:36:41 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.3.1106.427; Windows 6.0; MSIE 8.0.6001.18828)"

I can't add anything to why these are being requested, but the 404 is accurate. There is no such folder in public_html, so the path is invalid and the file doesn't exist.

 

We have employees that use webmail and I see their entries all the time and there is never this "cpanel_magic_revision" text in their entries.

That would seem to indicate it's being requested directly for some odd reason.

[SteveW]

The only thing protecting your sensitive emails is passwords consisting of long strings of completely random characters. No words that are in the dictionary, not even by combining them or making variations. Don't let your employees, employer, co-workers try to get away with anything less.

[marlene]

Oh...thanks so much for checking all this out.

 

I did assign passwords that I feel are secure, but maybe I should reassign them, just in case.

 

I have banned the IP, so I will wait to see if an employee complains about not getting into webmail. However, when instructing the employees on how to access the webmail in the first place, I didn't mention anything about this "magic" thing because I had no knowledge of it.

 

 

Thanks again. You guys are great.

 

marlene

[telcor]

99.129.232.64 - - [01/Dec/2009:19:34:02 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.2.1910.1554; Windows 6.0; MSIE 8.0.6001.18828)"

 

99.129.232.64 - - [03/Dec/2009:21:36:41 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.3.1106.427; Windows 6.0; MSIE 8.0.6001.18828)"

 

 

The above is pretty harmless. Some visitors to your webmail URL have the google toolbar installed. The toolbar is apparently confused and trying to load the favicon for the X3 webmail. As you noticed, there are two different versions of the toolbar doing this. That likely means there are two different comptuers, behind a firewall or proxy, that are accessing webmail.

 

Based upon the log snippets you provided, this is a likely scenario ( using example.com in place of your website):

 

1. Person1 accesses example.com/webmail

2. Because /webmail is valid, a 200 status is logged in the domain log for example.com

3. The google toolbar gets confused by something in the server response ( some conjecture here as hard data is not available )

4. The google toolbar attempts to fetch the favicon for webmail, using an invalid URI. This results in the 404 entry in your domain log

5. Person2 accesses example.com/webmail

6. Steps 2 - 4 are repeated for Person2, who also has the google tool bar

 

It looks like both requests are originating on AT&T's network from Milwaukee, Wisconsin ( i.e. milwwi.sbcglobal.net ).

 

One thing to keep in mind is any domain on a cPanel server will serve up the webmail interface, regardless of whether the email account is associated with the domain or not.

[SteveW]

Nice analysis, that sounds right to me. Google Toolbar often first tries to get a favicon.ico from the same folder as the requested page instead of looking directly for the top-level favicon.ico.