Attackers steal the password of an email or cPanel account from the user's devices.
They then set up forwarders and filters on the account.
1. Forwarders
We can see all forwarders with the following command:
cat /etc/valiases/*
We can list the forwarder files of all users that changed recently (here, within the last day) with the following command:
find /etc/valiases/* -type f -newermt "-1 days"
and print the content of the files changed in the given duration with the following command:
find /etc/valiases/* -type f -newermt "-1 days" -print | xargs cat
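To narrow the output of the commands above to the entries worth reviewing first, the following added example (not part of the original page) lists only forwarders in recently changed files whose destination is an address outside the file's own domain. The function name external_forwarders and the sample data are made up for illustration; it assumes GNU find and touch, and that each file is named after its domain with lines of the form "source: dest1, dest2".

```shell
#!/bin/sh
# Added example: report forwarders to external addresses in recently
# changed valiases-style files.
# Assumption: each file is named after its domain and holds lines such as
#   user@example.com: localuser, someone@other.example
# Usage: external_forwarders DIR [DAYS]   (DAYS defaults to 1)
external_forwarders() {
    dir=$1
    days=${2:-1}
    find "$dir" -maxdepth 1 -type f -newermt "-${days} days" -exec awk '
        FNR == 1 { domain = FILENAME; sub(/.*\//, "", domain) }  # file name is the domain
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            sep = index($0, ": ")
            if (sep == 0) next                  # not a "source: destination" line
            src = substr($0, 1, sep - 1)
            n = split(substr($0, sep + 2), dests, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                d = dests[i]
                gsub(/^[ \t]+|[ \t]+$/, "", d)
                first = substr(d, 1, 1)
                if (first == ":" || first == "|") continue  # :fail:, :blackhole:, pipes
                at = index(d, "@")
                if (at == 0) continue           # delivery to a local user
                if (tolower(substr(d, at + 1)) != tolower(domain))
                    print domain "\t" src "\t" d
            }
        }' {} +
}

# Constructed sample data (not from a real server), standing in for /etc/valiases.
demo_dir=$(mktemp -d)
printf '%s\n' 'ceo@example.com: ceo, copy@mailbox.example.net' \
              '*: :fail: No Such User Here' > "$demo_dir/example.com"
printf '%s\n' 'sales@shop.example: billing@shop.example' > "$demo_dir/shop.example"
printf '%s\n' 'old@legacy.example: x@elsewhere.example' > "$demo_dir/legacy.example"
touch -d '10 days ago' "$demo_dir/legacy.example"   # outside the 1-day window

# Columns: domain, forwarded address, external destination.
external_forwarders "$demo_dir" 1
```

On a server, pass /etc/valiases as the directory; an external destination is not malicious by itself, so compare each hit with what the account owner expects.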
2. Filters
There are two levels of filters: Account Level Filtering (Global Filter) and User Level Filtering.
2.1 Account Level Filtering (Global Filter)
You can get a list of all accounts with Account Level Filtering from /etc/vfilters, as any file there that has entries holds account level filters. The following command lists the non-empty files changed within the last day:
find /etc/vfilters/* -newermt "-1 days" -size +0c
2.2 User Level Filtering
The user level filters are stored under /home/username/etc/domain.com/emailusername. You can search for such files by looking for /home/*/etc/*/*/filter* files:
find /home/*/etc/*/*/filter* -newermt "-1 days" -size +0c
