cPanelResources

Tutorial How To Identify Abandoned cPanel Accounts

Overview
This tutorial includes methods to help you identify abandoned or inactive cPanel accounts.

Important Notes
• We strongly recommend that you create backups for cPanel accounts you deem as abandoned before terminating the account. You can use the /usr/local/cpanel/scripts/pkgacct script to create a backup for an account. For more information, read our Pkgacct documentation.

• The instructions in this tutorial do not encompass every use-case, and therefore, prudent inspection of an account's activity is recommended before termination.

• SSH access and root-level privileges are required to execute the commands included in this tutorial.

1. Find cPanel accounts with primary domains that do not resolve to the cPanel & WHM server.
A domain that resolves to another server's IP address (or does not resolve at all) is one indicator of an abandoned account. The following command will output a list of domains that do not resolve to their cPanel account's assigned IP address:

for user in $(whmapi1 listaccts | awk '/user:/ {print $2}'); do domain=$(whmapi1 accountsummary user=$user | awk '/domain:/ {print $2}'); assignedip=$(whmapi1 accountsummary user=$user | awk '/ip:/ {print$2}') ; dnsip=$(dig +short $domain); dnsmx=$(dig MX +short $domain @8.8.8.8 | awk '{print $2}' | xargs dig +short); if [[ $dnsip != $assignedip ]]; then echo -n "$user:$domain - A - FAILS"; if [[ "$dnsmx" == "$assignedip" ]]; then echo -e " but MX for $user:$domain does point locally"; else echo ""; fi; fi ; done
Command notes:
• This command performs a DNS check on each cPanel account's primary domain and then compares the domain's publicly served A record against the IP address assigned to the cPanel account. The command does not perform a DNS check on Addon Domains, Aliases, or Subdomains.
• It's not uncommon to see cPanel accounts with domains used exclusively for specific services such as Email. In these cases, it's possible for the cPanel account to remain active even if the primary domain resolves to a remote server. This command checks if the MX record resolves to the cPanel & WHM server and outputs a warning for those domains.
• Domains using third-party services such as CloudFlare will show up in the output of this command.

2. Check the AutoSSL Logs.
cPanel & WHM's AutoSSL feature performs a check similar to the command shared under the first step in this tutorial during the Domain Control Validation process. You can browse to the Logs tab in WHM >> Manager AutoSSL to look for the following error message in the All Users log output:

resolved to an IP address “x.x.x.x” that does not exist on this server
This specific error message, while not entirely definitive, does warrant further scrutiny into the accounts status for an administrative determination on removal.

3. Find recent cPanel login sessions.

The following command will search /usr/local/cpanel/logs/session_log and output the last three dates upon which the cPanel account was accessed:

grep $USERNAME /usr/local/cpanel/logs/session_log | grep NEW | awk '{print $1}' | uniq | tail -n3
Ensure you replace $USERNAME with the username of the cPanel account to search.

To search the recent cPanel session activity for all cPanel users on the server, execute the following command:

for user in $(whmapi1 listaccts | awk '/user:/ {print $2}'); do echo "The user $user last logged in on these dates:" ; grep $user /usr/local/cpanel/logs/session_log | grep NEW | awk '{print $1}' | uniq | tail -n3 ; done
Command notes:
• This command does not differentiate between sessions created by direct cPanel logins and sessions generated from root or reseller users that access cPanel for the account directly from WHM (or with the root/reseller password).

4. Find recent email login activity.
The following command will check all email accounts on the server and output any email account (and it's cPanel username) with zero logins in the past 60 days:

how_far_back=60;echo "Checking the last $how_far_back days for email accounts with no logins";for user in $(whmapi1 listaccts|&awk '/user: / {print $2}');do all_email=$(uapi --user=$user Email list_pops|&awk '/email: / {print $2}');for email in $all_email;do for((num=0;num<=how_far_back;num++));do timestamp=$(date -d "$num days ago" "+%b %d");lastlogin=$(zegrep "$timestamp.+Login: user=<$email" /var/log/maillog*);if [[ ! -z $lastlogin ]];then break;else if [[ $num -eq $how_far_back ]];then echo "$user:$email NO RECORD SINCE $timestamp";fi;fi;done;done;done
Command notes:
• This command may take several minutes to complete on servers with high numbers of email accounts.
• You can replace "60" with your preferred number of days. Keep in mind that this command is only scanning the entries present in /var/log/maillog*.

Questions/Feedback
Feel free to click on the Discussion tab to let us know if you have any questions or feedback about the information in this tutorial.
  • Like
Reactions: Spirogg
Author
cPanelResources
Views
1,246
First release
Last update