History / log of password change for an email account ?

M

Markif

Member
Nov 9, 2016
16
0
76
Toulouse
cPanel Access Level
Root Administrator
Hello

Is there a log of password changes for an email box somewhere?

Use case: A consumer claims their password has been changed (but probably got it wrong), but how do you verify or prove that they haven't? Or how to tell him - if it is the case - on what date / time it happened and which user was in session from which IP.
Of course, it's not about knowing the new password, but just finding a trace of a change.

Thanks for your help
 
cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,261
313
Houston
The cPanel access logs would have logs for any access made to a cPanel service including password changes. It stores this information in GET and POST requests and may not always indicate that the action taken was a password change though. You can find the access logs at /usr/local/cpanel/logs/access_log
 
kodeslogic

kodeslogic

Well-Known Member
Apr 26, 2020
241
78
103
IN
cPanel Access Level
Root Administrator
@Markif

When you see below lines together with one after another in /usr/local/cpanel/logs/access_log there is most chances that for some email account of cPanel user "UserAccount" password modification was done.

Code: 
xx.xx.x.xxx - UserAccount [08/28/2020:00:01:05 -0000] "POST /cpsess6183611895/backend/passwordstrength.cgi HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/enable_mailbox_autocreate HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/passwd_pop HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/list_pops_with_disk HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
 
Last edited:
  • Like
Reactions: cPanelLauren
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
E SOLVED CPHulk read history reports using the command line or API Security 3
J Conflicting tech notes history of logins Security 3
D SOLVED Add country to cPHulk History Reports Security 2
M SOLVED Show login history Security 3
000 How I can take the history IP of ALL access log as ROOT? Security 5
Similar threads
SOLVED CPHulk read history reports using the command line or API
Conflicting tech notes history of logins
SOLVED Add country to cPHulk History Reports
SOLVED Show login history
How I can take the history IP of ALL access log as ROOT?
Top Bottom