How can I find all email accounts not created bu cpanel

abursill

Member
Nov 8, 2019
20
4
3
Thailand
cPanel Access Level
Website Owner
I was recently hacked and am now finding email accounts in several of my domains' \mail folders that do not show up in cPanel when I log in to email.
One did show and I removed it. Though I am finding other mail folders that I did not create and cannot be seen in the Email section of cPanel.
Is it safe to delete these folders?
Sorry for the typo in the message heading; I am tired from cleaning up this hacker's mess for days.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
Hello,


Can you provide an example of what you're seeing? I'd be hesitant to tell you to remove something without first fully understanding what/which mail folders you're referencing.
 

abursill

In my cPanel domain accounts, before the public_html folder, in the /mail folder there is the one account [email protected] highlighted.
This same named account has appeared in all my domain accounts since I was hacked. However, it does not show up in cPanel when I go to the mail interface.

Excuse me, it did show up in one cPanel email account on one domain and I was able to delete it. This same account is on another 4 domains but seems hidden in the cPanel email interface.
Please see the attached image; this is in the /mail root folder of the domain before the public_html directory. There are also references to it in the /etc folder.

Strange why these email accounts were created, as they have not tried to send any emails. All the emails that were going out were sent by the default [email protected] account.

I need to know how to either make it show in cPanel so I can remove it or remove it by SSH.
This hacker left a nasty trail of phishing stuff through my server. This seems to be the last remaining issue I have to clear up.
 

cPanelLauren

Those are not email accounts, those are hidden folders (identified by the . at the front). They most likely contain a script that is running which would be changing your password. This would indicate that the account has a compromise.

1st, I'd remove any instance of an "email account" such as this.
2nd, you need to thoroughly investigate the files/folders located on the account for validity. If you don't know how to do this or need assistance, I'd suggest contacting your provider for further assistance.
3rd, you'll need to update all passwords on the account once you're sure you've identified the source of the issue.
 

cPanelLauren

> Hi, so do I need to remove them in both the /mail and /etc folders?
> Also, are there any other places I need to remove records for email accounts from?

You'd need to remove the fake account folders anywhere they're present. What exactly is present in /home/$user/etc?
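
One way to answer the thread's original question over SSH, as an added example that is not part of any post above and is not cPanel's own tooling: it lists mailbox directories under mail/<domain>/ that have no matching line in etc/<domain>/passwd, and separately lists hidden entries for review. The directory layout, the function names and the sample tree are assumptions; check them against your own account before acting on the output.

```shell
#!/bin/sh
# Assumed layout (verify on your own server before relying on it):
#   <home>/mail/<domain>/<localpart>/   one directory per mailbox
#   <home>/etc/<domain>/passwd          one "localpart:..." line per account

# Print "localpart@domain<TAB>path" for mailbox dirs with no passwd entry.
find_unregistered_mailboxes() (
    home_dir=$1
    for domain_dir in "$home_dir"/mail/*/; do
        [ -d "$domain_dir" ] || continue
        domain=$(basename "$domain_dir")
        # cur/new/tmp are the default account's own Maildir, not domains.
        case $domain in cur|new|tmp) continue ;; esac
        passwd="$home_dir/etc/$domain/passwd"
        # Second glob also picks up dot-directories, which "*" alone skips.
        for box in "$domain_dir"*/ "$domain_dir".[!.]*/; do
            [ -d "$box" ] || continue
            name=$(basename "$box")
            # Exact, fixed-string match on the first passwd field.
            if [ ! -f "$passwd" ] ||
               ! cut -d: -f1 "$passwd" | grep -qxF -- "$name"; then
                printf '%s@%s\t%s\n' "$name" "$domain" "${box%/}"
            fi
        done
    done
)

# List hidden directories and symlinks near the top of mail/ and etc/.
# Ordinary IMAP folders are stored as dot-directories too, so this is a
# list to review against what you expect, not a list to delete.
list_hidden_entries() {
    find "$1/mail" "$1/etc" -maxdepth 2 -name '.*' \
        \( -type d -o -type l \) 2>/dev/null | sort
}

# Constructed sample tree (not real data) for trying the functions offline.
make_sample_home() (
    t=$(mktemp -d)
    mkdir -p "$t/etc/example.com" "$t/mail/cur" "$t/mail/.ghost@example_com" \
        "$t/mail/example.com/alice" "$t/mail/example.com/mallory" \
        "$t/mail/example.com/.hidden"
    echo 'alice:x:constructed-sample-entry' > "$t/etc/example.com/passwd"
    echo "$t"
)

# Usage on a real account: find_unregistered_mailboxes "$HOME"
```

Run it read-only first and compare the output with the accounts shown in the cPanel Email interface before removing anything.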