How can I find all email accounts not created bu cpanel

abursill

Member
Nov 8, 2019
16
3
3
Thailand
cPanel Access Level
Website Owner
I was recently hacked and am not finding email accounts in severl of my domains \mail folders that do not show up in cpanel when i login to email.
One did show and I removed it. Though I am finding other mail folders that I did not create and can not be seem in the Email section of cppanel.
Is it safe to delete these folders?
Sorry for the typo in the message heading I am tired from cleaning up this hackers mess for days.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Hello,


Can you provide an example of what you're seeing? I'd be hesitant to tell you to remove something without first fully understanding what/which mail folders you're referencing.
 

abursill

Member
Nov 8, 2019
16
3
3
Thailand
cPanel Access Level
Website Owner
In my cpanel domain accunts beofre the public_hml folder in the /mail folder there is the one account [email protected] highlighted.
This same named account has appeared in all my domain accounts since I was hacked. However it does not show up in Cpanel when I go to the mailinterface.

Excuse me it did show up in one cpanel email account on one domain and I was able to delete it. This same account is on another 4 domains but seems hidden in the cpanel email interface.
please see the attached image this in the /mail root folder of the domain before the public_html directory. There are also references to it in the /etc folder

Strange why these email accounts were created as they have not tried to send any emails. All the emails that were goingo out were sent by the defaul [email protected] account

I need to know how to either make it show in cpanel so i can remove it or remove it by ssh.
This hacker left a nasty trail of phishing stuff through my server. This seems to be the last remainig issue I have to clear up.
 

Attachments

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Those are not email accounts, those are hidden folders (identified by the . at the front). They most likely contain a script that is running which would be changing your password. This would indicate that the account has a compromise.

1st I'd remove any instance of an "email account" such as this
2nd you need to thoroughly investigate the files/folders located on the account for validity. If you don't know how to do this or need assistance I'd suggest contacting your provider for further assistance.
3rd you'll need to update all passwords on the account once you're sure you've identified the source of the issue.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Hi so do I need to remove them in both the /mail amd /etc folders?
Also are there any other plaeces I need to remove records for email accounts from?
You'd need to remove the fake account folders anywhere they're present. What exactly is present in /home/$user/etc?