shadow file (for email client) empty

Gastón

Member
May 5, 2016
Argentina
cPanel Access Level: DataCenter Provider
Hello everybody, today I have a weird problem with one of my cPanel servers. One of our clients reported that they were unable to log in to their email accounts. I found that the file /home/$username/etc/$domain/shadow has only one user in it, and there was another file, "/home/$username/etc/$domain/shadow.roottn.bak", with all the users and encrypted passwords.
I copied the missing accounts from the .bak file to the original shadow, restarted Dovecot and the problem was solved, BUT...

The problem replicated in several accounts on the server... What caused it? Did a script fail? Which log can I check to see what happened?

Thank you very much as always,

Regards.

Gastón.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level: DataCenter Provider
Hello @Gastón,

It seems like someone with root access to your system manually moved the existing shadow files out of the way. Can you check with any of your system administrators or hosting provider to see if this was done intentionally?

Thank you.
 

orlandobond

Registered
Feb 11, 2016
Romania
cPanel Access Level: Root Administrator
Hello,

Most probably the account is infected with Bksmile **(RooTTN)


On the account do a find:

Code:
find /home/CpanelUser/ -type f -name "*" -exec grep -l "RooTTN" {} \;
 
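Added example, not part of any post in this thread: a read-only check that uses the file layout from the first post (/home/$username/etc/$domain/shadow next to shadow.roottn.bak) to list which mail logins exist only in the backup, across every account on the server. It assumes one account per line with the login name before the first ":"; the function name is made up for this example.

```shell
#!/bin/sh
# Added example: find mail accounts that are present in shadow.roottn.bak
# but missing from the live shadow file. It only reads files.
# Assumption: one account per line, login name before the first ':'.
# Usage (as root): audit_shadow_backups /home

# audit_shadow_backups HOME_ROOT
# Prints "cpanel_user domain login" for each login found only in the backup.
audit_shadow_backups() (
    root=${1:-/home}
    for bak in "$root"/*/etc/*/shadow.roottn.bak; do
        [ -f "$bak" ] || continue              # glob matched nothing
        dir=$(dirname "$bak")                  # .../<user>/etc/<domain>
        live="$dir/shadow"
        [ -f "$live" ] || live=/dev/null       # live file removed entirely
        domain=$(basename "$dir")
        user=$(basename "$(dirname "$(dirname "$dir")")")
        # First operand is the live file: remember its logins.
        # Second operand is the backup: print logins the live file lacks.
        awk -F: -v u="$user" -v d="$domain" '
            FILENAME == ARGV[1] { live[$1] = 1; next }
            $1 != "" && !($1 in live) { print u, d, $1 }
        ' "$live" "$bak"
    done
)
```

Any output line marks a domain where the live shadow file was replaced; domains with no shadow.roottn.bak are skipped.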