Someone is deleting Email Account

Discussion in 'Security' started by crazyaboutlinux, Feb 28, 2011.

  1. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Someone is deleting an email account. I don't know how it is being done, whether it is being done by some kind of malware, trojan scripts, or by a human being.

    Whatever it is, it is deleting only 1 email account, which is the main email ID of the cPanel account holder.

    How can I find out the cause of this issue, and also who deleted the email account and when?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You can check the access logs for logins for that account at /usr/local/cpanel/logs/access_log location:

    Code:
    grep emailuser /usr/local/cpanel/logs/access_log
    When you mention this is the main email account being removed, do you mean the cPanel username account? If so, is the folder itself missing at /home/user/mail/ location? You might want to check the FTP logs, since these folders can be removed using FTP:

    Code:
    grep emailuser /var/log/messages
    Thanks.
     
  3. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Hi Tristan,

    Thank you for replying.

    When you mention this is the main email account being removed, do you mean the cPanel username account?
    >> No, I meant that it is the owner's mail ID, not the cPanel username account.

    I ran
    grep emailuser@example.com /usr/local/cpanel/logs/access_log

    This shows logs after 02/26/2011; I want the ones from before that date.

    Secondly
    grep emailuser@example.com /var/log/messages

    doesn't give any output.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You need to run the command for /var/log/messages with just the email user's name, not the full email address. If they removed the folder via FTP, the folder isn't named emailuser@example.com but emailuser, at the path /home/username/mail/example.com/emailuser, so you'll never get a return for the grep you performed. In the path I noted, username is the cPanel username, example.com is the domain name, and emailuser is the email user's name.

    Next, you can do the following to check for any commands in SSH by running:

    Code:
    grep emailuser /root/.bash_history /home/*/.bash_history
    For emailuser, do not put the full email address but only the email user's name (emailuser@example.com is the full address; do not use that full address, only the emailuser part).

    Finally, if you aren't finding logs for /usr/local/cpanel/logs/access_log prior to the date you need, it's likely the log cleared or archived before that date (if you have WHM > cPanel Log Rotation Configuration set to archive the access_log, this would be why it would periodically clear). If the access_log was archived, you can go to /usr/local/cpanel/logs/archive/ and look for the access_log archives to see if any information is there.
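
Added example, not part of the thread or of cPanel's tooling: the checks suggested above combined into one pass that takes the full address, reduces it to the local part, and searches the live access_log, any rotated archives (compressed or not) and extra files such as /var/log/messages. The function name, the `access_log*` archive naming, gzip compression and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# search_mailbox_traces ADDRESS LOGDIR [EXTRA_FILE...]   (hypothetical helper)
# Prints "file: line" for every line that mentions the mailbox's local part.
search_mailbox_traces() {
    addr=$1; logdir=$2; shift 2
    localpart=${addr%%@*}   # emailuser@example.com -> emailuser (folder name on disk)
    for f in "$logdir"/access_log "$logdir"/archive/access_log* "$@"; do
        [ -f "$f" ] || continue          # skip unmatched globs and missing files
        case $f in
            *.gz) gzip -dc -- "$f" ;;    # assumed: rotated archives may be gzip-compressed
            *)    cat -- "$f" ;;
        esac | grep -F -- "$localpart" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"   # -F above: dots in names are literal
        done
    done
}

# Constructed demo data (simplified lines, not real cPanel or FTP log output).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/archive"
printf '%s\n' '[02/27/2011] user=username action=list-mailboxes emailuser@example.com' \
              '[02/27/2011] user=username GET /index.html' > "$demo_dir/access_log"
printf '%s\n' '[02/20/2011] user=username action=delete-mailbox emailuser@example.com' \
    | gzip -c > "$demo_dir/archive/access_log.1.gz"
printf '%s\n' 'Feb 21 ftpd: username DELE mail/example.com/emailuser/cur' \
              'Feb 21 ftpd: username LIST public_html' > "$demo_dir/messages"

# Three hits: live log, compressed archive, and the FTP line that a grep
# for the full address would have missed.
search_mailbox_traces emailuser@example.com "$demo_dir" "$demo_dir/messages"
```

On a server, the same function would be called with the paths named in the thread: `search_mailbox_traces emailuser@example.com /usr/local/cpanel/logs /var/log/messages /root/.bash_history /home/*/.bash_history`.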
     