Someone is deleting Email Account

crazyaboutlinux

Well-Known Member
Nov 3, 2007
Someone is deleting an email account. I don't know how it is being done, whether by some kind of malware, a trojan script, or by a human being.

Whatever it is, it is deleting only one email account, which is the main email id of the cPanel account holder.

How do I find out the cause of this issue, and also who deleted the email account and when?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
You can check the access logs for logins for that account at /usr/local/cpanel/logs/access_log location:

Code:
grep emailuser /usr/local/cpanel/logs/access_log
When you mention this is the main email account being removed, do you mean the cPanel username account? If so, is the folder itself missing at /home/user/mail/ location? You might want to check the FTP logs, since these folders can be removed using FTP:

Code:
grep emailuser /var/log/messages
Thanks.
 

crazyaboutlinux

Well-Known Member
Nov 3, 2007
Hi Tristan,

Thank you for replying.

When you mention this is the main email account being removed, do you mean the cPanel username account?
>> No, I meant that it is the owner's mail id, not the cPanel username account.

I ran
grep [email protected] /usr/local/cpanel/logs/access_log

That shows logs after 02/26/2011; I want logs from before that date.

Secondly,
grep [email protected] /var/log/messages

doesn't give any output.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
You need to run the command for /var/log/messages as just the email user's name not the full email address. If they removed the folder via FTP, the folder isn't named [email protected] but emailuser at the path /home/username/mail/example.com/emailuser so you'll never get a return for the grep you performed. In the path I noted, username is the cPanel username, example.com is the domain name, and emailuser is the email user's name.

Next, you can do the following to check for any commands in SSH by running:

Code:
grep emailuser /root/.bash_history /home/*/.bash_history
For emailuser, do not put the full email address but only the email user's name (so if [email protected] is the full address, do not use that full address; only put the emailuser part).

Finally, if you aren't finding logs for /usr/local/cpanel/logs/access_log prior to the date you need, it's likely the log cleared or archived before that date (if you have WHM > cPanel Log Rotation Configuration set to archive the access_log, this would be why it would periodically clear). If the access_log was archived, you can go to /usr/local/cpanel/logs/archive/ and look for the access_log archives to see if any information is there.
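The three checks in the replies above (cPanel access_log including its archives, FTP lines in /var/log/messages, and .bash_history files) can be run as one pass. The script below is an added example and is not from this thread or from cPanel: it greps each file for the bare mail user name as a whole word and for the mailbox directory /home/cpuser/mail/domain/user, decompresses .gz archives first, and tags each hit with the file it came from. The file names, log contents and line formats (including the cPanel request URL and the pure-ftpd style lines) are constructed for the demo and only approximate what a real server writes; on a real server you would pass the real paths instead of the temp files.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling. Constructed sample logs stand in for
# /usr/local/cpanel/logs/access_log, its gzip archive, /var/log/messages and a
# .bash_history file; the formats are approximations, not verbatim cPanel output.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"

# Constructed stand-in for access_log: one mailbox deletion request, one unrelated hit.
cat > "$DEMO_DIR/access_log" <<'EOF'
203.0.113.5 - cpuser [03/01/2011:10:15:02 -0000] "POST /frontend/x3/mail/dodelpop.html?email=owner&domain=example.com HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - cpuser [03/01/2011:10:16:40 -0000] "GET /frontend/x3/mail/pops.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF

# Constructed stand-in for an archived (gzip-compressed) older access_log.
printf '%s\n' '198.51.100.9 - cpuser [02/20/2011:08:02:11 -0000] "POST /frontend/x3/mail/dodelpop.html?email=owner&domain=example.com HTTP/1.1" 200 0 "-" "curl/7.19"' \
  | gzip -c > "$DEMO_DIR/access_log-2-2011.gz"

# Constructed stand-in for /var/log/messages with FTP daemon lines.
cat > "$DEMO_DIR/messages" <<'EOF'
Mar  1 09:55:01 host pure-ftpd: (cpuser@203.0.113.5) [NOTICE] Deleted /home/cpuser/mail/example.com/owner/cur/1298973301.host
Mar  1 09:55:02 host pure-ftpd: (cpuser@203.0.113.5) [INFO] Logout.
EOF

# Constructed stand-in for a .bash_history file.
cat > "$DEMO_DIR/bash_history" <<'EOF'
ls /home/cpuser/mail/example.com
rm -rf /home/cpuser/mail/example.com/owner
EOF

# search_user_events USER DOMAIN CPUSER FILE...
# Prints "file: line" for every line mentioning USER as a whole word or the
# mailbox path. Unreadable files are skipped; .gz files are decompressed first.
search_user_events() {
  user="$1"; domain="$2"; cpuser="$3"; shift 3
  mailbox="/home/$cpuser/mail/$domain/$user"
  for f in "$@"; do
    [ -r "$f" ] || continue
    { case "$f" in
        *.gz) gzip -dc "$f" ;;
        *)    cat "$f" ;;
      esac; } | grep -w -e "$user" -e "$mailbox" | sed "s|^|$f: |"
  done
  return 0
}

# count_user_events: same arguments, prints only the number of matching lines.
count_user_events() {
  search_user_events "$@" | wc -l | tr -d ' '
}

search_user_events owner example.com cpuser \
  "$DEMO_DIR/access_log" "$DEMO_DIR/access_log-2-2011.gz" \
  "$DEMO_DIR/messages" "$DEMO_DIR/bash_history"
```

Matching on the whole-word user name rather than the full address is what makes the FTP and shell-history lines show up, since those only ever contain the directory name; the timestamp and source IP on each hit are then what tells you who and when.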