If a user's password was changed via cPanel, the password change action will be logged in cPanel's access log.
- Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
- Grep the
changepasand the cPanel username.
[root@server ~]cPs# grep changepass /usr/local/cpanel/logs/access_log|grep $cpusername|grep POSTPlease note that "$cpusername" must be replaced with the cPanel user's username.
203.0.113.2 - cpusername [05/04/2023:14:11:52 -0000] "POST /cpsess8811443411/frontend/jupiter/passwd/changepass.html HTTP/1.1" 200 0 "https://domain.tld:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0" "s" "-" 2083
If a user changed their password using the Linux shell, the change would not be logged in the access logs. This may instead be present in the user's