Symptoms
Under the Email Accounts interface in cPanel, the list of email accounts for a domain may be completely missing, or only one or a few of the domain's addresses are displayed.
Furthermore, any attempt to recreate a missing account fails with an error stating that the account already exists.
Description
The problem is not caused by the cPanel software but by a malicious script that changes the passwords of the user's existing email accounts or creates new ones.
Any further detailed investigations into this issue would be best handled by a security expert or systems administrator.
The most common variant of this malicious script is hosted in this GitHub repository; however, many variations of the script exist.
This is a user-level compromise: the attacker first compromises the user's website in a way that allows arbitrary PHP code to run as the cPanel user, then uses that access to run the script. It most commonly affects users running outdated CMS software, themes or plugins (WordPress, Joomla, Magento, etc.), or sites with similar vulnerabilities that allow arbitrary code execution at the user level.
A common trace of these compromises is a file that the script leaves behind when modifying the email passwords:
shadow.roottn.bak
To locate the affected accounts on a server, run the following command as the root user:
perl <(find2perl /home/*/etc/*/shadow\.* -print )
If any users are affected, the output will look similar to this:
[root@the ~]$ perl <(find2perl /home/*/etc/*/shadow\.* -print )
/home/cptech/etc/domain.com/shadow.roottn.bak
/home/cptech/etc/domain2.com/shadow.roottn.bak
/home/cptech/etc/domain3.com/shadow.roottn.bak
/home/cpuser2/etc/domain4.com/shadow.roottn.bak
/home/cpuser3/etc/domain4.com/shadow.roottn.bak
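The listing above only shows where the script has been; to see what it changed, compare each domain's current shadow file with the shadow.roottn.bak left beside it. The script below is an added example, not part of this article and not cPanel's own tooling. It assumes the standard cPanel layout /home/<user>/etc/<domain>/shadow with the backup named shadow.roottn.bak in the same directory; the make_sample function builds a constructed sample tree (placeholder hashes, not real data) in a temporary directory so the script can be exercised without touching a live server.

```shell
#!/bin/sh
# Added example: report which mail accounts a roottn-style script changed,
# added or removed, by diffing each domain's current shadow against the
# shadow.roottn.bak it left behind. Not cPanel's own tooling.
# Assumed layout: /home/<user>/etc/<domain>/shadow (+ shadow.roottn.bak)

HOMEROOT="${HOMEROOT:-/home}"   # override to scan a copied /home tree

# compare_shadow <path to shadow.roottn.bak>
# Prints one line per difference: "changed NAME" when the account is in both
# files but the hash differs, "added NAME" when it exists only in the current
# shadow, "removed NAME" when it exists only in the backup.
compare_shadow() {
    bak="$1"
    cur="${bak%.roottn.bak}"            # .../shadow.roottn.bak -> .../shadow
    if [ ! -f "$cur" ]; then
        echo "compare_shadow: no current shadow beside $bak" >&2
        return 1
    fi
    # Pass 1: walk the current (attacker-written) shadow file.
    while IFS=: read -r name hash _; do
        [ -n "$name" ] || continue
        if old=$(awk -F: -v n="$name" \
                 '$1 == n { print $2; f = 1; exit } END { exit !f }' "$bak"); then
            [ "$old" = "$hash" ] || echo "changed $name"
        else
            echo "added $name"
        fi
    done < "$cur"
    # Pass 2: accounts in the backup that no longer exist at all.
    while IFS=: read -r name _; do
        [ -n "$name" ] || continue
        awk -F: -v n="$name" '$1 == n { f = 1; exit } END { exit !f }' "$cur" \
            || echo "removed $name"
    done < "$bak"
}

# scan_homes: run compare_shadow for every backup the script left behind.
scan_homes() {
    for bak in "$HOMEROOT"/*/etc/*/shadow.roottn.bak; do
        [ -e "$bak" ] || continue       # unmatched glob stays literal; skip it
        echo "== $bak"
        compare_shadow "$bak"
    done
}

# make_sample <dir>: build a constructed sample tree (placeholder hashes,
# not real data) and echo the path of its shadow.roottn.bak.
make_sample() {
    d="$1/cptech/etc/domain.com"
    mkdir -p "$d"
    cat > "$d/shadow.roottn.bak" <<'EOF'
sales:$6$origsalt$originalsaleshash:17000:0:99999::::
info:$6$origsalt$originalinfohash:17000:0:99999::::
EOF
    cat > "$d/shadow" <<'EOF'
sales:$6$evilsalt$attackerhash:18000:0:99999::::
info:$6$origsalt$originalinfohash:17000:0:99999::::
admin:$6$evilsalt$attackeradminhash:18000:0:99999::::
EOF
    echo "$d/shadow.roottn.bak"
}

# Stand-alone run: show the sample comparison, then scan the real HOMEROOT.
tmp=$(mktemp -d)
compare_shadow "$(make_sample "$tmp")"   # prints: changed sales / added admin
rm -rf "$tmp"
scan_homes
```

Accounts reported as "changed" are the ones whose passwords the attacker replaced; "added" entries are mailboxes the attacker created and are a good place to look for outbound spam or forwarding rules. A backup is only useful for the recovery described later if every account you care about still appears in it unchanged.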
Workaround
The users shown in the output have been compromised in some fashion, so the recommended fix is to restore the account from a backup that is known to be clean. The following article provides guidance on what to do when an account has been found to be compromised. Be sure to change all of the account's passwords once it has been restored.
If you do not have a backup, then in some rare cases you may be able to recover the original shadow passwords from the shadow.roottn.bak file that the malicious script sometimes leaves behind.
Note that these accounts are still compromised and still need to be cleaned; otherwise the attacker can simply move the shadow files back out of the way, or do further damage such as defacing the site.
To attempt this, follow these steps (replace user and domain with the actual cPanel username and domain name):
Creating a backup of the files
user=cPanelUsername ; domain=domainname.tld ; mkdir -p /root/cptechs/$user/$domain ; mv -v /home/$user/etc/$domain/shadow /root/cptechs/$user/$domain
Restoring the old shadow file
user=cPanelUsername ; domain=domainname.tld ; mv -v /home/$user/etc/$domain/shadow.roottn.bak /home/$user/etc/$domain/shadow
Clearing the cPanel and Dovecot cache
user=cPanelUsername ; domain=domainname.tld ; mv -v /home/$user/.cpanel/email_accounts_count{,.cPbkp} ; mv -v /home/$user/.cpanel/email_accounts.json{,.cPbkp}
doveadm auth cache flush