Help! An account is gone and I don't know where! I need to know how and why it was deleted.
Procedure
First, check if you have backups enabled
You can always restore an account backup if a cPanel account or an email account goes missing, but you might want to review logs and do your analysis first.
What can be done when files go missing from a cPanel account?
Next, review some logs
There are some relevant logs that you should review; however, this isn't foolproof.
- /usr/local/cpanel/logs/access_log
  - You'll want to look for these API calls:
    - removeacct - for individually removed cPanel accounts
    - multikillacct - for multiple cPanel accounts removed simultaneously
    - delete_pop - for removed email accounts
- /home/cpanelusername/.bash_history and /root/.bash_history
  - Look for things like: rm, deluser
- /var/log/messages
  - Look for FTP logs
- /var/log/secure
  - This will contain SSH login information
- /home/cpanelusername/.lastlogin
  - This contains the IP addresses of recent logins for the user
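The access_log check above, written as a shell function (an added example, not cPanel's own tooling). It assumes a combined-log-style layout with the request URL in the seventh whitespace-separated field; the sample lines, users and IP addresses are constructed.

```shell
#!/usr/bin/env bash
# List account-deletion API calls found in a cPanel access_log.
# Assumed line layout: IP - user [timestamp zone] "METHOD URL PROTO" status size ...

find_deletions() {
    # Reads log lines from the files given as arguments, or from stdin.
    # Prints: timestamp <TAB> source IP <TAB> authenticated user <TAB> API call
    awk '
    BEGIN { n = split("removeacct multikillacct delete_pop", calls, " ") }
    {
        # Pad the URL so each call name is matched as a whole token,
        # not as part of a longer word such as "removeacctold".
        url = "/" $7 "/"
        for (i = 1; i <= n; i++) {
            if (url ~ ("[^A-Za-z0-9_]" calls[i] "[^A-Za-z0-9_]")) {
                ts = $4; sub(/^\[/, "", ts)
                printf "%s\t%s\t%s\t%s\n", ts, $1, $3, calls[i]
                break
            }
        }
    }' "$@"
}

sample_log() {
    # Constructed sample lines (documentation IP ranges, made-up users).
    cat <<'EOF'
203.0.113.10 - root [10/20/2023:15:02:11 -0000] "POST /cpsess0000000001/json-api/removeacct?api.version=1&user=exampleuser HTTP/1.1" 200 0 "-" "-"
203.0.113.10 - root [10/20/2023:15:03:40 -0000] "GET /cpsess0000000001/json-api/listaccts?search=removeacctold HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - reseller1 [10/21/2023:02:14:55 -0000] "POST /cpsess0000000002/scripts/multikillacct HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - exampleuser [10/21/2023:09:30:02 -0000] "GET /cpsess0000000003/execute/Email/delete_pop?email=info&domain=example.com HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - exampleuser [10/21/2023:09:31:17 -0000] "GET /cpsess0000000003/execute/Email/list_pops HTTP/1.1" 200 0 "-" "-"
EOF
}

# Demo on the constructed sample; on a server, run instead:
#   find_deletions /usr/local/cpanel/logs/access_log
sample_log | find_deletions
```

The source IP and user on each hit can then be compared against /var/log/secure and the user's .lastlogin file from the list above.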
For email, check for site level compromises
WordPress and other CMSs are often targeted because of their widespread install base. Automated attacks can result in email accounts seemingly disappearing.
Suddenly missing email accounts and not able to recreate them