Symptoms
Email accounts are missing in the cPanel interface, and the domain's passwd and shadow files were modified without your knowledge.
Description
After a website becomes compromised, hackers can run arbitrary PHP code as the cPanel user. Malicious scripts run this way can then reset the email-account passwords for the affected users, among many other actions.
The following article provides guidance on what to do when an account is compromised. Please also change any account passwords once the account has been restored.
What can be done if a cPanel account is compromised?
If you don't have a backup, then in some rare cases you may be able to recover the shadow passwords from a backup file that a malicious script made.
Workaround
In the following examples, $user is the cPanel username, and domain.tld is the domain you're working with.
cPanel's script acctinfo can detect a few versions of this exploit:
How to use acctinfo to troubleshoot issues
1. Set the acctinfo alias:
alias acctinfo='/usr/local/cpanel/3rdparty/bin/perl <(curl -s https://raw.githubusercontent.com/cPanelInc/tech-acctinfo/master/acctinfo)'
2. Run acctinfo with the mail flag, which initiates multiple checks relating to email for an account:
acctinfo --mail $user
If you see either of the following outputs:
\_ [WARN] - Found evidence of the AnonymousF0x/smtpF0x hack in the following:
\_ /home/$user/etc/domain.tld/shadow
\_ [WARN] - Possible variant of the shadow.roottn.bak hack found in /home/$user/etc/domain.tld/
\_ /home/$user/etc/domain.tld/shadow.roottn.bak
You may be affected by a site compromise that modifies the domain's passwd and shadow files.
Please note that this check only partially covers accounts affected by this type of compromise: it detects a pattern we have observed, not every variant. It is also not a substitute for cleaning the site that initially caused the issue. Further detailed investigation of the root cause is best handled by a security expert or systems administrator. Any affected cPanel accounts remain compromised and must be restored from a known clean backup; otherwise the attacker can move the shadow files back out of the way, or damage or deface the site.
Some variants of the malicious script make a backup of your shadow file; we have seen this in cases where /home/$user/etc/domain.tld/shadow.roottn.bak exists. After backing up the current shadow file, copy that file back into place to restore the previous version:
mv -vi /home/$user/etc/domain.tld/shadow /home/$user/etc/domain.tld/shadow.bak
cp -vi /home/$user/etc/domain.tld/shadow.roottn.bak /home/$user/etc/domain.tld/shadow
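Before copying the backup back, it helps to know exactly which mailboxes the script changed. The following is an added example, not cPanel's own code: a POSIX shell helper that finds every domain directory containing a shadow.roottn.bak and reports which mailbox entries differ between that backup and the current shadow. It assumes the standard colon-separated shadow layout (user:hash:...) and that a run against /home is done as root.

```shell
#!/bin/sh
# shadow_diff DIR
#   Compare DIR/shadow with DIR/shadow.roottn.bak and print one line per
#   mailbox that differs: "changed <user>" (hash differs, i.e. password
#   reset), "added <user>" (present only in the current shadow) or
#   "removed <user>" (present only in the backup). Returns 1 if there is
#   no backup. Assumes the standard user:hash:... shadow layout.
shadow_diff() {
    dir=$1
    cur="$dir/shadow"
    bak="$dir/shadow.roottn.bak"
    if [ ! -f "$bak" ]; then
        echo "no shadow.roottn.bak in $dir" >&2
        return 1
    fi
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }      # skip blank and comment lines
        FNR == NR { bak[$1] = $2; next }       # first file: the backup copy
        { cur[$1] = $2 }                       # second file: current shadow
        END {
            for (u in bak) {
                if (!(u in cur))          print "removed " u
                else if (cur[u] != bak[u]) print "changed " u
            }
            for (u in cur) if (!(u in bak)) print "added " u
        }' "$bak" "$cur" | sort
}

# scan_homes [BASE]
#   Walk BASE (default /home) for */etc/*/shadow.roottn.bak, the artefact
#   this compromise leaves behind, and run shadow_diff on each domain dir.
scan_homes() {
    base=${1:-/home}
    find "$base" -path '*/etc/*/shadow.roottn.bak' -print 2>/dev/null |
    while IFS= read -r bak; do
        d=$(dirname "$bak")
        echo "== $d"
        shadow_diff "$d"
    done
}
```

Run `scan_homes` as root to list every affected domain on the server; a `changed` line is a mailbox whose password the script reset, which is also the list of users who must change their passwords after the restore.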
Further details about restoring shadow and passwd files are explained in the following article: