History / log of password change for an email account ?

Markif

• August 26, 2020 10:56

Hello Is there a log of password changes for an email box somewhere? Use case: A consumer claims their password has been changed (but probably got it wrong), but how do you verify or prove that they haven't? Or how to tell him - if it is the case - on what date / time it happened and which user was in session from which IP. Of course, it's not about knowing the new password, but just finding a trace of a change. Thanks for your help

• 

  cPanelLauren

  • August 27, 2020 22:53

  The cPanel access logs would have logs for any access made to a cPanel service including password changes. It stores this information in GET and POST requests and may not always indicate that the action taken was a password change though. You can find the access logs at /usr/local/cpanel/logs/access_log
  

  0
• 

  kodeslogic

  • August 28, 2020 00:08

  @Markif When you see below lines together with one after another in /usr/local/cpanel/logs/access_log
  there is most chances that for some email account of cPanel user "UserAccount" password modification was done. xx.xx.x.xxx - UserAccount [08/28/2020:00:01:05 -0000] "POST /cpsess6183611895/backend/passwordstrength.cgi HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083 xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/enable_mailbox_autocreate HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083 xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/passwd_pop HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083 xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/list_pops_with_disk HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
  

  0

Please sign in to leave a comment.