77 user accounts mystery
One domain on my server apparently had its Drupal installation exploited at some point and as soon as I can I will simply rebuild that whole website rather than try to find the injected script. Spams are being sent out by the domain owner account: domainowner@hostname
I notice today in WHM that the same domain is shown as having 77 users. There are only 6 email addresses and 2 ftp accounts. I did check in ~/.cpanel/email_accounts.yaml and only the expected 6 email accounts are showing.
This domain also hosts mailman lists but I would not think that subscribers to a mailman list are counted as "users". And there is one MySQL database user. But even if mailman subscribers and the MySQL user are counted, this would still only add up to a grand total of something like 30 email users, ftp users, MySQL users and mailman subscribers.
Where might I look on the server for these 77 users? I am curious what this high number of users could be about, and whether the existence of these mysterious hidden users could have something to do with the exploit on the website.
thanks in advance,
kazar
-
] I notice today in WHM that the same domain is shown as having 77 users. kazar
What does that mean? "77 users" where in WHM does it say the # of users? Or are you referring to the # of Apache connections to that account?
-
]What does that mean? "77 users" where in WHM does it say the # of users? or are you referring to the # of Apache connections to that account?
Sorry for the lack of detail! It was in "Show IP Address Usage" in WHM, here is a screenshot:
-
It's showing the domain has 77 mail accounts, I don't think it's a result of any hack though. We have several servers and very few of the "Mail Usage Displays the number of email accounts that the associated domain hosts." are correct. Some show 6 accounts that actually have 23 and some show 23 that have only 4. /scripts/ipusage also shows the wrong info most of the time.
-
Hello :) You can try rebuilding the Apache configuration file via: /scripts/rebuildhttpdconf
Also, review the passwd file in /home/$username/etc/$domain/ to see if any additional email accounts are listed there. Thank you.
-
I have the same question?
-
]I have the same question?
Please review my previous post to this thread and let us know your response to it. Thank you.
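One way to carry out the passwd review suggested in the reply above, as an added example that is not part of the original thread or cPanel's own tooling. It assumes each /home/$username/etc/$domain/passwd is a colon-separated, passwd-style file with the mailbox name in the first field; the function names, sample tree and expected list are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit per-domain mailbox passwd files under a cPanel home.
# Assumption: /home/$username/etc/$domain/passwd is colon-separated and the
# first field of each line is the mailbox local part.

# Print every mailbox found on disk as local@domain, sorted and de-duplicated.
list_mailboxes() (
    home_dir=$1
    for f in "$home_dir"/etc/*/passwd; do
        [ -f "$f" ] || continue
        domain=$(basename "$(dirname "$f")")
        # Skip blank lines and comments; field 1 is the mailbox name.
        awk -F: -v d="$domain" 'NF && $1 !~ /^#/ { print $1 "@" d }' "$f"
    done | sort -u
)

# Print mailboxes that exist on disk but are missing from the expected list
# (a text file with one full address per line).
unexpected_mailboxes() (
    list_mailboxes "$1" | grep -vxFf "$2" || true
)

# Constructed sample tree standing in for /home/$username (not real data).
demo=$(mktemp -d)
mkdir -p "$demo/etc/example.com" "$demo/etc/lists.example.com"
printf '%s\n' \
    "info:x:1001:1001::$demo/mail/example.com/info:$demo" \
    "sales:x:1001:1001::$demo/mail/example.com/sales:$demo" \
    "newsletter7:x:1001:1001::$demo/mail/example.com/newsletter7:$demo" \
    > "$demo/etc/example.com/passwd"
printf '%s\n' "owner:x:1001:1001::$demo/mail/lists.example.com/owner:$demo" \
    > "$demo/etc/lists.example.com/passwd"
# The accounts the owner expects, e.g. copied from the cPanel interface.
printf '%s\n' info@example.com sales@example.com owner@lists.example.com \
    > "$demo/expected.txt"

echo "Mailboxes on disk: $(list_mailboxes "$demo" | wc -l | tr -d ' ')"
echo "Not in the expected list:"
unexpected_mailboxes "$demo" "$demo/expected.txt"
rm -rf "$demo"
```

On a real account, point the functions at /home/$username and a file listing the addresses you expect; any address printed by unexpected_mailboxes is one to check against the account's mail activity.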