Can I determine when an email account has been created?

Operating System & Version: AlmaLinux 8
cPanel & WHM Version: 108

Kent Brockman (Well-Known Member, PartnerNOC):
Hello guys, I have an account with hundreds of email addresses and some seem to be fake ones, created during an Anonymous Fox infection.
I need a command to know when every email account has been created, no matter if it's a log or reading the folder timestamp. Is there any way I can achieve this?
 

xpy-xpy (Well-Known Member):
AFAIK there are no such logs in cPanel. I would start by grepping "add_pop" together with the cPanel account username in cPanel's access_log.

Names of the created mailboxes are not logged, but at least you may be able to find the IPs, user agents and time ranges of the infection activity, as well as the number of recently created addresses.

Then I would write a script to compare the acquired time range data with the timestamps of mailbox files that are unlikely to have been modified since creation such as maildirsize.

Finally, if the results give no reason to doubt, still double-check everything and delete the addresses from the list using UAPI.

Having more detailed logs would have made things much easier, of course.
 

quietFinn (Well-Known Member):
> Hello guys, I have an account with hundreds of email addresses and some seem to be fake ones, created during an Anonymous Fox infection.
> I need a command to know when every email account has been created, no matter if it's a log or reading the folder timestamp. Is there any way I can achieve this?
Look in the /home/USERNAME/mail folder; you will see links to the mailboxes, like .user@domain_ext (starting with a dot) -> domain.ext/username
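The procedure xpy-xpy outlines (grep add_pop in access_log, then compare the time ranges with maildirsize timestamps) together with the mail-folder layout quietFinn describes, as an added worked example that is not code from this thread or from cPanel. It builds a throwaway fixture (three constructed access_log lines in an approximation of cPanel's combined-log style, and a fake mail tree with cur/new/tmp, maildirsize files and the dotted links) and then lists the add_pop requests per account and flags every mailbox whose maildirsize mtime has no add_pop request shortly before it. The account name "acme", the domain example.test, the mailbox names, the IP and the session path are all constructed; on a real server the inputs are /usr/local/cpanel/logs/access_log and /home/USER/mail.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel.
# Correlates add_pop requests in cPanel's access_log with the mtime of each
# mailbox's maildirsize file and flags mailboxes that have no matching request.
# Everything under $WORK is a constructed fixture; on a real server use
# /usr/local/cpanel/logs/access_log and /home/USER/mail instead.
set -eu
export TZ=UTC                       # keep touch -d, date -d and stat in one zone

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/access_log"
MAILROOT="$WORK/mail"

# Constructed log lines (approximate combined-log style): two add_pop calls by
# account "acme", plus one unrelated page load that must be ignored.
cat >"$LOG" <<'EOF'
203.0.113.5 - acme [01/05/2023:09:12:10 -0000] "POST /cpsess0000000000/execute/Email/add_pop HTTP/1.1" 200 0 "https://example.test:2083/" "Mozilla/5.0"
203.0.113.5 - acme [01/05/2023:09:13:42 -0000] "POST /cpsess0000000000/execute/Email/add_pop HTTP/1.1" 200 0 "https://example.test:2083/" "Mozilla/5.0"
203.0.113.5 - acme [01/05/2023:09:14:00 -0000] "GET /cpsess0000000000/frontend/jupiter/mail/pops.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
EOF

# Build one mailbox the way the thread describes the layout: mail/DOMAIN/USER
# with cur/new/tmp, a maildirsize file, and the dotted link .USER@DOMAIN_TLD.
mk_mailbox() {   # $1 mail root, $2 domain, $3 local part, $4 "YYYY-MM-DD HH:MM:SS"
    d="$1/$2/$3"
    mkdir -p "$d/cur" "$d/new" "$d/tmp"
    printf '0S,0C\n0 0\n' >"$d/maildirsize"      # constructed placeholder content
    touch -d "$4" "$d/maildirsize"
    ln -sfn "$2/$3" "$1/.$3@$(printf '%s' "$2" | tr . _)"
}
mk_mailbox "$MAILROOT" example.test alice  "2023-05-01 09:12:15"   # 5 s after an add_pop
mk_mailbox "$MAILROOT" example.test bob    "2023-05-01 09:13:50"   # 8 s after an add_pop
mk_mailbox "$MAILROOT" example.test zz9k1x "2023-05-03 03:40:00"   # no add_pop at all

# Print "epoch ip user-agent" for every add_pop request made by account $2.
add_pop_events() {
    awk -v user="$2" '
        $3 == user && index($0, "/add_pop") > 0 {
            ts = substr($4, 2)                    # drop the leading "["
            split(ts, p, "[/:]")                  # dd mm yyyy HH MM SS
            n = split($0, q, "\"")                # q[n-1] is the last quoted field (UA)
            printf "%s-%s-%s %s:%s:%s %s %s\n", p[3], p[2], p[1], p[4], p[5], p[6], $1, q[n-1]
        }' "$1" |
    while read -r day clock ip ua; do
        printf '%s %s %s\n' "$(date -d "$day $clock" +%s)" "$ip" "$ua"
    done
}

# Print "epoch user@domain" for every mailbox under mail root $1.
mailbox_ctimes() {
    for f in "$1"/*/*/maildirsize; do
        [ -f "$f" ] || continue
        box=$(basename "$(dirname "$f")")
        dom=$(basename "$(dirname "$(dirname "$f")")")
        printf '%s %s@%s\n' "$(stat -c %Y "$f")" "$box" "$dom"
    done
}

# Mailboxes whose maildirsize mtime is not within $4 seconds after any add_pop
# request by account $2: candidates for having been created outside the API.
unlogged_mailboxes() {
    events=$(add_pop_events "$1" "$2" | awk '{ print $1 }')
    mailbox_ctimes "$3" | while read -r mt box; do
        matched=0
        for ev in $events; do
            if [ "$mt" -ge "$ev" ] && [ $((mt - ev)) -le "$4" ]; then matched=1; break; fi
        done
        if [ "$matched" -eq 0 ]; then
            printf '%s %s\n' "$(date -d "@$mt" '+%Y-%m-%dT%H:%M:%SZ')" "$box"
        fi
    done
}

echo "== add_pop requests by acme (epoch, ip, user agent) =="
add_pop_events "$LOG" acme
echo "== mailboxes with no add_pop request in the 60 s before their maildirsize mtime =="
unlogged_mailboxes "$LOG" acme "$MAILROOT" 60
```

The 60-second window is the tuning knob: wide enough that a mailbox created through the interface still pairs with the request that created it, narrow enough that one created by a script with no API call at all stands out as unlogged. If on a given system maildirsize turns out to be rewritten after creation, the same functions work with the mtime of the mailbox directory (or its cur/ subdirectory) substituted in mailbox_ctimes.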
 

cPRex (Jurassic Moderator, Staff member):
I like the "add_pop" recommendation above.

Whenever I want to find something that could have happened in the interface, I always recreate the action while running "tail -f /usr/local/cpanel/logs/access_log" so I have an idea what I'm looking for. Then, I can use that output to grep the log for previous entries of similar instances of the action performed in the interface.
 

Kent Brockman (Well-Known Member, PartnerNOC):
> Look in the /home/USERNAME/mail folder; you will see links to the mailboxes, like .user@domain_ext (starting with a dot) -> domain.ext/username
Hello guys, thanks for the answers. As I'm using maildir, this solution fits. I double-checked it with several accounts created nearly 10 years ago, and the modification date is truly reliable. Unless someone from cPanel adds trustworthy data, I will work with this. Thanks!
 

Kent Brockman (Well-Known Member, PartnerNOC):
> I like the "add_pop" recommendation above.
>
> Whenever I want to find something that could have happened in the interface, I always recreate the action while running "tail -f /usr/local/cpanel/logs/access_log" so I have an idea what I'm looking for. Then, I can use that output to grep the log for previous entries of similar instances of the action performed in the interface.
Yep, that will work on a regular account for sure.
But the Anonymous F***ing Fox malware just creates the folders from within a PHP script running inconspicuously. It won't execute the cPanel API nor leave any trackable logs. But there is one thing they cannot do, and that is changing the timestamp of files outside public_html. AND THAT IS the only way to know exactly which files the malware has altered in a compromised account.
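Kent's point above, that the modification times of files outside public_html are the trace that survives, as an added example that is not code from this thread or from cPanel: a find invocation that prunes public_html and lists every file under the account's home changed inside a suspected window. The home tree, the window and the file paths below (including etc/example.test/passwd, used here only as a hypothetical non-web file) are constructed; on a real server pass /home/USER and the window derived from access_log or from the mailbox timestamps.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: list the files under an
# account's home that changed inside a suspected infection window, skipping
# public_html (the web root the malware can rewrite freely). The home tree below
# is a constructed fixture with hypothetical paths.
set -eu
export TZ=UTC
HOMEDIR=$(mktemp -d)
trap 'rm -rf "$HOMEDIR"' EXIT

# Fixture helper: create an empty file with a chosen mtime.
stamp() { mkdir -p "$(dirname "$1")"; : >"$1"; touch -d "$2" "$1"; }
stamp "$HOMEDIR/public_html/wp-content/uploads/x.php"  "2023-05-03 03:39:00"   # web root: pruned
stamp "$HOMEDIR/mail/example.test/zz9k1x/maildirsize" "2023-05-03 03:40:00"   # inside window
stamp "$HOMEDIR/etc/example.test/passwd"              "2023-05-03 03:41:30"   # inside window (hypothetical path)
stamp "$HOMEDIR/mail/example.test/alice/maildirsize"  "2023-05-01 09:12:15"   # before window

# Files under $1, except the public_html subtree, with mtime in ($2, $3];
# prints "epoch path", oldest first. Both bounds are "YYYY-MM-DD HH:MM:SS".
changed_outside_public_html() {
    find "$1" -path "$1/public_html" -prune -o -type f \
         -newermt "$2" ! -newermt "$3" -exec stat -c '%Y %n' {} + | sort -n
}

echo "== files outside public_html changed between 03:00 and 04:00 on 2023-05-03 =="
changed_outside_public_html "$HOMEDIR" "2023-05-03 03:00:00" "2023-05-03 04:00:00"
```

Run it against the real home with a window taken from the unlogged mailbox timestamps; anything it lists outside mail/ is a file the cleanup has to review too, since a working mailbox needs more than the maildir itself.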
 

Kent Brockman (Well-Known Member, PartnerNOC):
On the other hand, this is a REALLY SERIOUS bug on the cPanel side: it shouldn't be as simple as manually creating the right files and folders, without any API validation, to obtain a working email account. And no, this last paragraph shouldn't require a Feature Request :) Anonymous Fox malware IS the most widespread exploit running in the wild, proving that cPanel can be hacked thanks to vulnerable scripts within the account.
Thus, it should be fixed ASAP.
 

cPRex (Jurassic Moderator, Staff member):
When it comes down to it, isn't *everything* on a server the right combination of files and folders? If someone creates them in the right areas with the right permissions and the right content, who is to say it's not valid? Everything is just read from configuration files anyway, so I'm not entirely sure how you'd get around that.

It's important to note that Anonymous Fox isn't a vulnerability in cPanel software, as the code has to get uploaded to the user account through some other way (usually WordPress) before the attack can begin: https://support.cpanel.net/hc/en-us...hat-is-the-anonymousfox-address-on-my-system-
 