Can I determine when an email account have been created?

[Kent Brockman]

Hello guys, I have an account with hundreds of email addresses and some seem to be fake ones, created during an Anonymous Fox infection.
I need a command to know when every email account have been created, no matter if it's a log or reading the folder timestamp. Is there any way I can achieve this?

 

[xpy-xpy]

AFAIK there are no such logs in Cpanel. I would start by grepping "add_pop" together with Cpanel account username in Cpanel's access_log

Names of the created mailboxes are not logged, but at least you may be able to find the IPs, user agents and time ranges of the infection activity, as well as the number of recently created addresses.

Then I would write a script to compare the acquired time range data with the timestamps of mailbox files that are unlikely to have been modified since creation such as maildirsize.

Finally, if the results give no reason to doubt, still double-check everything and delete the addresses from the list using UAPI.

Having more detailed logs would have made things much easier, of course..

 

[quietFinn]

Hello guys, I have an account with hundreds of email addresses and some seem to be fake ones, created during an Anonymous Fox infection.
I need a command to know when every email account have been created, no matter if it's a log or reading the folder timestamp. Is there any way I can achieve this?

Look in /home/USERNAME/mail folder, you see links to the mailboxes, like [email protected]_ext (starting with a dot) -> domain.ext/username

 

[xpy-xpy]

Look in /home/USERNAME/mail folder, you see links to the mailboxes, like [email protected]_ext (starting with a dot) -> domain.ext/username

Will not work for mdbox mailboxes, though. Only for maildir.

 

[cPRex]

I like the "add_pop" recommendation above.

Whenever I want to find something that could have happened in the interface, I always recreate the action while running "tail -f /usr/local/cpanel/logs/access_log" so I have an idea what I'm looking for. Then, I can use that output to grep the log for previous entries of similar instances of the action performed in the interface.

 

[Kent Brockman]

Look in /home/USERNAME/mail folder, you see links to the mailboxes, like [email protected]_ext (starting with a dot) -> domain.ext/username

Hello guys, thanks for the answers. As I'm using maildir, this solution fit in. I double checked it with several accounts, created nearly 10 years ago and the date of modification is truly reliable, Unless someone from cPanel add trustworthy data, I will work with this. Thanks!

 

[Kent Brockman]

I like the "add_pop" recommendation above.

Whenever I want to find something that could have happened in the interface, I always recreate the action while running "tail -f /usr/local/cpanel/logs/access_log" so I have an idea what I'm looking for. Then, I can use that output to grep the log for previous entries of similar instances of the action performed in the interface.

Yep, that will work on a regular account for sure.
But the Anonymous F***ing Fox malware just create the folders from within a PHP script running inconspicuously. It won't execute cPanel API nor leave any trackable logs. But there is one thing they cannot do, and it's changing the timestamp of files outside public_html. AND THAT IS the only way to know exactly what files have the malware altered in a compromised account.

 

[Kent Brockman]

In the other hand, this is a REALLY SERIOUS bug on the cPanel side: it shouldn't be that simple as manually creating the right files and folders without any API validation, to obtain a working email account. And no, this last paragraph shouldn't require a Feature Request Anonymous Fox malware IS the most spread exploit running in the wild, proving that cPanel can be hacked thanks to vulnerable scripts within the account.
Thus, it should be fixed asap.

 

[cPRex]

When it comes down to it, isn't *everything* on a server the right combination of files and folders? If someone creates them in the right areas with the right permissions and the right content, who is to say it's not valid? Everything is just read from configuration files anyway, so I'm not entirely sure how you'd get around that.

It's important to note that Anonymous Fox isn't a vulnerability in cPanel software, as the code has to get uploaded to the user account through some other way (usually WordPress) before the attack can begin: https://support.cpanel.net/hc/en-us...hat-is-the-anonymousfox-address-on-my-system-