
How to find details on the deletion of an account in cPanel?

The deletion of an account on a cPanel server is an unfortunate event. If a cPanel user account has been deleted, which logs should you check on the server? Below are a few details and the procedure to follow when an account has been deleted.

First, check if you have backups enabled

You can always restore an account backup if a cPanel account or an email account goes missing, but you might want to review logs and do your analysis first.

Next, review some logs for deletion of an account

There are some relevant logs that you should review; however, this isn’t foolproof.

  • /usr/local/cpanel/logs/access_log
    • You’ll want to look for these API calls
      • removeacct – for removed cPanel accounts
      • delete_pop – for removed email accounts
  • /home/cpanelusername/.bash_history and /root/.bash_history
    • Look for things like: rm, deluser
  • /var/log/messages
    • Look for FTP logs
  • /var/log/secure
    • This will contain SSH login information
  • /home/cpanelusername/.lastlogin
    • This contains the IP addresses of recent logins for the user
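
The access_log check above can be scripted. The following is an added example, not part of the original article: it assumes access_log lines use the Apache-combined style layout shown in the comments, and the sample lines (IPs, session tokens, parameter names) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise deletion-related API calls in a cPanel access_log.
# Assumption: Apache-combined style lines, i.e.
#   IP - authuser [time zone] "METHOD /path?query HTTP/x" status ...

# Constructed sample lines (not real log data; parameter names are illustrative).
sample_access_log() {
    cat <<'EOF'
203.0.113.10 - root [10/Mar/2024:14:02:11 -0500] "GET /cpsess0000000000/json-api/removeacct?api.version=1&username=exampleuser HTTP/1.1" 200 0 "-" "-" "s" "-" 2087
198.51.100.7 - exampleuser [10/Mar/2024:14:05:40 -0500] "GET /cpsess1111111111/frontend/jupiter/index.html HTTP/1.1" 200 0 "-" "-" "s" "-" 2083
198.51.100.7 - exampleuser [10/Mar/2024:14:06:02 -0500] "POST /cpsess1111111111/execute/Email/delete_pop HTTP/1.1" 200 0 "-" "-" "s" "-" 2083
EOF
}

# find_deletions LOGFILE
# Prints: timestamp source_ip auth_user api_call http_status query_string
find_deletions() {
    awk '
    {
        # Field 7 is the request target; split it into path and query string.
        path = $7; query = "-"
        q = index(path, "?")
        if (q > 0) { query = substr(path, q + 1); path = substr(path, 1, q - 1) }

        # Match on the last path component only, so a parameter value that
        # merely mentions the call name is not counted as a deletion.
        n = split(path, seg, "/")
        call = seg[n]
        if (call != "removeacct" && call != "delete_pop") next

        ts = substr($4, 2)   # drop the leading "["
        # POST requests carry their parameters in the body, so query stays "-".
        print ts, $1, $3, call, $9, query
    }' "$1"
}

# Run against a real log when a path is given as the first argument, e.g.
#   ./find_deletions.sh /usr/local/cpanel/logs/access_log
if [ -n "${1:-}" ]; then find_deletions "$1"; fi
```

The source IP and authenticated user in each output line can then be compared against /var/log/secure and /home/cpanelusername/.lastlogin for the same time window.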

What can be done when files go missing from a cPanel account?

If files have gone missing from a cPanel account you have the following options:

  • Restore from a backup.
  • Review some of the logs on the server to see if you can find clues about the issue.
  • Hire a security professional to investigate a potential compromise.
  • Hire a data recovery professional to attempt to recover the files.

If you want to hire a security professional to investigate the issue, do not restore a backup or make any modifications to the files on the account.

No matter what, be sure to reset the password on the account as soon as possible.

If you would like to attempt to review some of the logs in your own investigation you may consider checking the following:

  • /var/log/secure – This log contains SSH login information.
  • /var/log/messages – This log often contains FTP logs.
  • /usr/local/cpanel/logs/access_log – This contains logs relevant to File Manager and cPanel.
  • /home/cpanelusername/.bash_history – This is the user’s bash history if shell access is enabled.
  • /home/cpanelusername/.lastlogin – This contains the IP addresses of recent logins for the user.

The logs above will help you find details of the deletion of an account on a cPanel server.

To configure and download raw access logs in cPanel, click this link.