Find compromised email accounts Exim/cPanel

Generally, an email account that has been logged into an unusually large number of times is a strong indicator of a compromised account. To count the logins to every email account on the system for a particular date, run the following command:

grep '^2022-06-10.*dovecot_login:' /var/log/exim_mainlog | awk -F 'A=dovecot_login:' '{ split($2, addr, " "); print addr[1] }' | sort | uniq -c | sort -nr | head

Once you have the list of email accounts that logged in, along with their login counts, run the following command for a suspicious account to see what it has been sending (the time, the account, and the subject of each message):

grep '^2022-06-10.*dovecot_login:SUSPICIOUS_EMAIL@example.com' /var/log/exim_mainlog | awk -v OFS='\t' -F 'A=dovecot_login:|T="' '{ split($1, ts, " "); split($2, addr, " "); print ts[2], addr[1], $NF }'
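The two commands above, wrapped into reusable shell functions with a login-count threshold, as an added example that is not part of the original page. The log lines are constructed sample data in exim_mainlog format, and the function names (login_counts, flag_accounts, sent_subjects) and the threshold value are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. The log below is constructed
# sample data in exim_mainlog format; on a cPanel host use /var/log/exim_mainlog.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
2022-06-09 23:58:01 1o0aaa-000001-AA <= bob@example.com H=(pc) [198.51.100.7]:50001 P=esmtpsa A=dovecot_login:bob@example.com S=901 id=a1@example.com T="Invoice"
2022-06-10 08:01:12 1o0aaa-000002-AB <= alice@example.com H=(pc) [192.0.2.10]:51234 P=esmtpsa A=dovecot_login:alice@example.com S=812 id=b1@example.com T="Weekly report"
2022-06-10 08:05:40 1o0aaa-000003-AC <= bob@example.com H=([203.0.113.5]) [203.0.113.5]:40001 P=esmtpa A=dovecot_login:bob@example.com S=2201 id=c1@spam.invalid T="You have won"
2022-06-10 08:05:41 1o0aaa-000004-AD <= bob@example.com H=([203.0.113.5]) [203.0.113.5]:40002 P=esmtpa A=dovecot_login:bob@example.com S=2201 id=c2@spam.invalid T="You have won"
2022-06-10 08:05:42 1o0aaa-000005-AE <= bob@example.com H=([203.0.113.5]) [203.0.113.5]:40003 P=esmtpa A=dovecot_login:bob@example.com S=2310 id=c3@spam.invalid T="Account verification required"
2022-06-10 08:06:00 1o0aaa-000003-AC => victim@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.25]
2022-06-10 09:30:05 1o0aaa-000006-AF <= alice@example.com H=(pc) [192.0.2.10]:51300 P=esmtpsa A=dovecot_login:alice@example.com S=640 id=b2@example.com T="Re: Weekly report"
EOF

# Logins per account on one date, most active first: prints "<count> <account>".
login_counts() {   # $1 = date (YYYY-MM-DD), $2 = log file
    grep "^$1 .*A=dovecot_login:" "$2" \
      | awk -F 'A=dovecot_login:' '{ split($2, addr, " "); print addr[1] }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Accounts that logged in more than a threshold number of times on that date.
flag_accounts() {  # $1 = date, $2 = threshold (assumed value), $3 = log file
    login_counts "$1" "$3" | awk -v max="$2" '$1 > max { print $2 }'
}

# Time, account and subject of each message one account sent on that date
# (tab-separated). The account is matched literally, not as a regex.
sent_subjects() {  # $1 = date, $2 = account, $3 = log file
    awk -v d="$1" -v acct="$2" -v OFS='\t' -F 'A=dovecot_login:|T="' '
        index($0, d " ") == 1 && index($0, "A=dovecot_login:" acct " ") {
            split($1, ts, " "); split($2, addr, " "); sub(/"$/, "", $NF)
            print ts[2], addr[1], $NF
        }' "$3"
}

# Stand-alone run: list the most active accounts, then what each flagged one sent.
login_counts 2022-06-10 "$LOG"
for a in $(flag_accounts 2022-06-10 2 "$LOG"); do
    sent_subjects 2022-06-10 "$a" "$LOG"
done
```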