I got an lfd alert late last night that someone logged into WHM with root access.
Everything seems in order, but is there any way I can tell (by looking in logs, etc.) if anything was changed?
You might start by checking the exact time on the email against the time of night cpupdates run.
(and of course change your password just to be sure you're locked down well)
Sorry for the foolish question but how do I find out what time cpupdates runs? Is that a setting somewhere?
The first thing I did was change my password!
In the email from LFD there should have been an IP address. Have you checked the location and then taken it from there? You can check an IP location somewhere like DNSstuff.
Was your old password an easy to guess one ?
Do you know if they did anything like delete or add an account ?
I presume they were referring to UPCP. When UPCP runs on my server, I normally get an email once it has finished.
Last edited by DolphinEcho; 07-23-2009 at 07:18 AM.
The first thing I checked was the location of the IP address. It showed up as being only a town away from where I am located.
Doing a search with DNSstuff just now revealed that it actually occurred from my place of employment (very interesting, since I was definitely at home when the "breach" occurred).
My password was very secure and I change it every other month.
With the additional information I received with DNSstuff I feel a little better about the whole thing.
It would still be nice if I could figure out whether anything major was done. There are no additional accounts or services added, and my SSH password auth remained off. Is there a way I can clear all keys for SSH?
Hi,
1) First you need to change the root password.
2) Check the logs thoroughly.
3) Scan the server using the latest scanning tools.
4) Try to find out everything that guy did.
Hope that you have disabled direct root login in the server.
Yes, direct root login has been disabled.
I still need to skim through the logs, do you have any suggestions where I should start to look first?
I work for a rather large company so I am leaning to believe that it was just an IT guy fooling around and just seeing if it would actually work. They do monitor network traffic/computer usage at the office.
I think you should probably look into cPanel access logs. The location of cPanel logs would be /usr/local/cPanel/logs/access_log
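As an added example (not code from this thread), here is a small Python triage script for that log: it pulls the access_log entries within a window around the lfd alert time, keeps those from the alerted IP or from any root session regardless of IP, and flags the state-changing requests to look at first. It assumes the real path is /usr/local/cpanel/logs/access_log (lowercase) and the Apache-style combined line layout shown in the constructed sample; the timestamp format is an assumption to confirm against a real line from your own log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. The assumed layout is the Apache-style combined
# format cPanel writes to /usr/local/cpanel/logs/access_log:
# IP, ident, authenticated user, [timestamp], "request", status, size, ...
# Compare against a real line from your own log before trusting the regex.
SAMPLE_LOG = """\
198.51.100.7 - root [07/23/2009:01:58:12 -0000] "GET /cpsess123/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - brian [07/23/2009:02:05:40 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - root [07/23/2009:02:07:03 -0000] "POST /scripts/killacct HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - root [07/23/2009:09:30:00 -0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

TS_FORMAT = "%m/%d/%Y:%H:%M:%S %z"  # assumed; adjust if your log differs
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access_log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FORMAT)
    d["status"] = int(d["status"])
    return d

def entries_near_alert(log_text, alert_iso, window_minutes, ip=None, user="root"):
    """Entries within +/-window of the alert (ISO 8601 with offset) that come
    from the alerted IP or carry the privileged user, from whatever IP."""
    alert = datetime.fromisoformat(alert_iso)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or abs(e["ts"] - alert) > window:
            continue
        if e["ip"] == ip or e["user"] == user:
            hits.append(e)
    return hits

def state_changing(entries):
    """POSTs and /scripts endpoints are what actually changes the server
    (accounts, settings); triage these before plain page views."""
    return [e for e in entries if e["method"] == "POST" or "/scripts" in e["path"]]

if __name__ == "__main__":
    near = entries_near_alert(SAMPLE_LOG, "2009-07-23T02:00:00+00:00", 30, ip="198.51.100.7")
    for e in state_changing(near):
        print(e["ts"].isoformat(), e["ip"], e["user"], e["method"], e["path"])
```

Grepping only for the alerted IP, as in the follow-up below, misses a root session that came from another address; filtering on the user as well closes that gap.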
Thanks!
Yes it is
After looking through the rather large (166 MB) access_log file, I don't see any access at that time from the IP that the email had indicated.
I didn't get any shell login notifications and no new accounts were created.
Could it be just a fluke?
Thanks
Brian
Might be best to ask the folks who make lfd if it is a fluke: ConfigServer Services