How come my WHM was accessed using root by one who doesn't have password?
My WHM has been accessed using root by our branch office in other country, they only have FTP's account and password, there's no any way for them to get root's password.
It happend once last month, and i already change root's password.
But my WHM sent an e-mail of WHM root access alert just few minutes ago.
Is there any possible for them to access WHM with their ftp password or what?
our branch office is using a different ip from us, and we don't have any VPN between us.
Last edited by frankhsu; 12-16-2009 at 02:18 AM.
There can be 2 things from what Ive observed:Originally Posted by frankhsu
1. You have a cached WHM where you didnt log out and your branch office was able to access the cached session
2. I observe that when one IP has successfully logged in to WHM and then an attempt to log in using the same IP was made even if it is not successful, WHM sends out an email that it has logged in the server as root. I dont know why such that so to check if they were really able to log in to the server, check your logs.
WHM does not send out an e-mail upon someone logging-in; the e-mail would have been generated by a non-stock modification or third-party software.
I recommend checking the following two log files and cross-referencing similar entries (e.g., those with a matching IP address) to help determine specific information about the login attempts and what, if anything, was accessed beyond the attempted login:
If using cPHulk the following log file may also be checked:Code:/usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/login_log
Code:/usr/local/cpanel/logs/cphulkd.log
cPResources: Submit a Support Request - Submit a Bug Report - Review existing Tickets-- Donald cPanelDon Holl - Analyst, cPanel Quality Assurance
LinkBack URL
About LinkBacks
Reply With Quote