Access denied "GET /xml-api/listaccts"

kernow

Well-Known Member
Jul 23, 2004
995
42
178
cPanel Access Level
Root Administrator
One of our servers in our cluster is suddenly reporting login attempt errors from one of our servers:
GET /xml-api/listaccts HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
GET /xml-api/showbw HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
GET /xml-api/resellerstats?reseller=name HTTP/1.1" FAILED LOGIN whostmgrd: user password
The cluster is set up only for DNS so what script would be requesting login for list accounts / reseller stats?
(its odd that access would be denied anyway as the DNS cluster is working OK)
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

Do you have cPHulk brute force detection enabled on the DNS-Only machine? If so, check to see if the hosting server has been locked out by cPhulkd.

Thank you.
 

kernow

Well-Known Member
Jul 23, 2004
995
42
178
cPanel Access Level
Root Administrator
Hi,
Sorry, I didn't explain properly, there is no DNS only machine, I mean't that the cluster is only for syncing DNS records between servers, as we understand it there is no other purpose for the cluster is there?. The cluster is working OK. No, we don't use cPHulk.
The errors are coming from CSF log and the server attempting login isn't locked out despite the connection refused message. What I don't understand is what script on the server would request info on resellerstats on a remote server?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Do you have any third-party applications (e.g. billing) on the cPanel server that is making the connection which could be requesting the account list or to view reseller statistics?

Thank you.
 

kernow

Well-Known Member
Jul 23, 2004
995
42
178
cPanel Access Level
Root Administrator
Do you have any third-party applications (e.g. billing) on the cPanel server that is making the connection which could be requesting the account list or to view reseller statistics?

Thank you.
Hi,
Thanks for the suggestion, yes it turned out to be WHMCS cron job. Haven't figured out why it gets connection refused yet, but we know where to look now. Thanks.