
Any idea what this means?

Discussion in 'Security' started by lblanchardiii, Oct 21, 2011.

  1. lblanchardiii

    lblanchardiii Well-Known Member

    Joined:
    Nov 20, 2005
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    Got these messages in my log. Anyone got any idea what they mean?

    Code:
     --------------------- Connections (secure-log) Begin ------------------------
    
    
     **Unmatched Entries**
       Cp-Wrap: CP-Wrapper terminated without error : 655 Time(s)
       Cp-Wrap: Pushing "527 ADD hack XXXXXXXXXXXXXXXXXXX 0 /home/uploadu/uploads/public_html/hack " to '/usr/local/cpanel/bin/domainadmin' for UID: 527 : 2 Time(s)
       Cp-Wrap: Pushing "527 ADD mrhack XXXXXXXXXXXXXXXXXXX 0 /home/uploadu/uploads/public_html/mrhack " to '/usr/local/cpanel/bin/domainadmin' for UID: 527 : 5 Time(s)
       Cp-Wrap: Pushing "527 ADD mrhack.com XXXXXXXXXXXXXXXXXXX 0 /home/uploadu/uploads/public_html/mrhack.com " to '/usr/local/cpanel/bin/domainadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADD mrhack.upload.ut-files.com X" to '/usr/local/cpanel/bin/parkadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADD mrhack.upload.ut-files.com XXXXXXXXXXXXXXXXXXXXXXXXXX 0 /home/uploadu/uploads/public_html/mrhack.upload.ut-files.com " to '/usr/local/cpanel/bin/domainadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDDB 398 " to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 3 Time(s)
       Cp-Wrap: Pushing "527 ADDDB 398" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDDB fel " to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDDB mrhack" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDHOST uploadu XXXXXX" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDHOST uploadu XXXXXXXXXXXXXXXXXXXXXXXXXX" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDUSER 398 XXXXXXXXXXX" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDUSER mrhack XXXXXXXXXXX" to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDUSER mrhack2 XXXXXXXXXXX" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDUSERDB uploadu_398 XXXXXXXXXXX ALTER,CREATEROUTINE,TEMPORARY,CREATE,DELETE,DROP,SELECT,INSERT,UPDATE,REFERENCES,INDEX,LOCK,ALL" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 ADDUSERDB uploadu_mrhack XXXXXXXXXXXXXXX ALTER,CREATEROUTINE,TEMPORARY,CREATE,DELETE,DROP,SELECT,INSERT,UPDATE,REFERENCES,INDEX,LOCK,ALL" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 CHANGEPASSWD 0590888141 " to '/usr/local/cpanel/bin/securityadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 CHECKDB uploadu_398" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 DBCACHE " to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 14 Time(s)
       Cp-Wrap: Pushing "527 DBCACHE" to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 8 Time(s)
       Cp-Wrap: Pushing "527 DELHOST uploadu mrhack" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 FETCHTYPES 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 527 : 91 Time(s)
       Cp-Wrap: Pushing "527 GETDOMAINIP upload.ut-files.com " to '/usr/local/cpanel/bin/apacheadmin' for UID: 527 : 47 Time(s)
       Cp-Wrap: Pushing "527 ISREMOTE " to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 14 Time(s)
       Cp-Wrap: Pushing "527 LISTDBS " to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 77 Time(s)
       Cp-Wrap: Pushing "527 LISTDBSWITHSPACE " to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 61 Time(s)
       Cp-Wrap: Pushing "527 LISTDBSWITHSPACE " to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 8 Time(s)
       Cp-Wrap: Pushing "527 LISTHOSTS " to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 7 Time(s)
       Cp-Wrap: Pushing "527 LISTMULTIPARKED 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 527 : 101 Time(s)
       Cp-Wrap: Pushing "527 LISTPRIVS uploadu_398 localhost uploadu_398 " to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 LISTPRIVS uploadu_mrhack2 localhost uploadu_mrhack " to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 LISTSTORE 0 0 " to '/usr/local/cpanel/bin/ftpadmin' for UID: 527 : 47 Time(s)
       Cp-Wrap: Pushing "527 LISTSUBDOMAINS 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 527 : 113 Time(s)
       Cp-Wrap: Pushing "527 LISTUSERS " to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 16 Time(s)
       Cp-Wrap: Pushing "527 REFRESH 0 0 " to '/usr/local/cpanel/bin/ftpadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 REPAIRDB uploadu_398" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 UPDATECONTACTINFO 0 " to '/usr/local/cpanel/bin/reselleradmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 UPDATEPRIVS " to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 UPDATEPRIVS " to '/usr/local/cpanel/bin/postgresadmin' for UID: 527 : 1 Time(s)
       Cp-Wrap: Pushing "527 UPDATEPRIVS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 19 Time(s)
       Cp-Wrap: Pushing "527 VERSION" to '/usr/local/cpanel/bin/mysqladmin' for UID: 527 : 2 Time(s)
    
     ---------------------- Connections (secure-log) End -------------------------
     
  2. gnutoolbox

    gnutoolbox Member

    Joined:
    Sep 25, 2011
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
  3. lblanchardiii

    lblanchardiii Well-Known Member

    This doesn't look like something that I need to just ignore. When I log into the FTP's cPanel account that is mentioned in those logs, I see subdomains that are mentioned in those logs as well, but they do not seem to resolve when I go to them. Also, the two database users and database names that are mentioned in the logs are indeed in MySQL. I did not put them there, so something is going on and I don't think it needs to just be "ignored" ...
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Please submit a ticket if you suspect some type of compromise to the system, especially since some of the names have "hack" in them. You can submit a ticket either in WHM > Support Center > Contact cPanel or using the link in my signature.
     
  5. lblanchardiii

    lblanchardiii Well-Known Member

    Ticket submitted.
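
An added example, not part of the original thread and not cPanel's own tooling: a Python triage of the Cp-Wrap lines in a Logwatch report like the one in the first post. It separates account-modifying calls from routine listing calls so they can be compared with what the account owner actually created. The verb classification by name prefix, the first-argument-as-target heuristic, and the sample account names are assumptions.

```python
import re
from collections import defaultdict

# Logwatch "Unmatched Entries" line for a cPanel wrapper call, as on this page.
LINE = re.compile(
    r'Cp-Wrap: Pushing "(?P<uid>\d+) (?P<verb>[A-Z]+)(?P<args>[^"]*)" '
    r"to '(?P<admin>[^']+)' for UID: (?P=uid) : (?P<count>\d+) Time\(s\)"
)

# Assumption: verbs are classified by name only (prefixes taken from the log
# in the first post); this is not an official cPanel list.
CHANGE_PREFIXES = ("ADD", "DEL", "CHANGE", "UPDATE", "REPAIR")

def state_changes(report):
    """Return {uid: [(admin_binary, verb, first_arg, count), ...]} for
    calls whose verb suggests the account was modified."""
    found = defaultdict(list)
    for line in report.splitlines():
        m = LINE.search(line)
        if not m or not m["verb"].startswith(CHANGE_PREFIXES):
            continue  # summary lines and read-only calls (LIST*, FETCHTYPES, ...)
        args = m["args"].split()
        target = args[0] if args else ""  # assumption: first argument names the object
        admin = m["admin"].rsplit("/", 1)[-1]
        found[int(m["uid"])].append((admin, m["verb"], target, int(m["count"])))
    return dict(found)

def unexpected(changes, known_names):
    """Keep only changes with a named target the account owner did not create."""
    return {
        uid: [c for c in calls if c[2] and c[2] not in known_names]
        for uid, calls in changes.items()
    }

# Constructed sample in the same format (UID and names are placeholders).
SAMPLE = '''
   Cp-Wrap: CP-Wrapper terminated without error : 655 Time(s)
   Cp-Wrap: Pushing "1001 LISTDBS " to '/usr/local/cpanel/bin/postgresadmin' for UID: 1001 : 77 Time(s)
   Cp-Wrap: Pushing "1001 ADDDB shop" to '/usr/local/cpanel/bin/mysqladmin' for UID: 1001 : 1 Time(s)
   Cp-Wrap: Pushing "1001 ADDDB newdb1" to '/usr/local/cpanel/bin/mysqladmin' for UID: 1001 : 1 Time(s)
   Cp-Wrap: Pushing "1001 ADD sub1 XXXXXXXX 0 /home/example/public_html/sub1 " to '/usr/local/cpanel/bin/domainadmin' for UID: 1001 : 2 Time(s)
   Cp-Wrap: Pushing "1001 UPDATEPRIVS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 1001 : 19 Time(s)
'''

if __name__ == "__main__":
    for uid, calls in unexpected(state_changes(SAMPLE), {"shop"}).items():
        for admin, verb, target, count in calls:
            print(f"UID {uid}: {admin} {verb} {target} x{count}")
```

Anything this reports is a lead to reconcile against the account's real subdomains, databases and database users, not proof of compromise on its own.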
     