Hi,
I come here at the end of what I guess you could call a forensic analysis, to triple check that I haven't got any other security issues which could affect what I saw yesterday. So, if you like, this is a last resort to see if there's anyone who can help shed some light on this.
Back in January I had a newly provisioned server which I was moving some existing sites to. To start with I gave it the hostname (changed from real for privacy) 'host.domain1.com'. After quite a bit of tinkering, I decided I wanted it to be a different host and domain so changed it, before transferring any of the sites or making any of the sites visible on the internet. The 'host.domain1.com' has never been referenced anywhere and is not particularly guessable, and the DNS A record for it did not 'leak out' to my knowledge as a valid host.
So fast forward to yesterday: after 10 months of using the different hostname with no security issues, I received an lfd alert for WHM root logins, and curiously they were trying from this original 'host.domain1.com'. This is the log entry for what happened (IP details/host details redacted):
123.234.x.x - - [11/13/2012:17:51:16 -0000] "GET / HTTP/1.1" 401 0 "https://totally.differenthost.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - - [11/13/2012:17:51:16 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - root [11/13/2012:17:51:16 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - - [11/13/2012:17:51:17 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - root [11/13/2012:17:51:17 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - - [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - root [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - - [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - root [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - - [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
123.234.x.x - root [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2"
They weren't successful getting in (the root password is routinely changed anyway, and I have no idea if they were just using a dictionary attack before being blocked, or had the original password). They didn't try again from a different IP.
The oddness is that they didn't load any images, css etc - that is literally all there is, and it is the first ever root attempt I have witnessed (ssh is firewalled out since day one, so WHM is the only way to get in that way).
I have painstakingly gone through the entire 40MB cPanel access log from day 1 and can account for every single IP address hit up until this one yesterday.
The issue I have isn't that someone's trying to get in - I expect the occasional bot - but that they had the 'host.domain1.com' address, and weirdly, seemed to arrive through a totally unrelated host (the totally.differenthost.com in the first line of the log) - different country, hosting company, etc... but I have verified it does also present a WHM login screen.
Is there any way, by just POSTing to /login, they could get some form of host information from the server, some of which may be historical? It's clearly not a regular browser hitting it, because of the lack of loading anything other than POSTing to /login.
I'm slightly tearing my hair out over this. It would have been fine if they'd used the current host name, as I'd understand that may have been seen in the wild (email headers etc), but this original hostname just isn't known and was never shared/used in the wild.
Any ideas would be very welcome!
Thanks!
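The three things the poster picked out of the log by hand (repeated 401s for root on POST /login/, no CSS or image requests from the same IP, and Referer hosts that are not the server's current hostname) can be checked mechanically across the whole access log. The following is an added example, not code from the post or from cPanel, that parses lines in the format shown above and flags those three indicators per source IP. The log lines embedded in it are constructed to mirror the redacted entries in the post (with documentation-range IPs 203.0.113.5 and 198.51.100.7 and a made-up benign session), and the current hostname 'host.domain2.com' and the `/login/login.css` path are assumptions for the sake of the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Line format seen in the post's cPanel/WHM access log:
#   ip - user [date] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions a real browser would normally fetch after rendering the login page
STATIC_EXT = ('.css', '.js', '.png', '.gif', '.jpg', '.ico')

# Assumed for the example: the hostname the server has used for the last 10 months
ASSUMED_CURRENT_HOSTNAME = 'host.domain2.com'

# Constructed sample log (not the poster's real data): the attacker's burst as
# shown in the post, plus one benign browser session from a different IP.
UA = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2'
SAMPLE_LOG = [
    f'203.0.113.5 - - [11/13/2012:17:51:16 -0000] "GET / HTTP/1.1" 401 0 "https://totally.differenthost.com:2087" "{UA}"',
    f'203.0.113.5 - - [11/13/2012:17:51:16 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - root [11/13/2012:17:51:16 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - - [11/13/2012:17:51:17 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - root [11/13/2012:17:51:17 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - - [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - root [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - - [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - root [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - - [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 301 0 "https://host.domain1.com:2087" "{UA}"',
    f'203.0.113.5 - root [11/13/2012:17:51:25 -0000] "POST /login/ HTTP/1.1" 401 0 "https://host.domain1.com:2087" "{UA}"',
    # Constructed benign session: unauthenticated GET of the login page, then a stylesheet load
    '198.51.100.7 - - [11/13/2012:09:02:10 -0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"',
    '198.51.100.7 - - [11/13/2012:09:02:10 -0000] "GET /login/login.css HTTP/1.1" 200 4123 "https://host.domain2.com:2087/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"',
]


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname (without port) from a Referer URL; None for '-' or empty."""
    if not referer or referer == '-':
        return None
    return urlsplit(referer).hostname


def analyse(lines, current_hostname):
    """Group entries by source IP and compute the indicators the post describes."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec['ip']].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        # Rejected credential submissions: POST to /login/ with a username logged and a 401
        failed_logins = sum(1 for r in recs
                            if r['method'] == 'POST' and r['path'].startswith('/login')
                            and r['status'] == '401' and r['user'] != '-')
        usernames = sorted({r['user'] for r in recs if r['user'] != '-'})
        # A browser rendering the page would fetch at least one asset; a script usually does not
        static_hits = sum(1 for r in recs
                          if r['method'] == 'GET' and r['path'].lower().endswith(STATIC_EXT))
        referers = sorted({h for h in (referer_host(r['referer']) for r in recs) if h})
        findings[ip] = {
            'requests': len(recs),
            'failed_logins': failed_logins,
            'usernames': usernames,
            'static_hits': static_hits,
            'referer_hosts': referers,
            # Referer hosts that are not the name this server currently uses
            'unexpected_referers': [h for h in referers if h != current_hostname],
            'scripted': failed_logins > 0 and static_hits == 0,
        }
    return findings


def run_sample():
    """Run the analysis over the constructed sample log."""
    return analyse(SAMPLE_LOG, ASSUMED_CURRENT_HOSTNAME)


if __name__ == '__main__':
    for ip, f in run_sample().items():
        print(ip, f)
```

Running it over a real log is a matter of replacing `SAMPLE_LOG` with the lines of the access log file; IPs where `scripted` is true and `unexpected_referers` is non-empty are the ones worth the kind of manual review the poster did. Note that the Referer header is entirely client-controlled, so its value says what the client chose to send, not what the server disclosed.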