Basic WebHost Manager® Setup - reset on its own

[amstel]

Hi,

I have migrated to the new server and restored cPanel backups.
Since then I have a weird problem with the Basic WebHost Manager® Setup.
Every couple of weeks or months the new WHM server resets Basic WebHost settings to the settings from the old server (contact information email and nameservers IP).

Please could you advise?

/etc/redhat-release:CentOS release 6.9 (Final)
/usr/local/cpanel/version:11.68.0.33
/var/cpanel/envtype:kvm
CPANEL=release v68.0.33

 

[cPanelMichael]

Hello,

The behavior you reported shouldn't happen unless someone with administrator access is manually restoring files, or if a third-party application is making changes. Is it possible you have a third-party application installed that's altering or restoring the /etc/wwwacct.conf file on the system?

Thank you.

 

[amstel]

Thank you for your quick reply.
I am with you, it should not happen as my other cPanel's servers works fine.
I have ClamAV and CSF but I do not think they could alter or restore /etc/wwwacct.conf file.

I am going to monitor this file with the linux demon audit:

/etc/audit/audit.rules

-w /etc/wwwacct.conf -p wa -k manager

 

[cPanelMichael]

I am going to monitor this file with the linux demon audit

That's a good idea. Feel free to let us know the outcome once it detects a change to the file.

 

[amstel]

I have detected the change to the file.

time->Wed Apr 11 10:22:19 2018
type=PATH msg=audit(1523438539.215:198): item=1 name="/etc/wwwacct.conf" inode=4071377 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
type=PATH msg=audit(1523438539.215:198): item=0 name="/etc/" inode=4063233 dev=fc:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
type=CWD msg=audit(1523438539.215:198):  cwd="/"
type=SYSCALL msg=audit(1523438539.215:198): arch=c000003e syscall=2 success=yes exit=3 a0=2b46eb0 a1=241 a2=1b6 a3=7f4a01aa5d90 items=2 ppid=3366 pid=3371 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295

comm="cpanel.pl" exe="/usr/bin/perl" subj=system_u:system_r:initrc_t:s0 key="manager"

Any thoughts?

 

[cPanelMichael]

time->Wed Apr 11 10:22:19 2018

Hello,

Do you happen to notice any particular output to the cPanel access log (/usr/local/cpanel/logs/access_log) around this time? Or, do you notice any activity around this time in the recent cPanel update log under the /var/cpanel/updatelogs/ directory?

Thank you.

 

[amstel]

Hi Michael,

/var/cpanel/updatelogs/update.*.log shows that /usr/local/cpanel/bin/dcpumon Added Contact [email protected]

[2018-04-10 04:58:04 +0100]   87% complete

[2018-04-10 04:58:04 +0100]    - Finished in 0.012 seconds

[2018-04-10 04:58:04 +0100]   Processing: Checking for new security advice

[2018-04-10 04:58:04 +0100]    - Processing command `/usr/local/cpanel/scripts/check_security_advice_changes --notify`

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/scripts/check_security_advice_changes] There are no changes to the Security Advisor state that require notification.

[2018-04-10 04:58:30 +0100]    - Finished command `/usr/local/cpanel/scripts/check_security_advice_changes --notify` in 25.364 seconds

[2018-04-10 04:58:30 +0100]   Processing: Running former postinstall scripts

[2018-04-10 04:58:30 +0100]    - Processing command `/usr/local/cpanel/bin/dcpumon --killproc`

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/BitchX.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/bnc.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/eggdrop.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/generic-sniffers.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/guardservices.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/ircd.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/psyBNC.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/ptlink.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/services.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Kill Proc Enabled

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Added Contact [email protected]

[2018-04-10 04:58:30 +0100]    - Finished command `/usr/local/cpanel/bin/dcpumon --killproc` in 0.508 seconds

[2018-04-10 04:58:30 +0100]   88% complete

 

[cPanelMichael]

Hello,

Can you verify if you have that email address configured as an email destination in "WHM >> Contact Manager" or as a forwarded destination email for "root" in "WHM >> Edit System Mail Preferences"?

Thank you.

 

[amstel]

Hi,

I am sorry I was not clear.

I have setup the Contact Manager address as [email protected] (that is the "correct" address I wish to use).

Today this address has been changed again to [email protected] in "WHM >> Contact Manager"
Also the DNS nameservers have been changed in the Basic WebHost Manager® Setup.

WHM >> Edit System Mail Preferences shows the correct address [email protected]

 

[cPanelMichael]

Hello,

Could you open a support ticket so we can take a closer look at the affected system?

Thank you.

 

[amstel]

Hi,

When I try to prepare server for cPanel support I get:

Error:WHM Authorization failed with the following error: The server detected that an SSH key for user “root” in Ticket ID “9430413” and Server “1” already exists. Run the following cPanel script and refresh your browser: /scripts/updatesupportauthorizations. You may skip this server or correct the problem and try again.

I run /scripts/updatesupportauthorizations and repeat the process but no joy.
I have clicked the next button and get the Support Request ID: 9430413

 

[cPanelMichael]

Hello @amstel,

I see the ticket was successfully opened. Please respond directly to the support ticket to note the error if /scripts/updatesupportauthorizations continues to fail.

Thank you.

 

[amstel]

The problem has been sorted out by your support.

/home/cpanel.pl
/home/cpanel.conf

 

[cPanelMichael]

/home/cpanel.pl
/home/cpanel.conf

I'm glad to see the source of the change was found. Thank you for updating this thread with the outcome. For anyone else seeing this thread, note these are third-party scripts and are not files provided as part of cPanel & WHM.

Thank you.