Basic WebHost Manager® Setup - reset on its own

amstel

Active Member
Nov 18, 2015
32
4
58
UK
cPanel Access Level
Root Administrator
Hi,

I have migrated to the new server and restored cPanel backups.
Since then I have a weird problem with the Basic WebHost Manager® Setup.
Every couple of weeks or months the new WHM server resets Basic WebHost settings to the settings from the old server (contact information email and nameservers IP).

Please could you advise?

/etc/redhat-release:CentOS release 6.9 (Final)
/usr/local/cpanel/version:11.68.0.33
/var/cpanel/envtype:kvm
CPANEL=release v68.0.33
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Hello,

The behavior you reported shouldn't happen unless someone with administrator access is manually restoring files, or if a third-party application is making changes. Is it possible you have a third-party application installed that's altering or restoring the /etc/wwwacct.conf file on the system?

Thank you.
 

amstel

Active Member
Nov 18, 2015
32
4
58
UK
cPanel Access Level
Root Administrator
Thank you for your quick reply.
I am with you, it should not happen as my other cPanel's servers works fine.
I have ClamAV and CSF but I do not think they could alter or restore /etc/wwwacct.conf file.

I am going to monitor this file with the linux demon audit:

Code:
/etc/audit/audit.rules

-w /etc/wwwacct.conf -p wa -k manager
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
I am going to monitor this file with the linux demon audit
That's a good idea. Feel free to let us know the outcome once it detects a change to the file.
 

amstel

Active Member
Nov 18, 2015
32
4
58
UK
cPanel Access Level
Root Administrator
I have detected the change to the file.

Code:
time->Wed Apr 11 10:22:19 2018
type=PATH msg=audit(1523438539.215:198): item=1 name="/etc/wwwacct.conf" inode=4071377 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
type=PATH msg=audit(1523438539.215:198): item=0 name="/etc/" inode=4063233 dev=fc:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
type=CWD msg=audit(1523438539.215:198):  cwd="/"
type=SYSCALL msg=audit(1523438539.215:198): arch=c000003e syscall=2 success=yes exit=3 a0=2b46eb0 a1=241 a2=1b6 a3=7f4a01aa5d90 items=2 ppid=3366 pid=3371 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295

comm="cpanel.pl" exe="/usr/bin/perl" subj=system_u:system_r:initrc_t:s0 key="manager"
Any thoughts?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
time->Wed Apr 11 10:22:19 2018
Hello,

Do you happen to notice any particular output to the cPanel access log (/usr/local/cpanel/logs/access_log) around this time? Or, do you notice any activity around this time in the recent cPanel update log under the /var/cpanel/updatelogs/ directory?

Thank you.
 

amstel

Active Member
Nov 18, 2015
32
4
58
UK
cPanel Access Level
Root Administrator
Hi Michael,

/var/cpanel/updatelogs/update.*.log shows that /usr/local/cpanel/bin/dcpumon Added Contact [email protected]

Code:
[2018-04-10 04:58:04 +0100]   87% complete

[2018-04-10 04:58:04 +0100]    - Finished in 0.012 seconds

[2018-04-10 04:58:04 +0100]   Processing: Checking for new security advice

[2018-04-10 04:58:04 +0100]    - Processing command `/usr/local/cpanel/scripts/check_security_advice_changes --notify`

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/scripts/check_security_advice_changes] There are no changes to the Security Advisor state that require notification.

[2018-04-10 04:58:30 +0100]    - Finished command `/usr/local/cpanel/scripts/check_security_advice_changes --notify` in 25.364 seconds

[2018-04-10 04:58:30 +0100]   Processing: Running former postinstall scripts

[2018-04-10 04:58:30 +0100]    - Processing command `/usr/local/cpanel/bin/dcpumon --killproc`

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/BitchX.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/bnc.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/eggdrop.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/generic-sniffers.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/guardservices.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/ircd.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/psyBNC.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/ptlink.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/services.sym  ..Done

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Kill Proc Enabled

[2018-04-10 04:58:30 +0100]      [/usr/local/cpanel/bin/dcpumon] Added Contact [email protected]

[2018-04-10 04:58:30 +0100]    - Finished command `/usr/local/cpanel/bin/dcpumon --killproc` in 0.508 seconds

[2018-04-10 04:58:30 +0100]   88% complete
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Hello,

Can you verify if you have that email address configured as an email destination in "WHM >> Contact Manager" or as a forwarded destination email for "root" in "WHM >> Edit System Mail Preferences"?

Thank you.
 

amstel

Active Member
Nov 18, 2015
32
4
58
UK
cPanel Access Level
Root Administrator
Hi,

I am sorry I was not clear.

I have setup the Contact Manager address as [email protected] (that is the "correct" address I wish to use).

Today this address has been changed again to [email protected] in "WHM >> Contact Manager"
Also the DNS nameservers have been changed in the Basic WebHost Manager® Setup.

WHM >> Edit System Mail Preferences shows the correct address [email protected]
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Hello,

Could you open a support ticket so we can take a closer look at the affected system?

Thank you.
 

amstel

Active Member
Nov 18, 2015
32
4
58
UK
cPanel Access Level
Root Administrator
Hi,

When I try to prepare server for cPanel support I get:

Code:
Error:WHM Authorization failed with the following error: The server detected that an SSH key for user “root” in Ticket ID “9430413” and Server “1” already exists. Run the following cPanel script and refresh your browser: /scripts/updatesupportauthorizations. You may skip this server or correct the problem and try again.
I run /scripts/updatesupportauthorizations and repeat the process but no joy.
I have clicked the next button and get the Support Request ID: 9430413
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Hello @amstel,

I see the ticket was successfully opened. Please respond directly to the support ticket to note the error if /scripts/updatesupportauthorizations continues to fail.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
/home/cpanel.pl
/home/cpanel.conf
I'm glad to see the source of the change was found. Thank you for updating this thread with the outcome. For anyone else seeing this thread, note these are third-party scripts and are not files provided as part of cPanel & WHM.

Thank you.
 
  • Like
Reactions: amstel