In Progress CPANEL-40842 - Successful root login service : cron ??

Operating System & Version
Ubuntu 20.04
cPanel & WHM Version
104.03

Spirogg

Well-Known Member
Feb 21, 2018
700
155
43
chicago
cPanel Access Level
Root Administrator
Successful root Login from Local Machine
Domain: server2.!!!!!!!com
Service: cron
Authentication Database: system
Username: root
Known Network †: Yes ✅
† A “Known Network” is an IP address range or netblock that contains an IP address from which a user successfully logged in previously.

Hello, I got this email for a second time just now and am wondering what this is?
Anyone have any idea?

This is on a dev cPanel license, for testing Ubuntu and the latest cPanel 104 version.
 

Spirogg

Hey hey! I'm not sure I've seen one of those from a standard installation referencing the cron service. Is it possible you have a custom cron that calls a script that authenticates as root?
Not that I can think of. Other than using csf deny in cPHulk, but then I removed it. And it happened again at the same time. Where would that cron be for me to look?
Thanks
 

Spirogg

I wouldn't expect it to, as I don't get that on my personal system with LFD running.
This is Ubuntu, maybe something different?
 

Spirogg

That is always a possibility - you're welcome to make a ticket with us too!
ok here is ticket number
#94453883

just want to know what caused this and if it's just a normal process that will trigger the email
thanks
 

Spirogg

Our team did confirm these notifications were from that dcpumon cron, so it might be worth bringing that up with CSF directly to see if that gets handled differently on an Ubuntu system.
Hi there
The dcpumon cron is cPanel's CPU Monitor; as such, this login is from the server itself. You should be able to whitelist 127.0.0.1 to prevent these notices from continuing to be sent.
This was a notice from cPHulk. Not csf, just FYI. So I guess in cPHulk I just need to add 127.0.0.1 to the whitelist. But this only happens on the Ubuntu server, not my AlmaLinux server. Maybe a notice in your docs or support channel for this so others can know it's nothing to worry about.
 

Spirogg

Oooh I didn't see this was cPHulk - let me see if I can find more on my end.
Thanks. :)
Yes. Just a note to whitelist 127.0.0.1 in cPHulk so if we have the check mark to notify of a root login we don't panic if we get that notice :). Thanks so much @cPRex.
 

Spirogg

Here is the full Support answer

Sorry, I can't copy and paste for some reason; on the forum it keeps giving me a popup error,
so I made a snapshot
Screenshot 2022-06-08 153913.jpg
 

Spirogg

I see Ausaf just sent a reply to the ticket, asking you to monitor the situation and see if it happens again. If it does, it could be related to an existing case.
FOLLOW THIS ARTICLE HERE

Symptoms
When cPhulk option notify root for known netblock logins is enabled, cPhulk sends a notification indicating system user "cron" logged in:

Note: Confirmation of email notification is logged in log file /usr/local/cpanel/logs/cphulkd.log.

info [cPhulkd] Notified Root Login: [Service]=[cron] [Authentication Database]=[system] [Username]=[root]



Description
The cPhulk Brute force detection service has the ability to monitor logins for the root user as well as other system users. When cron is executed on Ubuntu, it seems to trigger the cPhulk notification even though the task was executed by crontab. It isn't clear why this issue is occurring at this time but we've noticed the notifications started after upgrading to version 104.

We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-40842. Follow this article to receive an email notification when a solution is published in the product.



Workaround
Ignore the notification for system user cron or disable notify root setting for known netblock logins in the cPhulk interface.
 
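One way to tell the cron notices described in the article apart from other root-login notices in /usr/local/cpanel/logs/cphulkd.log, as an added example (not code from cPanel or from any post in this thread). It assumes notices keep the `[Key]=[Value]` layout of the line quoted above and may carry any prefix before "Notified Root Login:"; the `sshd` line in the sample is constructed for illustration.

```python
import re
from collections import Counter

# Matches the "[Key]=[Value]" pairs used in the notification line quoted in the article.
PAIR = re.compile(r"\[([^\]]+)\]=\[([^\]]*)\]")
MARKER = "Notified Root Login:"

# Constructed sample input: the cron lines repeat the one quoted in the article;
# the sshd line and the unrelated line are made up to show the non-cron path.
SAMPLE_LOG = """\
info [cPhulkd] Notified Root Login: [Service]=[cron] [Authentication Database]=[system] [Username]=[root]
info [cPhulkd] Notified Root Login: [Service]=[sshd] [Authentication Database]=[system] [Username]=[root]
info [cPhulkd] some unrelated line
info [cPhulkd] Notified Root Login: [Service]=[cron] [Authentication Database]=[system] [Username]=[root]
"""

def parse_notice(line):
    """Return the fields of a root-login notice as a dict, or None for other lines."""
    _, marker, rest = line.partition(MARKER)
    if not marker:
        return None
    return dict(PAIR.findall(rest))

def triage(lines):
    """Split notices into the cron case from CPANEL-40842 and everything else."""
    expected, review = Counter(), []
    for line in lines:
        fields = parse_notice(line)
        if fields is None:
            continue
        key = (fields.get("Service"),
               fields.get("Authentication Database"),
               fields.get("Username"))
        if key == ("cron", "system", "root"):
            expected[key] += 1      # matches the known cron notification
        else:
            review.append(fields)   # any other root login still deserves a look
    return expected, review

if __name__ == "__main__":
    # On a server, read /usr/local/cpanel/logs/cphulkd.log instead of SAMPLE_LOG.
    expected, review = triage(SAMPLE_LOG.splitlines())
    print("cron notices matching CPANEL-40842:", sum(expected.values()))
    for fields in review:
        print("review:", fields)
```

Filtering this way keeps the root-login notification enabled for every other service while the cron notices are accounted for.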