Svemir

cPanel Access Level: Root Administrator
Got this mail today. First time I see something like this. I have a server with multiple cPanel accounts. Attached backup log. What happened here? Changed domain name with xxxxx.
Can someone shed some light here? Thanks!
Code:
A full backup has completed and is available for download.
You can access a list of locally-stored backups via cPanel’s “Backups” interface:
cPanel > Backup > Download a Full Website Backup

The backup file is named “backup-2.15.2016_07-27-20_xxxx.tar.gz”
The server saved the backup file in the “/home/username/” directory.
The raw log file is attached to this email.

This notice is the result of a request made by a computer with the IP address of “XXXXXXXX” through the “fullbackup” service on the server.
The remote computer’s location appears to be: Pakistan (PK).
The remote computer’s IP address is assigned to the provider: “”
The provider supplied the following remarks about the IP address allocation: “-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ To report network abuse, please contact the IRT For troubleshooting, please contact tech-c and admin-c For assistance, please contact the APNIC Helpdesk -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+”
The remote computer’s network link type appears to be: “generic tunnel or VPN”.
The remote computer’s operating system appears to be: “Windows” with version “7 or 8”.
This notice was generated “Monday, February 15, 2016 1:36:28 PM UTC”.
You can disable the “Backup Failure” type of notification through the cPanel interface:

Do not reply to this automated message.
-------------------------------------------------------------------------
 


cPanelMichael

Administrator
Staff member
Hello :)

Could you elaborate on why this suggests a hacked account? It shows the user generated a backup archive through cPanel. Is that an unrecognized IP address accessing that account?

Thank you.
 

cPanelMichael

You should consider changing the password to that account, and reviewing /usr/local/cpanel/logs/access_log to see how long ago the first login attempt was made from an unknown IP address. If the backup of the account was generated, it's a good idea to change all passwords associated with the account (email, ftp, databases) and to review the file structure to verify all files uploaded to the account are legitimate.

Thank you.
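
The log review suggested above, as an added example that is not part of the original thread and is not cPanel's own tooling: it lists, for one account, each IP address not on a known-good list with the time it first appeared in the access log. The line layout, the two timestamp formats, the `backup` substring check and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime

# Assumed layout: ip - user [timestamp] "request" status ... (adjust if yours differs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FORMATS = ("%m/%d/%Y:%H:%M:%S %z", "%d/%b/%Y:%H:%M:%S %z")  # assumed; tried in order

# Constructed sample lines: documentation IP ranges, placeholder user and session tokens.
SAMPLE = [
    '198.51.100.7 - username [02/01/2016:09:12:44 -0000] "GET /cpsess0000000000/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    '203.0.113.50 - username [02/13/2016:22:05:10 -0000] "POST /login/?login_only=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    '203.0.113.50 - username [02/15/2016:13:27:20 -0000] "GET /cpsess1111111111/frontend/paper_lantern/backup/dofullbackup.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    '192.0.2.9 - otheruser [02/14/2016:10:00:00 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    'malformed line that the parser must skip',
]

def parse_ts(raw):
    """Parse a log timestamp, returning None if no assumed format matches."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    return None

def first_seen_by_ip(lines, user, known_ips=()):
    """Return [(ip, first_seen, hits, backup_requested)] for unknown IPs, oldest first."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] != user or m["ip"] in known_ips:
            continue
        ts = parse_ts(m["ts"])
        if ts is None:
            continue
        rec = seen.setdefault(m["ip"], {"first": ts, "hits": 0, "backup": False})
        rec["first"] = min(rec["first"], ts)
        rec["hits"] += 1
        # Heuristic: any request path containing "backup" counts as a backup request.
        rec["backup"] = rec["backup"] or "backup" in m["req"].lower()
    rows = [(ip, r["first"], r["hits"], r["backup"]) for ip, r in seen.items()]
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for ip, first, hits, backup in first_seen_by_ip(SAMPLE, "username", {"198.51.100.7"}):
        print(f"{ip}  first seen {first.isoformat()}  requests={hits}  backup_request={backup}")
```

To run it against the real log, pass `open("/usr/local/cpanel/logs/access_log", errors="replace")` as `lines` and the account's usual addresses as `known_ips`.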