The Community Forums

Interact with an entire community of cPanel & WHM users!

Cpanel security help needed!

Discussion in 'Security' started by micetrap, May 4, 2006.

  1. micetrap

    micetrap Member

    Joined:
    Sep 4, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I think I have a problem with my server's cPanel security. Yesterday afternoon, I started receiving email requests to change cPanel passwords for two accounts. I was alarmed because these two accounts were backed up on this server, but the domains were not active. I received about 6 or 7 password requests, but deleted them when they arrived. A few hours later, my server was frozen. It wouldn't respond to anything: SSH, FTP or Apache. I had the center reboot the server and everything has been functioning fine. I am worried because I logged into one of my cPanel accounts and it shows the last login as being from an IP in Malaysia. I changed the passwords and made sure all of my software was updated. Today, when I first logged in, it showed my IP, but when I logged in a few hours later it showed the last login as coming from an IP in Plano, Texas. This is after I changed all of the passwords.

    Is there anything that could cause another IP to show where the last login IP would be shown? Are there any known exploits right now? I am very concerned with the security of this machine and any help will be very, very much appreciated!
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Successful logins will show up in /usr/local/cpanel/logs/access_log

    If you're finding IP addresses in there that should not be there, then you most likely have people logging into your accounts that shouldn't be and may need to have a security audit done on your server.

    Another check you could try is to look for odd shell access with:

    last -da | grep pts

    Any suspicious IP addresses there would also indicate a serious compromise on the server.
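Turning the two checks above into a repeatable audit, as an added example that is not part of the original thread: the script below reads cPanel's access_log and the output of `last -ai` (the `-i` flag prints the source as a dotted-quad IP rather than a hostname) and reports every login from an address outside an allowlist of IPs you expect to see. It assumes access_log lines start with the client IP, a dash and the account name (combined-log style) and that `last -ai` puts the source IP in the last column; the allowlist, the account names and every log line are constructed sample data, not taken from the thread or from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions:
#  (1) /usr/local/cpanel/logs/access_log lines begin "IP - ACCOUNT [date] ..."
#  (2) `last -ai` output ends each session line with the source IP
# Edit KNOWN_IPS to the addresses you and your friend actually log in from.
KNOWN_IPS="203.0.113.7 203.0.113.8"

# Constructed sample of cPanel's access_log (not real data).
SAMPLE_ACCESS_LOG='203.0.113.7 - micetrap [04/05/2006:09:12:31 -0500] "GET /frontend/x/index.html HTTP/1.1" 200 -
198.51.100.22 - oldsite1 [04/05/2006:22:40:02 -0500] "GET /frontend/x/index.html HTTP/1.1" 200 -
198.51.100.22 - oldsite1 [04/05/2006:22:41:17 -0500] "POST /frontend/x/passwd/changepass.html HTTP/1.1" 200 -
203.0.113.8 - micetrap [05/05/2006:08:03:55 -0500] "GET /frontend/x/index.html HTTP/1.1" 200 -
192.0.2.45 - oldsite2 [05/05/2006:11:20:09 -0500] "GET /frontend/x/index.html HTTP/1.1" 200 -'

# Constructed sample of `last -ai` output (not real data).
SAMPLE_LAST='root     pts/0        Thu May  4 09:10   still logged in    203.0.113.7
root     pts/1        Thu May  4 23:02 - 23:40  (00:38)   198.51.100.22
friend   pts/0        Wed May  3 18:21 - 18:59  (00:38)   203.0.113.8
reboot   system boot  Thu May  4 23:50
wtmp begins Mon May  1 00:00:01 2006'

# unknown_cpanel_logins: read access_log on stdin and print "IP ACCOUNT COUNT"
# for every request whose client IP is not in KNOWN_IPS. Lines whose first
# field is not a dotted-quad address are ignored.
unknown_cpanel_logins() {
  awk -v known="$KNOWN_IPS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($1 in ok) { c[$1 " " $3]++ }
    END { for (key in c) print key, c[key] }
  ' | sort
}

# unknown_shell_logins: read `last -ai` output on stdin and print "IP USER COUNT"
# for every pseudo-terminal (pts, i.e. SSH/telnet) session from an IP not in
# KNOWN_IPS. Console, reboot and "wtmp begins" lines are skipped.
unknown_shell_logins() {
  awk -v known="$KNOWN_IPS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $2 ~ /^pts\// && !($NF in ok) { c[$NF " " $1]++ }
    END { for (key in c) print key, c[key] }
  ' | sort
}

# Dry run against the constructed samples. On a live server (as root) use:
#   unknown_cpanel_logins < /usr/local/cpanel/logs/access_log
#   last -ai | unknown_shell_logins
echo "cPanel logins from unknown IPs (IP account count):"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | unknown_cpanel_logins
echo "Shell (pts) sessions from unknown IPs (IP user count):"
printf '%s\n' "$SAMPLE_LAST" | unknown_shell_logins
```

Any hit in the second list is the more serious one: a pts session from a strange address means someone had an interactive shell, not just a cPanel account password, and the box should be treated as compromised rather than merely having weak account passwords reset. The first list is also worth correlating with the password-reset emails: a burst of requests for an inactive account followed by a login to it from the same unknown IP is exactly the pattern described at the top of this thread.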
     
  3. micetrap

    micetrap Member

    Joined:
    Sep 4, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    IPs

    last -da | grep pts shows only me and my friend's IPs.
     