Sep 4, 2004
I think I have a problem with my server's cpanel security. Yesterday afternoon, I started receiving email requests to change cpanel passwords for two accounts. I was alarmed because these 2 accounts were backed up on this server, but the domains were not active. I received about 6 or 7 password requests, but deleted them when they arrived. A few hours later, my server was frozen. It wouldn't respond to anything, SSH, FTP or Apache. I had the center reboot the server and everything has been functioning fine. I am worried because I logged into one of my cpanel accounts and it shows the last login as being from an IP in Malaysia. I changed the passwords and made sure all of my software was updated. Today I logged in, and although at first it showed my IP, I logged in a few hours later and it shows the last login as coming from an IP in Plano, Texas. This is after I changed all of the passwords.

Is there anything that could cause another IP to show where the last login IP would be shown? Are there any known exploits right now? I am very concerned with the security of this machine and any help will be very, very much appreciated!


Jun 15, 2002
Successful logins will show up in /usr/local/cpanel/logs/access_log

If you're finding IP addresses in there that should not be there, then you most likely have people logging into your accounts that shouldn't be and may need to have a security audit done on your server.

Another check you could try is to look for odd shell access with:

last -da | grep pts

Any suspicious IP addresses there would also indicate a serious compromise on the server.
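
The access_log check described in the reply above, as an added example that is not part of the original thread: it groups authenticated requests by account and source IP, then lists the pairs whose IP is not on a list you know to be yours. The log line layout, the sample lines, the account names and the function names are assumptions made for the example; compare the layout with your own /usr/local/cpanel/logs/access_log before relying on the field positions.

```shell
#!/bin/sh
# Added example: summarise authenticated cPanel requests per account and IP.
# Assumed line layout (check it against your own access_log):
#   ip - user [time zone] "METHOD path PROTO" status bytes ...

# Constructed sample lines; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - alice [04/Sep/2004:09:12:01 -0500] "GET /frontend/x/index.html HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.10 - alice [04/Sep/2004:09:14:40 -0500] "GET /frontend/x/mail/pops.html HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.77 - - [04/Sep/2004:13:55:02 -0500] "GET / HTTP/1.1" 401 0 "-" "Mozilla/4.0"
203.0.113.77 - alice [04/Sep/2004:14:02:11 -0500] "GET /frontend/x/index.html HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.23 - bob [05/Sep/2004:11:30:09 -0500] "GET /frontend/x/passwd/index.html HTTP/1.1" 200 0 "-" "Mozilla/4.0"
EOF
}

# Print "user ip hits first_seen last_seen" for every (user, ip) pair that
# made a request with an authenticated user and a 200 response.
logins_by_ip() {
    awk '$3 != "-" && $9 == 200 {
        key = $3 " " $1
        ts = substr($4, 2)              # drop the leading "[" of the timestamp
        if (!(key in hits)) first[key] = ts
        hits[key]++
        last[key] = ts
    }
    END { for (k in hits) print k, hits[k], first[k], last[k] }' "$1" |
        LC_ALL=C sort
}

# Print only the rows whose IP is absent from the known-good list in file $2
# (one IP per line). An empty or missing list means every row is reported.
unknown_ips() {
    logins_by_ip "$1" |
        awk -v allow="$2" 'BEGIN { while ((getline ip < allow) > 0) ok[ip] = 1 }
                           !($2 in ok)'
}

# Stand-alone demo on the constructed sample.
log=$(mktemp); allow=$(mktemp)
sample_log > "$log"
printf '192.0.2.10\n' > "$allow"        # the one address we recognise
unknown_ips "$log" "$allow"
rm -f "$log" "$allow"
```

To use it on a real server, pass the access_log path as the first argument to unknown_ips and a file of your own addresses as the second.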