cPHulkd blocking 127.0.0.1

Lorri Nevil

Registered, joined May 9, 2019, USA
cPanel Access Level: Root Administrator
I've spent a good deal of time, reached out to my server host, and was told I need to ask here.
I have roundcube and horde disabled from accounts as they are not used.
My logs are full of blocks for 127.0.0.1.
Latest examples (email removed; it is a non-existent email, and all the entries in this example are the same):
I can't figure out what is happening, or why the "real" IP is not logged. I did search many different ways before asking. I saw some posts that I thought would address my issue, but there the IP address was captured. Thank you in advance.

[2019-05-10 00:10:54 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (10/10 failures) (blocked until [Fri May 10 04:20:54 2019 UTC/Fri May 10 00:20:54 2019 LOCAL])
[2019-05-10 00:11:09 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (10/10 failures) (blocked until [Fri May 10 04:21:09 2019 UTC/Fri May 10 00:21:09 2019 LOCAL])
[2019-05-10 00:11:09 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (11/10 failures) (blocked until [Fri May 10 04:21:09 2019 UTC/Fri May 10 00:21:09 2019 LOCAL])
[2019-05-10 00:11:25 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (11/10 failures) (blocked until [Fri May 10 04:21:25 2019 UTC/Fri May 10 00:21:25 2019 LOCAL])
[2019-05-10 00:11:25 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (12/10 failures) (blocked until [Fri May 10 04:21:25 2019 UTC/Fri May 10 00:21:25 2019 LOCAL])
[2019-05-10 00:11:41 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (12/10 failures) (blocked until [Fri May 10 04:21:41 2019 UTC/Fri May 10 00:21:41 2019 LOCAL])
 

cPanelMichael

Administrator, Staff member (joined Apr 11, 2011)
Hello @Lorri Nevil,

Let's say a cPanel user creates a PHP script like the one on this document and attempts to authenticate as another user to cPanel or WHM. cPhulk will track these login attempts and report the IP address as originating from the local server (e.g. localhost, 127.0.0.1).

You may want to search through your Apache domain access logs (/usr/local/apache/domlogs/) for the date/times in your cPHulk logs to see if you notice any corresponding activity.

Thank you.
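The check suggested above can be scripted. The following is an added example, not code from this thread or from cPanel: it parses cPHulkd "Login Blocked" lines in the format quoted by the original poster, keeps only the blocks whose remote address is loopback, and lists the Apache combined-format requests from a domlog that fall within a time window of each block. The second cPHulkd line (remote address 203.0.113.5), both domlog lines and the path /mailcheck.php are constructed sample data; only the first cPHulkd line is taken from the thread.

```python
"""Correlate cPHulkd loopback blocks with Apache domlog requests.

Added example (not from the thread or from cPanel). It assumes the two log
formats visible on the page: the cPHulkd line format quoted by the original
poster and the Apache combined format cPanel writes under
/usr/local/apache/domlogs/. All sample lines below except the first cPHulkd
line are constructed.
"""
import re
from datetime import datetime, timedelta

CPHULK_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] info \[cPhulkd\] Login Blocked:.*?"
    r"\[Service\]=\[(?P<service>[^\]]+)\].*?"
    r"\[Remote IP Address\]=\[(?P<remote_ip>[^\]]+)\].*?"
    r"\[Username\]=\[(?P<user>[^\]]+)\] \((?P<fails>\d+)/(?P<limit>\d+) failures\)"
)

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3})"
)


def parse_cphulk(line):
    """Return a dict for a cPHulkd 'Login Blocked' line, or None if it does not match."""
    m = CPHULK_RE.match(line)
    if not m:
        return None
    # cPHulkd stamps look like "2019-05-10 00:10:54 -0400"
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S %z")
    return {"ts": ts, "service": m.group("service"), "remote_ip": m.group("remote_ip"),
            "user": m.group("user"), "fails": int(m.group("fails"))}


def parse_apache(line):
    """Return a dict for an Apache combined-format request line, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    # Apache stamps look like "10/May/2019:00:10:51 -0400"
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def loopback_blocks(cphulk_lines):
    """Blocks whose remote address is the server itself, the case in this thread."""
    events = [e for e in map(parse_cphulk, cphulk_lines) if e]
    return [e for e in events if e["remote_ip"] in ("127.0.0.1", "::1")]


def correlate(blocks, apache_lines, window_seconds=30):
    """Map each loopback block (ISO timestamp) to domlog requests within the window.

    A script on the box that drives the failed logins typically appears as a
    request to the hosting account's own site just before the block fires."""
    requests = [r for r in map(parse_apache, apache_lines) if r]
    window = timedelta(seconds=window_seconds)
    return {b["ts"].isoformat(): [r for r in requests if abs(r["ts"] - b["ts"]) <= window]
            for b in blocks}


# First line is from the thread; the second (external address) is constructed.
SAMPLE_CPHULK = [
    "[2019-05-10 00:10:54 -0400] info [cPhulkd] Login Blocked: Too many failures for this "
    "username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] "
    "[Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] "
    "(10/10 failures) (blocked until [Fri May 10 04:20:54 2019 UTC/Fri May 10 00:20:54 2019 LOCAL])",
    "[2019-05-10 00:11:09 -0400] info [cPhulkd] Login Blocked: Too many failures for this "
    "username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] "
    "[Remote IP Address]=[203.0.113.5] [Authentication Database]=[mail] [Username]=[email-removed] "
    "(10/10 failures) (blocked until [Fri May 10 04:21:09 2019 UTC/Fri May 10 00:21:09 2019 LOCAL])",
]

# Constructed domlog lines; /mailcheck.php is a hypothetical script path.
SAMPLE_DOMLOG = [
    '203.0.113.5 - - [10/May/2019:00:10:51 -0400] "POST /mailcheck.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2019:00:05:00 -0400] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for when, hits in correlate(loopback_blocks(SAMPLE_CPHULK), SAMPLE_DOMLOG).items():
        print(when)
        for r in hits:
            print("   ", r["ip"], r["method"], r["path"], r["status"])
```

On a real server, feed `/usr/local/cpanel/logs/cphulkd.log` lines to `loopback_blocks` and the account's domlog to `correlate`; a request from one external address that repeatedly precedes loopback blocks by a few seconds points at the script the staff reply describes.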
 

Lorri Nevil

Registered, joined May 9, 2019, USA
cPanel Access Level: Root Administrator
@cPanelMichael
I just went to check current running processes (Home » System Health » Process Manager), and it gives me "A warning occurred while processing this directive."
There is lots of info, starting with "Entry for dovecot missing in /etc/shadow at /usr/local/cpanel/Cpanel/PwCache/Helpers.pm line 30" (plus other lines). There are 6 boxes like this actually, exactly the same. I've searched for the first line to see if anyone else had the issue, and I'm only seeing a few returns of "Entry for r00t missing in /etc/shadow". Is this an unusual issue?
Thank you

cPanelMichael

Administrator, Staff member (joined Apr 11, 2011)
Hello @Lorri Nevil,

Can you open a support ticket so we can take a closer look to see why that error message is appearing? You can post the ticket number here and we'll link this thread to it.

Thank you.