cpHulkD Not Showing Intruder's IP

_jman

Active Member
Jan 17, 2007
cPanel 11.24.4-R32603 WHM 11.24.2 - X 3.9, running on CentOS v5.2

Howdy, All,

Curious about some log entries in /var/messages, excerpted as:

Connection service=system ip= port= user=xxx blocked by cphulkd (Too many failures for this username)

The 'xxx' in user=xxx looks to be a dictionary list of common people names.

There were about 600 attempts over a five hour span this last time around, just cycling alphabetically through different user names.

Trying to figure out where the attack may be coming from, as there's no IP or port shown.

Never got an email from cphulkd either, even though the 'send notification' box is checked.

I have password login disabled for SSH, and am also using non-standard ports for both SSH & FTP. Alas, as WHM & cPanel web access is still hard-coded, those ports can't be changed.

Any idea how to determine where the intruder(s) are trying to get in?

Thanks!
--
Carl
 

mtosh

Registered
Nov 25, 2009
cphulkd Database Not Showing Intruder's IP

I'm having a similar problem. (No IPs displayed in the cphulkd database.) (Authentication Service is listed as "system").

In addition, the automated-login-attempts script tries the same user name three times per 'protection period' (both of my 'maximum failures' settings are "3") without being detected as a brute force.

I removed all my IPs from the Trusted Hosts list to test whether the multitude of login attempts were related to the UseDNS vulnerability--it did not help--the login attempts continued.

Thanks.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
I'm having a similar problem. (No IPs displayed in the cphulkd database.) (Authentication Service is listed as "system").
Please submit a support request so that we can investigate the specific circumstances of the symptoms being experienced.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Hello, Don.
That Web page doesn't ever open.
Please try from a different computer and via a different Internet connection:
https://tickets.cpanel.net/submit/

If referring to the above link and if it is not loading for you, please then escalate the issue via your cPanel license vendor; this may be the data center from where your server is purchased or a cPanel distributor or cPanel Partner NOC.
 

mtosh

Registered
Nov 25, 2009
I think we can save a lot of time here--could someone at cPanel please tell me the following?

Does a cPHulk Authentication Service label of "system" indicate that the login attempts originate from our server (from malicious code that was inserted on our server)?

Thanks.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Does a cPHulk Authentication Service label of "system" indicate that the login attempts originate from our server (from malicious code that was inserted on our server)?
To the best of my knowledge, the answer is no; the reported "Authentication Service" is the service used for authentication when the log-in was attempted (such as via a user account that authenticates with its local system password).
 

mtosh

Registered
Nov 25, 2009
Thanks, Don.

Perhaps one of your readers can offer a solution to a brute force attack wherein the attacker successfully conceals its IP number.

Thank you.
 

yayyo

Well-Known Member
Jul 10, 2004
London, UK
cPanel Access Level
Root Administrator
I would also like to know how this can happen...
From: [email protected]
Subject: [example.com] Root Login from IP (null)
Message-Id: <[email protected]>
Date: Sat, 27 Feb 2010 18:51:35 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - example.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - example.com
X-Source: /usr/bin/perl
X-Source-Args: cPhulkd - processor
X-Source-Dir: /

Root was logged into pam using following authentication service: system
(my bolding)

Thanks in advance for any advice,
Marty

p.s. it would also be very helpful if the cphulkd logs showed the date/time. I guess I better visit the suggestions board ;)

p.p.s. cPanel 11.25.0-R43473 - WHM 11.25.0 - X 3.9
CENTOS 5.4 i686 standard
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
If there is not an IP address reported by the authentication service then it cannot be passed on to cPHulkd; depending on the unique circumstances involved this may be related to what you're seeing.

For the precise date and time specified in the e-mail headers, do you see an IP address mentioned in the system log files that recorded the login?

Here are two logs I would check as a starting point:
Code:
/var/log/messages
/var/log/secure
After thoroughly and carefully checking the system logs, including those from any third-party firewalls that are in-use, I recommend comparing available information to entries in the cPHulkd log as seen below:
Code:
/usr/local/cpanel/logs/cphulkd.log
 

yayyo

Well-Known Member
Jul 10, 2004
London, UK
cPanel Access Level
Root Administrator
Many Thanks Don,

Yes, that solved it for me, but sadly not for the OP I believe.
[email protected] [~]# fgrep 'Feb 27 18:51:35' /var/log/secure*
/var/log/secure.3:Feb 27 18:51:35 mail login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
/var/log/secure.3:Feb 27 18:51:35 mail login: ROOT LOGIN ON tty7
So it was the Data Centre (Fortress ITX). Following a reboot they appear to have an automatic root login attached to tty7.

Thanks again,
Marty
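A small correlation helper, added here as an example and not part of any post or of cPanel's own tooling: it parses the "blocked by cphulkd" lines from /var/log/messages, separates the entries that carry no source IP, and looks up the /var/log/secure entries logged at the same second, the way Marty's fgrep above did, so a local tty login can be told apart from a remote sshd attempt. The log lines, hostname, pids and the 203.0.113.7 address are constructed samples.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the formats quoted in the thread
# (hostname, pids and the 203.0.113.7 address are invented for the example).
MESSAGES_LOG = """\
Feb 27 18:51:30 mail cphulkd[1234]: Connection service=system ip= port= user=aaron blocked by cphulkd (Too many failures for this username)
Feb 27 18:51:31 mail cphulkd[1234]: Connection service=system ip= port= user=abby blocked by cphulkd (Too many failures for this username)
Feb 27 18:51:35 mail cphulkd[1234]: Connection service=system ip= port= user=root blocked by cphulkd (Too many failures for this username)
Feb 27 18:52:10 mail cphulkd[1234]: Connection service=ssh ip=203.0.113.7 port=2222 user=root blocked by cphulkd (Too many failures for this username)
"""
SECURE_LOG = """\
Feb 27 18:51:35 mail login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Feb 27 18:51:35 mail login: ROOT LOGIN ON tty7
Feb 27 18:52:10 mail sshd[555]: Failed password for root from 203.0.113.7 port 51234 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
BLOCK_RE = re.compile(TS + r" .*?Connection service=(?P<svc>\S*) ip=(?P<ip>\S*) "
                      r"port=(?P<port>\S*) user=(?P<user>\S*) blocked by cphulkd")
SECURE_RE = re.compile(TS + r" (?P<rest>.*)$")


def parse_blocks(text):
    """Return one dict per 'blocked by cphulkd' line; empty fields stay empty strings."""
    return [m.groupdict() for m in (BLOCK_RE.match(line) for line in text.splitlines()) if m]


def blocks_without_ip(blocks):
    """The entries this thread is about: cPHulk blocked a login but received no source IP."""
    return [b for b in blocks if not b["ip"]]


def users_per_service(blocks):
    """Counter of (service, user) pairs so an alphabetical username sweep stands out."""
    return Counter((b["svc"], b["user"]) for b in blocks)


def correlate(blocks, secure_text):
    """Map each no-IP block's timestamp to the /var/log/secure lines logged in the
    same second; a tty login or an sshd 'from <ip>' line there usually reveals
    what cPHulk itself could not record."""
    by_ts = {}
    for line in secure_text.splitlines():
        m = SECURE_RE.match(line)
        if m:
            by_ts.setdefault(m.group("ts"), []).append(m.group("rest"))
    return {b["ts"]: by_ts.get(b["ts"], []) for b in blocks_without_ip(blocks)}


def is_console_login(secure_lines):
    """True when the matching secure entries show a local tty login rather than a remote one."""
    return any(re.search(r"LOGIN ON tty\d+", line) for line in secure_lines)
```

Run it against the real files with `open("/var/log/messages").read()` and `open("/var/log/secure").read()` in place of the constructed samples; timestamps without a year collide across log rotations, so check the rotated `secure.N` file from the same day as the cPHulk notification.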
 

_jman

Active Member
Jan 17, 2007
Coming up on a couple of years for this thread, anyone from cPanel have an idea why the IP would not be recorded?

Current version:
cPanel 11.25.0-R46156 - WHM 11.25.0 - X 3.9
CENTOS 5.5 i686 xen pv on vps

Had alas not been logging ssh connections; set loglevel to INFO but will have to wait for another intrusion.

/usr/local/cpanel/logs/cphulkd.log does not show the IP either, but that makes sense; if the brute force detection daemon saw the IP it would certainly report it.

Yes, one can shell in, crank up MySQL, use cphulkd & delete from logins where user='root' (or even script that action if it happened to you a lot) but that just lets you back into the WHM gui, it still doesn't explain why the IP isn't being recorded in the first place.

Oh, it also appears to be ignoring whitelist. I have an entry for my IP, but will still get kicked out of WHM if someone tries to log in too many times - however they're doing it - as root.

Looking at /var/log/secure, it does appear sshd is logging timestamps based on the server's timezone, but openssl is logging based on GMT. Not sure if that's relevant.

Any ideas?
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Please consider submitting a support request so that we may thoroughly inspect and more accurately diagnose the symptoms you are experiencing.