
cpHulkD Not Showing Intruder's IP

Discussion in 'General Discussion' started by _jman, Dec 27, 2008.

  1. _jman (Member)
    cPanel 11.24.4-R32603 WHM 11.24.2 - X 3.9, running on CentOS v5.2

    Howdy, All,

    Curious about some log entries in /var/messages, excerpted as:

    Connection service=system ip= port= user=xxx blocked by cphulkd (Too many failures for this username)

    The 'xxx' in user=xxx looks to be a dictionary list of common people names.

    There were about 600 attempts over a five hour span this last time around, just cycling alphabetically through different user names.

    Trying to figure out where the attack may be coming from, as there's no IP or port shown.

    Never got an email from cphulkd either, even though the 'send notification' box is checked.

    I have password login disabled for SSH, and am also using non-standard ports for both SSH & FTP. Alas, as WHM & cPanel web access is still hard-coded, those ports can't be changed.

    Any idea how to determine where the intruder(s) are trying to get in?

    Thanks!
    --
    Carl
     
  2. MBHWizards (Registered)
    Having The Same Problem

    Has this been addressed yet?
     
  3. athabaska (Member)
    Having the same problem.
    Have you fixed this now?
     
  4. mtosh (Registered)
    cphulkd Database Not Showing Intruder's IP

    I'm having a similar problem. (No IPs displayed in the cphulkd database.) (Authentication Service is listed as "system").

    In addition, the automated-login-attempts script tries the same user name three times per 'protection period' (both of my 'maximum failures' settings are "3") without being detected as a brute force.

    I removed all my IPs from the Trusted Hosts list to test whether the multitude of login attempts were related to the UseDNS vulnerability--it did not help--the login attempts continued.

    Thanks.
     
  5. cPanelDon (cPanel Quality Assurance Analyst, Staff Member; cPanel Access Level: DataCenter Provider)
    Please submit a support request so that we can investigate the specific circumstances of the symptoms being experienced.
     
    #5 cPanelDon, Nov 25, 2009
  6. mtosh (Registered)
    Hello, Don.
    That Web page doesn't ever open.
     
  7. cPanelDon (cPanel Quality Assurance Analyst, Staff Member; cPanel Access Level: DataCenter Provider)
    Please try from a different computer and via a different Internet connection:
    https://tickets.cpanel.net/submit/

    If referring to the above link and if it is not loading for you, please then escalate the issue via your cPanel license vendor; this may be the data center from where your server is purchased or a cPanel distributor or cPanel Partner NOC.
     
  8. mtosh (Registered)
    I think we can save a lot of time here--could someone at cPanel please tell me the following?

    Does a cPHulk Authentication Service label of "system" indicate that the login attempts originate from our server (from malicious code that was inserted on our server)?

    Thanks.
     
  9. cPanelDon (cPanel Quality Assurance Analyst, Staff Member; cPanel Access Level: DataCenter Provider)
    To the best of my knowledge, the answer is no; the reported "Authentication Service" is the service used for authentication when the log-in was attempted (such as via a user account that authenticates with its local system password).
     
    #9 cPanelDon, Nov 26, 2009
  10. mtosh (Registered)
    Thanks, Don.

    Perhaps one of your readers can offer a solution to a brute force attack wherein the attacker successfully conceals its IP number.

    Thank you.
     
  11. yayyo (Well-Known Member; cPanel Access Level: Root Administrator)
    I would also like to know how this can happen...
    (my bolding)

    Thanks in advance for any advice,
    Marty

    p.s. it would also be very helpful if the cphulkd logs showed the date/time. I guess I better visit the suggestions board ;)

    p.p.s. cPanel 11.25.0-R43473 - WHM 11.25.0 - X 3.9
    CENTOS 5.4 i686 standard
     
    #11 yayyo, Feb 27, 2010
  12. cPanelDon (cPanel Quality Assurance Analyst, Staff Member; cPanel Access Level: DataCenter Provider)
    If there is not an IP address reported by the authentication service then it cannot be passed onto cPHulkd; depending on the unique circumstances involved this may be related to what you're seeing.

    For the precise date and time specified in the e-mail headers, do you see an IP address mentioned in the system log files that recorded the login?

    Here are two logs I would check as a starting point:
    Code:
    /var/log/messages
    /var/log/secure
    After thoroughly and carefully checking the system logs, including those from any third-party firewalls that are in-use, I recommend comparing available information to entries in the cPHulkd log as seen below:
    Code:
    /usr/local/cpanel/logs/cphulkd.log
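    A small correlation script, added here as an example (not part of this thread and not cPanel's own tooling), that does what Don suggests by hand: it pulls the cphulkd block lines with an empty ip= field out of /var/log/messages and looks for sshd "Failed password" entries for the same username in /var/log/secure within a short time window. The log lines, hostname, PIDs and addresses are constructed samples, and the syslog year is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed samples: the cphulkd line mirrors the format quoted in the thread, the sshd lines follow OpenSSH's usual syslog format.
MESSAGES = """\
Dec 27 03:14:01 srv cphulkd[4120]: Connection service=system ip= port= user=alice blocked by cphulkd (Too many failures for this username)
Dec 27 03:14:09 srv cphulkd[4120]: Connection service=system ip= port= user=bob blocked by cphulkd (Too many failures for this username)
Dec 27 03:20:00 srv cphulkd[4120]: Connection service=cpaneld ip=203.0.113.7 port=2083 user=root blocked by cphulkd (Too many failures for this ip)
"""
SECURE = """\
Dec 27 03:13:58 srv sshd[9981]: Failed password for invalid user alice from 198.51.100.23 port 51022 ssh2
Dec 27 03:14:07 srv sshd[9983]: Failed password for invalid user bob from 198.51.100.23 port 51030 ssh2
Dec 27 03:40:00 srv sshd[9990]: Failed password for invalid user carol from 192.0.2.9 port 40000 ssh2
"""

SYSLOG_TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
HULK_RE = re.compile(SYSLOG_TS + r"cphulkd\[\d+\]: Connection service=(\S*) ip=(\S*) port=(\S*) user=(\S+) blocked")
SSHD_RE = re.compile(SYSLOG_TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def _ts(stamp, year=2008):
    # Syslog stamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_hulk(text):
    """cphulkd block events as (ts, service, ip or None, user); an empty ip= field means cphulkd was given no address."""
    out = []
    for m in filter(None, map(HULK_RE.match, text.splitlines())):
        stamp, service, ip, _port, user = m.groups()
        out.append((_ts(stamp), service, ip or None, user))
    return out

def parse_sshd_failures(text):
    """sshd failed-password events as (ts, user, source_ip)."""
    out = []
    for m in filter(None, map(SSHD_RE.match, text.splitlines())):
        stamp, user, ip = m.groups()
        out.append((_ts(stamp), user, ip))
    return out

def correlate(hulk_events, ssh_failures, window=timedelta(seconds=30)):
    """For each cphulkd block with no IP, list the sshd failure IPs for the same user within +/- window (empty list: no match in /var/log/secure, so look at other services' logs)."""
    report = []
    for ts, _service, ip, user in hulk_events:
        if ip:
            continue  # cphulkd already recorded the source address
        ips = sorted({f_ip for f_ts, f_user, f_ip in ssh_failures
                      if f_user == user and abs(f_ts - ts) <= window})
        report.append((user, ts, ips))
    return report
```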
     
  13. yayyo (Well-Known Member; cPanel Access Level: Root Administrator)
    Many Thanks Don,

    Yes, that solved it for me, but sadly not for the OP I believe.
    So it was the Data Centre (Fortress ITX). Following a reboot they appear to have an automatic root login attached to tty7.

    Thanks again,
    Marty
     
  14. _jman (Member)
    Coming up on a couple of years for this thread, anyone from cPanel have an idea why the IP would not be recorded?

    Current version:
    cPanel 11.25.0-R46156 - WHM 11.25.0 - X 3.9
    CENTOS 5.5 i686 xen pv on vps

    Had alas not been logging ssh connections; set loglevel to INFO but will have to wait for another intrusion.

    /usr/local/cpanel/logs/cphulkd.log does not show the IP either, but that makes sense; if the brute force detection daemon saw the IP it would certainly report it.

    Yes, one can shell in, crank up MySQL, use cphulkd & delete from logins where user='root' (or even script that action if it happened to you a lot) but that just lets you back into the WHM gui, it still doesn't explain why the IP isn't being recorded in the first place.

    Oh, it also appears to be ignoring whitelist. I have an entry for my IP, but will still get kicked out of WHM if someone tries to log in too many times - however they're doing it - as root.

    Looking at /var/log/secure, it does appear sshd is logging timestamps based on the server's timezone, but openssl is logging based on GMT. Not sure if that's relevant.

    Any ideas?
     
  15. cPanelDon (cPanel Quality Assurance Analyst, Staff Member; cPanel Access Level: DataCenter Provider)
    Please consider submitting a support request so that we may thoroughly inspect and more accurately diagnose the symptoms you are experiencing.
     