
Determine IP addresses that accessed an account

Discussion in 'Security' started by Mugoma, Apr 15, 2017.

  1. Mugoma

    Mugoma Well-Known Member

    Hello,

    Recently we have had several cases of user accounts being compromised.

    As a way of troubleshooting, is it possible to determine which IP address(es) accessed an account?

    Thanks.
     
  2. rpvw

    rpvw Well-Known Member

    Have a look to see if the domain has :

    cPanel > Metrics > Visitors

    and

    cPanel > Metrics > Raw Access Logs (You may need to look at Archived as well as Current)

    ******EDIT*****

    I should learn to read the posts more carefully before trying to help!!

    There may be clues from the logs I mentioned above, and there may be additional info in the FTP log for the domain if the attacker used it.

    If you have root access, have a look at:

    /usr/local/cpanel/logs/login_log


     
    #2 rpvw, Apr 15, 2017
    Last edited: Apr 15, 2017
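
An added example, not part of the posts above or cPanel's own tooling: one way to list which IP addresses logged in to, or failed to log in to, a given account from `/usr/local/cpanel/logs/login_log`. The line layout, the sample lines and the account name `exampleuser` are constructed assumptions; compare them with real lines on your server before relying on the patterns.

```python
import re

# Constructed sample lines. The layout is an ASSUMPTION modelled on
# /usr/local/cpanel/logs/login_log; check it against your own log.
SAMPLE_LOG = """\
[2017-04-14 22:10:03 +0300] info [cpaneld] 198.51.100.23 - exampleuser "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password incorrect
[2017-04-14 22:10:09 +0300] info [cpaneld] 198.51.100.23 - exampleuser "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password incorrect
[2017-04-14 22:11:41 +0300] info [cpaneld] 198.51.100.23 NEW exampleuser:SESSIONTOKEN address=198.51.100.23,app=cpaneld,method=handle_form_login
[2017-04-15 08:02:17 +0300] info [cpaneld] 203.0.113.7 NEW exampleuser:SESSIONTOKEN address=203.0.113.7,app=cpaneld,method=handle_form_login
[2017-04-15 08:30:00 +0300] info [webmaild] 192.0.2.44 - other@example.com "POST /login/ HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
this line is malformed and is skipped
"""

# "[timestamp] level [service] ip rest-of-line"
PREFIX = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+\w+\s+\[(?P<svc>\w+)\]\s+'
                    r'(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<rest>.*)$')
FAILED = re.compile(r'^-\s+(?P<user>\S+)\s+".*"\s+FAILED LOGIN')  # rejected login
NEW = re.compile(r'^NEW\s+(?P<user>[^:\s]+):')                    # session created

def summarize(lines, account):
    """Return {ip: {"ok", "failed", "first", "last"}} for one account."""
    seen = {}
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        hit, kind = NEW.match(m["rest"]), "ok"
        if not hit:
            hit, kind = FAILED.match(m["rest"]), "failed"
        if not hit or hit["user"] != account:
            continue
        entry = seen.setdefault(
            m["ip"], {"ok": 0, "failed": 0, "first": m["ts"], "last": m["ts"]})
        entry[kind] += 1
        entry["last"] = m["ts"]  # log is chronological, so last seen wins
    return seen

def mixed_result_ips(summary):
    """IPs that show both failed attempts and at least one created session."""
    return sorted(ip for ip, e in summary.items() if e["ok"] and e["failed"])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), "exampleuser")
    for ip, e in sorted(report.items()):
        print(ip, e)
    print("review first:", mixed_result_ips(report))
```

To run it against the real file, pass `open("/usr/local/cpanel/logs/login_log", errors="replace")` as `lines`; reading that file needs root.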
  3. gopkris2005

    gopkris2005 Well-Known Member

    These logs will help you to identify the IP address

    /var/log/btmp

    Stores all the bad login and logout attempts, either failure or success.


    /var/log/wtmp

    This log stores the good/authorized system logins and logouts, which can be listed using the "last" command.

    /var/log/lastlog
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. Mugoma

    Mugoma Well-Known Member

    Thanks everyone for the comments. Using the information in the logs we were able to trace the source of attacks.
     