Did cpanel or whm cause this problem? Maybe blacklist?

Discussion in 'Security' started by DaNewGuy, May 12, 2010.

  1. DaNewGuy

    DaNewGuy Member

    Joined:
    May 12, 2010
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Hi!

    I had something happen to me today that was VERY SCARY! I am hoping somebody can tell me if cpanel or whm caused it.

    I recently acquired a VPS and I am preparing to migrate 10 websites to it from a shared hosting acct. All ten sites are currently CREloaded and I am switching to Zen.

    So I pointed two domains at the VPS for staging and I have spent the last two weeks bolting a bunch of mods together. Then I zipped the main cart, uploaded to the other domain. Now I have carts on two domains so I can go back and forth testing out what looks best.

    Around 5:15 this afternoon I had open:
    • FTP client (connected securely)
    • https://www.mystore1.com/admin
    • https://www.mystore2.com/admin

    I did not have cPanel or WHM open. The only other things open in Firefox were a few tabs of each site. I was using Firefox's Developer Tool Kit to "edit css" so I could test out different colors.

    HERE IS WHERE IT GETS CRAZY!
    All of a sudden one of my sites would not refresh, eventually the connection timed out. So I tried to refresh the other site, same problem. Thinking my ISP connection was down, I did a random search on Google and it worked fine.

    Now I thought my server was down, so I tried logging into root/whm... and it worked! Poking around, I pulled server status and everything checked out fine.

    So I sent an email to my host, saying I thought something was wrong with dns zones or something cuz my sites were not coming up. A few moments later, I received a reply that she could see my domains just fine and she liked the progress I was making.

    Super confused, I moved to another computer in the office and was again refused access to my domains (though yahoo loaded instantly!).

    So I called my house and had my wife pull up the domains. Sure enough she could see the domains no problem.

    At home and at office, my internet is virtually the same: Comcast Broadband Modem going thru Airport Extreme wireless router.

    NOW IT GETS EVEN WEIRDER!!!
    Scratching my head, I flipped on my hotspot protection software that I use while at coffee shops or hotels so I can check email, bank statements, etc, without fear of getting jacked.

    And guess what???? It worked! All of a sudden I could see my websites.

    SO HERE ARE MY QUESTIONS
    Is it possible I tripped over some security function in Cpanel or WHM that caused my IP to get blacklisted? And if so, is there a log or someplace I can go to see what happened or to check banned IPs? Or to remove my IP if it is on there?

    I do have reason to be paranoid, but I am hoping this problem has a very innocent explanation.

    I am totally freaked out here, hoping somebody understands what happened to me!

    Any advice, suggestions, or thoughts would be greatly appreciated.

    Thanks for taking the time to read this!
     
  2. DaNewGuy

    DaNewGuy Member

    Joined:
    May 12, 2010
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    One thought (albeit probably needlessly paranoid)... if somebody attempted to hijack my session, could that have caused the red flag?
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Possibly. You might like to read up on cPanel's Brute Force Detection, this may be what blocked you. If so and you can get in from another PC, check the blocked list for BFD. (And add your IP to the white list if you use this) More on that in the docs. Use cPHulk for Brute Force Protection

    It could be your firewall as well but you don't mention if you run one.

    She sounds friendly. Ask her to help you check the error logs for your IP. Why you got blocked will be there somewhere if it wasn't BFD. ;)

    GL
     
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    To the best of my knowledge triggering a login failure detected by cPHulk should not result in a complete block or denial of network connectivity; however, the hosting service provider may be utilizing third-party software that may monitor for certain activity and could be easily triggered and subsequently (automatically) add a visitor's IP address to a firewall for effectively blocking further network connections from or to that IP address.

    I recommend providing your public/WAN IP address to the hosting provider so that they may search server log data for possible entries from security or firewall software.

    You may identify your public/WAN IP address by visiting one of the following web sites:

    Here are a few log file paths that I would use as a starting point for searching via root SSH access:
    Code:
    /var/log/messages
    /usr/local/cpanel/logs/cphulkd.log
    /var/log/lfd.log
    Here is an example command, using "grep," to search all of the aforementioned log files; where I've entered "$IP" replace this with the actual IP address to look for:
    Code:
    # grep -Hn "$IP" /var/log/messages /usr/local/cpanel/logs/cphulkd.log /var/log/lfd.log
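    A safer version of that log search, added here as an example and not cPanelDon's own command: it matches the address as a literal whole word, so the dots in "$IP" are not treated as regex wildcards and a search for 203.0.113.4 does not also report 203.0.113.45. The log lines it searches are constructed samples in the style of cphulkd.log and lfd.log, not real log data.

```shell
#!/bin/sh
# Added example, not cPanelDon's command: search the log files named above
# for one visitor IP address. The IP is matched as a literal string (-F) so
# its dots cannot act as regex wildcards, and as a whole word (-w) so that
# searching for 203.0.113.4 does not also report 203.0.113.45.
# Usage: find_ip_in_logs IP LOGFILE...
find_ip_in_logs() {
    ip=$1; shift
    # Reject anything that is not a dotted-quad before touching the logs.
    case $ip in
        ""|*[!0-9.]*) echo "not an IPv4 address: $ip" >&2; return 2 ;;
    esac
    # -H prints the file name, -n the line number; non-zero status if no hit.
    grep -HnFw -- "$ip" "$@"
}

# Writes constructed sample lines (not real log data) into directory $1,
# mimicking the style of cphulkd.log and lfd.log entries.
make_sample_logs() {
    cat > "$1/cphulkd.log" <<'EOF'
[2010-05-12 17:15:02] Login failure for user root from 203.0.113.45 (whostmgrd)
[2010-05-12 17:15:09] Login failure for user admin from 203.0.113.4 (cpaneld)
EOF
    cat > "$1/lfd.log" <<'EOF'
May 12 17:16:01 host lfd[1234]: 203.0.113.45 blocked in firewall after repeated login failures
EOF
}

# Stand-alone run: build the sample logs in a temp dir and search them.
dir=$(mktemp -d)
make_sample_logs "$dir"
echo "== hits for 203.0.113.4 (whole-word match, one line expected) =="
find_ip_in_logs 203.0.113.4 "$dir/cphulkd.log" "$dir/lfd.log"
echo "== hits for 203.0.113.45 (two lines expected) =="
find_ip_in_logs 203.0.113.45 "$dir/cphulkd.log" "$dir/lfd.log"
rm -rf "$dir"
```

    On a real server, pass the three paths from the post above in place of the sample files; grep exits non-zero when the address appears in none of them.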
     
  5. DaNewGuy

    DaNewGuy Member

    Joined:
    May 12, 2010
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Wow! Good insight, thank you both very much!

    I will follow both of your excellent suggestions today (reading up and grepping).

    I did receive a reply from my host today, I wonder what you think about it:
    In my opinion, seems like she accidentally discovered some totally unrelated problem. And to be honest, I really don't understand the problem she describes. Since I am already pointing to the correct DNS thru godaddy, is there any point to me going over and doing it again? Won't it just resolve itself over time?

    This is too weird.
     
  6. DaNewGuy

    DaNewGuy Member

    Joined:
    May 12, 2010
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    UPDATE! Problem occurred again...

    UPDATE! And I have a question about something Infopro said.

    But first: I am still waiting for her to flip the switch on ssh access (which I thought I already had). I looked at the Brute Force thing in my root WHM, it did not display any blacklisted or whitelisted IPs.

    Ok, so I was working from my home this morning, called the office and had an employee try to visit the problem domain. It was still being blocked.

    So I asked him to check his IP and then restart the modem and router. He went back and was able to go to the sites, no problem!

    I assumed the router simply gave us a new IP and that was the remedy.

    So I came in and began to work on the site and everything was great until all of a sudden it would not refresh! And oddly I was performing the EXACT same task in the same site as when this occurred last time. (If you are familiar with Zen, I was in Admin disabling all the right hand sideboxes).

    So I went and restarted my modem/router and *PRESTO* I was back up again.

    Now I went to look at my cpanel error logs. I pulled my current IP address so I could rule myself out.

    GUESS WHAT? My IP was the same as it was this morning before my employee restarted everything!

    So this appears to have nothing to do with my IP.

    Infopro, you said:
    Were you referring to my LAN? Could a local firewall be the root of this problem?

    It's pretty intuitively amazing that you said that. Can you elaborate?

    Also I just received this from my host:
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Not really, but I like your description all the same! :p

    I was referring to your server's firewall. Since you didn't mention one, I couldn't comment further on where to look at your firewall logs. Your host can help you with this I'm sure.


    If this is some sort of corporate offices with strict firewall rules for the network on that end, I think you could run into connection problems there, yes sure.

    If you have control of the router, it sounds like you do, can you add your cPanel URL to a bypass list of some sort?

    The good news is it's not exactly a cPanel problem. :)

    GL!
     