The Community Forums


Dilemma re Root Access by cPanel

Discussion in 'General Discussion' started by markb14391, Oct 6, 2009.

  1. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Hi All,

    I have a dilemma, and I'd like advice from the community. Please tell me what you would do in my situation.

    The details:

    • I had a support ticket in to cPanel that was mostly a request for information, so I didn't provide root access details.
    • After receiving the answer from cPanel's team (quite helpful as always), I received an LFD report of a root access to my WHM system...from cPanel's offices. I was a bit surprised to see that, since my issue had been resolved and didn't really require a login.
    • I added a response to my support ticket, asking if that was indeed cPanel that had logged into my system. I explained that it would be fine if it was them just trying to verify something in regard to my ticket, but I wanted to verify that.
    • The tech replied that he had not logged in, as I had not provided root login information. But he said that he had tried to log in before realizing that he did not have the password. However, the LFD report seems to show a successful login attempt.
    • After sleeping on the situation (and being a bit concerned about it), I appended my ticket and asked cPanel what I should make of the fact that I was told there was no login from cPanel...yet the report said otherwise. The response was that no logs are kept of such things, and it was probably an LFD error...a bug in LFD.
    • This concerned me even more, because the disconnect in the facts was now being blamed on a bug in LFD...and I doubt that LFD has no such bug.

    So, what would you do in my place? I have no reason to think that anyone at cPanel would do anything out of the ordinary. In addition, the tech in question has helped me numerous times and seems excellent. However, I have a situation in which a WHM root access has been logged, yet I am told that the report is probably a bug (which I doubt). That concerns me more than anything.

    So, should I:

    • Forget about it and chalk it up to an anomaly?
    • Forget about it but switch to a different control panel? (I don't want to.)
    • Do a security audit and send cPanel the bill (since my log shows a login from them, yet they point the finger at a bug in LFD)?
    • Or something else?

    It might be nothing to worry about, but my security advisor says that any such disconnect (reported entry into the system that is denied by the party who reportedly did it) is a major red flag that should not be ignored.

    Any advice would be appreciated.

    Thanks,

    Mark
     
  2. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    18
    lfd just looks for any line in the control panel's access_log that starts with "x.x.x.x - root ", which doesn't necessarily indicate a successful login.
     
  3. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Hi,

    That's what I was hoping. However, my LFD log seems to identify failed login attempts. But the log entry in question seems to be a successful root login to WHM:

    *WHM root access* from 208.74.121.102

    Doesn't this indeed indicate a successful login?

    Thanks,

    Mark
     
  4. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Hi,

    Yes, I have tried what you suggested, and LFD identifies those as failed login attempts. It only uses the phrase "WHM root access" to indicate a successful login, at least that's how it looks to me.

    Thanks,

    Mark
     
  5. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    18
    Not necessarily, no. You can confirm if the attempt was successful or not by checking the status code of the log (e.g., 401, or 200, etc).

    You can also duplicate this behavior by accessing WHM, and when prompted to enter a username and password, enter root for the username and anything but the correct password (including an empty password). That will cause the access_log to contain the data that lfd is looking for (a line starting with "x.x.x.x - root "), even though you did not just log in successfully as root.

    All lfd is doing is acting as a front end for the log. When in doubt, manually check the log itself for the complete story.
     
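    The check jpetersen describes above (ignore what lfd's summary line says and read the status code of the matching access_log entry yourself) can be scripted. The following is an added example written for this thread, not code from lfd, csf or cPanel. The log lines are constructed, the exact cpsrvd access_log layout is assumed to be the common "ip - user [timestamp] "request" status size" form, and the only thing taken from the thread is that lfd keys on a line starting with "x.x.x.x - root ". The sample includes a 301 followed by a 401 from one address, the sequence later reported in the thread, so you can see why that pair is a denied attempt and not a login.

```python
import re
from collections import defaultdict

# Constructed sample access_log in a common-log style (assumed layout, not
# copied from a real cpsrvd log). 208.74.121.102 is the address named in the
# thread; it only ever gets a redirect and a 401. 203.0.113.7 is a constructed
# address that does authenticate as root.
SAMPLE_ACCESS_LOG = """\
208.74.121.102 - root [06/10/2009:14:02:11 -0500] "GET /login/ HTTP/1.1" 301 0
208.74.121.102 - root [06/10/2009:14:02:12 -0500] "POST /login/ HTTP/1.1" 401 2104
203.0.113.7 - root [06/10/2009:15:30:01 -0500] "POST /login/ HTTP/1.1" 200 3450
203.0.113.7 - root [06/10/2009:15:30:05 -0500] "GET /scripts/command HTTP/1.1" 200 812
198.51.100.9 - bob [06/10/2009:16:00:00 -0500] "POST /login/ HTTP/1.1" 200 3450
"""

# What the thread says lfd does: a prefix match on "ip - root ", status ignored.
LFD_ROOT_PREFIX = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3} - root ')

# Full line parse so the status code can be read (assumed layout, see above).
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def lfd_style_matches(log_text):
    """Return every line lfd would report as 'WHM root access', per the thread."""
    return [line for line in log_text.splitlines() if LFD_ROOT_PREFIX.match(line)]


def parse_line(line):
    """Parse one access_log line into a dict, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def outcome(status):
    """Map an HTTP status to what it means for an authentication attempt.

    Heuristic: 401/403 is a denied attempt, 2xx is a request served to an
    authenticated root session, 3xx on its own is a redirect and proves nothing.
    """
    if status in (401, 403):
        return "denied"
    if 200 <= status < 300:
        return "served"
    if 300 <= status < 400:
        return "redirect"
    return "other"


def classify_root_events(log_text):
    """Group root lines by source IP and decide whether any of them was a real login.

    Returns {ip: {"statuses": [...], "successful_login": bool}}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != "root":
            continue
        events[rec["ip"]].append(rec["status"])
    return {
        ip: {
            "statuses": codes,
            "successful_login": any(outcome(c) == "served" for c in codes),
        }
        for ip, codes in events.items()
    }


def report(log_text):
    """Human-readable comparison of the naive prefix match against the status-aware view."""
    lines = [f"lfd-style matches: {len(lfd_style_matches(log_text))} line(s)"]
    for ip, info in classify_root_events(log_text).items():
        verdict = "LOGIN" if info["successful_login"] else "no login"
        lines.append(f"{ip}: statuses {info['statuses']} -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ACCESS_LOG))
```

Run against the constructed log, the prefix match flags four lines as "root access", but the status-aware pass shows that only 203.0.113.7 was actually served as root; the 301/401 pair from 208.74.121.102 is a redirect to the login page followed by a rejected credential, which is exactly the pattern a tech who typed root without the password would leave behind.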
  6. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Okay, I pulled the log itself...there was a 301 followed by a 401.

    So, nothing to worry about, right? :)
     
  7. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    So I was probably operating under an incorrect assumption, and you were right that LFD can also show failed attempts. In that case, I am fine because the log matches what the cPanel rep told me...and that was what I was really concerned about. The attempt itself is fine, I was just worried that the facts didn't seem to match up.

    So I guess I can move on with no worries. :)
     