

Entries in Log File Questions

Discussion in 'Security' started by sido, Sep 16, 2018.

  1. sido

    sido Registered

    Location:
    Tunisia
    cPanel Access Level:
    Website Owner
    Hi,

    My first time posting here, thank you in advance for your service ...

    I'm running a small online business, and among other tasks I administer the dedicated server, but I am not really a professional webmaster. I hope someone here can give me some sort of direction on how to handle this case.

    A few days ago I received an email indicating that someone has entered my server.

    A quick look at the server stats revealed that someone had broken into cPanel with root (!)

    I checked his trace; here is what I found: "check file please"

    [removed by moderator - please replace real domain names and IP addresses with examples when pasting log output]

    ....... check file please

    I want to know what he did. Is this dangerous?

    Thank you in advance
     
    #1 sido, Sep 16, 2018
    Last edited by a moderator: Sep 17, 2018
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    cPanel Access Level:
    Root Administrator
    Hello @sido,

    The log output was moderated because it included real domain names and IP addresses. Feel free to post the output again in CODE tags, but ensure to replace any real domain names or IP addresses with examples.

    Additionally, the following document is a good place to start when understanding how to approach a potentially hacked server:

    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  3. sido

    sido Registered

    Location:
    Tunisia
    cPanel Access Level:
    Website Owner
    Hi,

    I uploaded the file again, please check.

    I want to know what he did. Is this dangerous?

    Thank you in advance

    Hi,
    these are the traces.
     
    #3 sido, Sep 17, 2018
    Last edited by a moderator: Sep 18, 2018
  4. fuzzylogic

    fuzzylogic Well-Known Member

    cPanel Access Level:
    Root Administrator
    The Apache access_log lines you posted are evidence that the IP address in your original post requested the WHM login page.
    It is not evidence that they successfully logged in.
    See the attached screenshot to verify this for yourself.

    The following line is extremely vague:
    "since a few days I received an email indicates that someone has entered my server ."

    Is there any connection between the IP address in the log lines you posted and the email you received?
    The email you received...
    Is it sent by the ConfigServer lfd daemon?
    Is the email sent by some other software on your server?
    Is it sent from the email address you would expect server notifications to be sent from?
    Does it have any hyperlinks in it?
    Is it possible that the email is a notification of you or one of your cPanel users logging in?
    Do you know the IP that you log in from?
    Does it ever vary?
    Do you use an anonymizing proxy for your browser when you log in?
    Are your usernames and passwords for root and cPanel users complex and unique?
     

    Attached Files:

  5. sido

    sido Registered

    Location:
    Tunisia
    cPanel Access Level:
    Website Owner
    Hi,

    Thank you for your reply.
    I received a cron-job email indicating that someone made a change on the server.

    Look at the attached file.

    Example:
    Code:
    POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 "https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/index.html" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    
    POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 "https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/index.html" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    
    POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 "https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/editit.html?file=main.tpl&fileop=&dir=%2Fhome%2FwebsiteK%2Fpublic_html%2Fww1%2Ftemplates%2FDefault&dirop=&charset=&file_charset=utf-8&baseurl=&basedir=&edit=1" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    
    
    POST /cpsess3516826911/execute/Personalization/get HTTP/1.1" 200 0 "https://domaine.com.2083/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    
    Thank you in advance
     

    Attached Files:

    #5 sido, Sep 18, 2018
    Last edited by a moderator: Sep 18, 2018
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    cPanel Access Level:
    Root Administrator
    Hello @sido,

    The log output you provided shows that cPanel >> File Manager was accessed. Can you elaborate on where you see the "root" user was utilized to access the server? Answers to the questions in the post before your last one are needed to better understand the issue you are facing.

    Additionally, you may want to consider hiring a system administrator if you require assistance evaluating the server's security or investigating the source of a potential exploit. This is often an extensive process, and it's generally not something we can help with over a public forum. You can find a list of companies offering system administration services at:

    System Administration Services | cPanel Forums

    Thank you.
     
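The distinction fuzzylogic draws (a request for the login page versus activity inside an authenticated session) and the File Manager access cPanelMichael points out can both be checked mechanically. The following is an added example, not code from the thread or from cPanel: it parses constructed cPanel access_log lines (the field layout before the request, client IP, user and timestamp, is an assumption; the lines sido posted were truncated before those fields) and classifies each line by whether it carries a cpsess security token, which cPanel only issues after a successful login, and whether it touches the File Manager editor.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed field layout for /usr/local/cpanel/logs/access_log (assumption, not from the thread):
# client - user [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent" "s" "-" port
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<ssl>[^"]*)" "(?P<extra>[^"]*)" (?P<port>\d+)$'
)
SESSION_RE = re.compile(r'^/cpsess\d+/')  # security token present only after authentication

def classify(line):
    """Return (category, detail) for one access_log line."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", line)
    path = m["path"]
    if not SESSION_RE.match(path):
        # No token in the URL: the client only fetched the login form or submitted
        # credentials. On its own this is not proof that the login succeeded.
        kind = "login_form_fetched" if m["method"] == "GET" else "login_attempted"
        return (kind, f"{m['ip']} status={m['status']}")
    url = urlsplit(path)
    if url.path.endswith("/filemanager/editit.html"):
        # File Manager editor opened on a specific file; decode which one.
        q = parse_qs(url.query)
        target = q.get("dir", ["?"])[0].rstrip("/") + "/" + q.get("file", ["?"])[0]
        return ("file_opened_in_editor", f"{m['ip']} user={m['user']} {unquote(target)}")
    if "/filemanager/" in url.path or "/filemanager/" in m["referer"]:
        return ("filemanager_activity", f"{m['ip']} user={m['user']}")
    return ("session_activity", f"{m['ip']} user={m['user']} {url.path}")

def analyze(log_text):
    """Classify every non-empty line of a log excerpt."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]

# Constructed sample lines in the assumed layout (documentation/example addresses only).
SAMPLE = """\
198.51.100.7 - - [16/09/2018:10:01:02 -0000] "GET /login/ HTTP/1.1" 200 3125 "-" "Mozilla/5.0" "s" "-" 2087
203.0.113.9 - websitek [18/09/2018:12:00:00 -0000] "GET /cpsess3516826911/frontend/paper_lantern/filemanager/editit.html?file=main.tpl&dir=%2Fhome%2FwebsiteK%2Fpublic_html%2Fww1%2Ftemplates%2FDefault&edit=1 HTTP/1.1" 200 0 "https://example.com:2083/" "Mozilla/5.0" "s" "-" 2083
203.0.113.9 - websitek [18/09/2018:12:00:05 -0000] "POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 "https://example.com:2083/cpsess3516826911/frontend/paper_lantern/filemanager/index.html" "Mozilla/5.0" "s" "-" 2083
"""

if __name__ == "__main__":
    for category, detail in analyze(SAMPLE):
        print(f"{category:28} {detail}")
```

Lines that fall into `file_opened_in_editor` or `filemanager_activity` are the ones to correlate with the cron-job change notification and with the login IPs you recognise; a bare `login_form_fetched` line says nothing about a compromise.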