
failed cpanel login from the server IP

Discussion in 'Security' started by garconcn, Feb 20, 2014.

  1. garconcn

    In the lfd log, there are 5 failed cPanel logins from the server IP every hour. This happens on multiple cPanel servers. I found that the bandmin cron was running at the same time; not sure why bandmin needs to log in to cPanel. Any idea? Thanks.


    /var/log/lfd.log
    Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
    Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
    Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
    Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
    Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored


    /var/log/cron
    Feb 20 15:02:01 server crond[3728]: (root) CMD (run-parts /etc/cron.hourly)
    Feb 20 15:02:01 server crond[3729]: (root) CMD (/usr/local/bandmin/bandmin)
     
  2. vanessa

    I personally haven't seen this before, but one thing you can try is, right before the hour, disable the bandmin cron and see if it happens again. The cron is located in /var/spool/cron/root - just comment out the line containing the bandmin command and reload crond.

    I'm not familiar enough with bandmin to confirm what it does and doesn't do. It's responsible for monitoring and reporting bandwidth usage, and looking at the script itself I don't see it opening any connections to cPanel, nor do I see this when stracing the process. I did look at this and chuckle a little though:

    Code:
    #****************************************
    #Bandmin (c)1998-1999 J. Nick Koston (BlueDraco) bdraco{at}darkorb[dot]net
    # - A simple Bandwidth Monitor
    #****************************************
    
     
  3. cPanelMichael

    Hello :)

    You may also want to check /usr/local/cpanel/logs/login_log for those timestamps to get a better idea of what user attempted to authenticate.

    Thank you.
     
  4. garconcn

    Thanks for the advice. I will try this now.

    - - - Updated - - -

    Hi Michael,

    Thanks. I found the following log in the cPanel login_log; it appears every hour at the same time for the same 3 domains. I haven't figured out why.

    server_ip - root [02/21/2014:18:02:06 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
    server_ip - root [02/21/2014:18:02:07 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_2 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
    server_ip - root [02/21/2014:18:02:08 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_3 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
     
  5. cPanelMichael

    Are you using any third-party applications that utilize the cPanel API? For instance, many billing applications will utilize the list account API function.

    Thank you.
     
  6. garconcn

    I found the problem. It was indeed a script that calls the cPanel API every hour that caused the problem. Thank you.
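
The triage done by hand in this thread (match lfd's "failed login from server IP" alerts against login_log, then look at which user and API call keep failing) can be scripted. The following is an added example, not code from any poster or from cPanel; it assumes the login_log line layout quoted above, and the sample lines, IP addresses and domain names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Layout of the failed-login entries quoted from login_log in this thread.
LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<url>\S+) [^"]*" FAILED LOGIN (?P<service>\w+): .+$'
)

# Constructed sample input: 192.0.2.10 stands in for the server's own IP.
SAMPLE_LOG = """\
192.0.2.10 - root [02/21/2014:17:02:06 -0000] "GET /xml-api/listaccts?searchtype=domain&search=example.com HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
192.0.2.10 - root [02/21/2014:17:02:07 -0000] "GET /xml-api/listaccts?searchtype=domain&search=example.net HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
192.0.2.10 - root [02/21/2014:17:02:08 -0000] "GET /xml-api/listaccts?searchtype=domain&search=example.org HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
198.51.100.7 - alice [02/21/2014:17:40:11 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN cpaneld: user password incorrect
192.0.2.10 - root [02/21/2014:18:02:06 -0000] "GET /xml-api/listaccts?searchtype=domain&search=example.com HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
192.0.2.10 - root [02/21/2014:18:02:07 -0000] "GET /xml-api/listaccts?searchtype=domain&search=example.net HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
192.0.2.10 - root [02/21/2014:18:02:08 -0000] "GET /xml-api/listaccts?searchtype=domain&search=example.org HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
"""

def summarize_failures(text, local_ips):
    """Group failed logins coming from the server's own IPs by caller signature."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] not in local_ips:
            continue  # not a failed login, or not from this server
        ts = datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S %z")
        # Drop the query string so one script hitting many domains is one group.
        groups[(m["user"], m["service"], urlsplit(m["url"]).path)].append(ts)
    report = []
    for (user, service, path), stamps in sorted(groups.items()):
        hours = {t.replace(minute=0, second=0) for t in stamps}
        minutes = {t.minute for t in stamps}
        report.append({
            "user": user, "service": service, "path": path,
            "count": len(stamps), "hours": len(hours),
            # Same minute past the hour in 2+ hours suggests a scheduled job.
            "scheduled": len(hours) >= 2 and len(minutes) == 1,
        })
    return report

if __name__ == "__main__":
    for row in summarize_failures(SAMPLE_LOG, {"192.0.2.10"}):
        print(row)
```

A group flagged `scheduled` with an API path such as `/xml-api/listaccts` points at a local script or integration holding a stale credential, which is what the original poster found.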
     