failed cpanel login from the server IP

garconcn

In the lfd log, there are 5 failed cPanel logins from the server IP every hour. This happens on multiple cPanel servers. I found that the bandmin cron was running at the same time; not sure why bandmin needs to log in to cPanel. Any idea? Thanks.


/var/log/lfd.log
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored


/var/log/cron
Feb 20 15:02:01 server crond[3728]: (root) CMD (run-parts /etc/cron.hourly)
Feb 20 15:02:01 server crond[3729]: (root) CMD (/usr/local/bandmin/bandmin)
 

vanessa

I personally haven't seen this before, but one thing you can try is, right before the hour, disable the bandmin cron and see if it happens again. The cron is located in /var/spool/cron/root - just comment out the line containing the bandmin command and reload crond.

I'm not familiar enough with bandmin to confirm what it does and doesn't do. It's responsible for monitoring and reporting bandwidth usage, and looking at the script itself I don't see it opening any connections to cPanel, nor do I see this when stracing the process. I did look at this and chuckle a little though:

Code:
#****************************************
#Bandmin (c)1998-1999 J. Nick Koston (BlueDraco) bdraco{at}darkorb[dot]net
# - A simple Bandwidth Monitor
#****************************************
 

cPanelMichael

Technical Support Community Manager
Staff member
Hello :)

You may also want to check /usr/local/cpanel/logs/login_log for those timestamps to get a better idea of what user attempted to authenticate.

Thank you.
 

garconcn

Thanks for the advice. I will try this now.

- - - Updated - - -

Hi Michael,

Thanks. I found the following log in the cPanel login_log; it appears every hour at the same time for the same 3 domains. I haven't figured out why.

server_ip - root [02/21/2014:18:02:06 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:18:02:07 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_2 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:18:02:08 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_3 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
 

cPanelMichael

Are you using any third-party applications that utilize the cPanel API? For instance, many billing applications will utilize the list account API function.

Thank you.
 

garconcn

I found the problem. It was indeed a script that calls the cPanel API every hour that caused the problem. Thank you.
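
One way to pin down a recurring caller like this from login_log, as an added example (not part of the thread and not cPanel's own tooling): it parses FAILED LOGIN lines in the format quoted above and reports source/user/endpoint groups that fail at the same minute in more than one hour. The sample lines are constructed; 203.0.113.7, the user alice and the function name are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the login_log format quoted in the thread.
# server_ip / domain_N are the thread's placeholders; the last line is invented noise.
SAMPLE = """\
server_ip - root [02/21/2014:17:02:06 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:17:02:07 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_2 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:17:02:08 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_3 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:18:02:06 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:18:02:07 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_2 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:18:02:08 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_3 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
203.0.113.7 - alice [02/21/2014:17:45:10 -0000] "GET /xml-api/listaccts HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) '
    r'\[(?P<date>\d{2}/\d{2}/\d{4}):(?P<hour>\d{2}):(?P<minute>\d{2}):\d{2} [^\]]+\] '
    r'"(?P<method>\S+) (?P<path>[^ ?"]+)[^"]*" '
    r'FAILED LOGIN (?P<service>[^:]+): (?P<reason>.*)$'
)

def recurring_failures(text, min_hours=2):
    """Return {(ip, user, service, path, minute): (distinct_hours, total_failures)}
    for failures that repeat at the same minute in at least min_hours hours."""
    hours = defaultdict(set)   # distinct (date, hour) pairs per group
    counts = defaultdict(int)  # total failed attempts per group
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a FAILED LOGIN line in the expected format
        # The query string is dropped so per-domain calls collapse into one endpoint.
        key = (m['ip'], m['user'], m['service'], m['path'], m['minute'])
        hours[key].add((m['date'], m['hour']))
        counts[key] += 1
    return {k: (len(hours[k]), counts[k]) for k in hours if len(hours[k]) >= min_hours}

if __name__ == "__main__":
    for key, (n_hours, total) in recurring_failures(SAMPLE).items():
        print(key, f"hours={n_hours} failures={total}")
```

A group that recurs at a fixed minute from the server's own IP points to a scheduled job holding a stale credential; the minute value can then be matched against /var/log/cron as was done earlier in the thread.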