failed cpanel login from the server IP

[garconcn]

In lfd log, there's 5 failed cpanel login from the server IP every hour. This happens in multple cpanel servers. I found that the bandmin cron was running at the same time, not sure why the bandmin needs to login cpanel? Any idea? Thanks.


/var/log/lfd.log
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored
Feb 20 16:02:03 server lfd[5643]: Failed cPanel login from server_ip - ignored


/var/log/cron
Feb 20 15:02:01 server crond[3728]: (root) CMD (run-parts /etc/cron.hourly)
Feb 20 15:02:01 server crond[3729]: (root) CMD (/usr/local/bandmin/bandmin)

 

[vanessa]

I personally haven't seen this before, but one thing you can try is, right before the hour, disable the bandmin cron and see if it happens again. The cron is located in /var/spool/cron/root - just comment out the line containing the bandmin command and reload crond.

I'm not familiar with bandmin enough to confirm what it does and doesn't do. It's responsible for monitoring and reporting bandwidth usages, and looking at the script itself I don't see it opening any connections to cPanel, nor do I see this when stracing the process. I did look at this and chuckle a little though:

#****************************************
#Bandmin (c)1998-1999 J. Nick Koston (BlueDraco) bdraco{at}darkorb[dot]net
# - A simple Bandwidth Monitor
#****************************************

 

[cPanelMichael]

Hello

You may also want to check /usr/local/cpanel/logs/login_log for those timestamps to get a better idea of what user attempted to authenticate.

Thank you.

 

[garconcn]

I personally haven't seen this before, but one thing you can try is, right before the hour, disable the bandmin cron and see if it happens again. The cron is located in /var/spool/cron/root - just comment out the line containing the bandmin command and reload crond.

I'm not familiar with bandmin enough to confirm what it does and doesn't do. It's responsible for monitoring and reporting bandwidth usages, and looking at the script itself I don't see it opening any connections to cPanel, nor do I see this when stracing the process. I did look at this and chuckle a little though:

#****************************************
#Bandmin (c)1998-1999 J. Nick Koston (BlueDraco) bdraco{at}darkorb[dot]net
# - A simple Bandwidth Monitor
#****************************************

Thanks for the advice. I will try this now.

- - - Updated - - -

Hello

You may also want to check /usr/local/cpanel/logs/login_log for those timestamps to get a better idea of what user attempted to authenticate.

Thank you.

Hi Michael,

Thanks. I found the following log in cpanel login_log, it appears every hour at the same time for the same 3 domains. I haven't figured out why.

server_ip - root [02/21/2014:18:02:06 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:18:02:07 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_2 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
server_ip - root [02/21/2014:18:02:08 -0000] "GET /xml-api/listaccts?searchtype=domain&search=domain_3 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect

 

[cPanelMichael]

Are you using any third-party applications that utilize the cPanel API? For instance, many billing applications will utilize the list account API function.

Thank you.

 

[garconcn]

Are you using any third-party applications that utilize the cPanel API? For instance, many billing applications will utilize the list account API function.

Thank you.

I found the problem. It is indeed a script that call the cpanel api every hour caused the problem. Thank you.

 

[cPanelMichael]

I am happy to see the issue is now resolved. Thank you for updating us with the outcome.