Foreign SSH Login / Brute Force Attempts

Edrick Smith

Well-Known Member
Oct 9, 2017
Boston, MA
cPanel Access Level
DataCenter Provider
So strangely enough / coincidentally, it seems that just as our cPanel trial license expired, there was a possibly successful brute-force login.

I noticed that mail stopped connecting and was rejecting all logins that were tied to the testing machine. I then tried to log in to WHM, both to a few cPanel users directly and to WHM root, and I tried SSH root also, with no success. I then consoled into the system and noticed there was a good amount of failed login attempts, but it did list, I believe, a successful login from an IP in China; however, there were no commands in history.

However, I have noticed repetitive brute-force attempts specifically at the users listed on the server. So it seems they were able, in some fashion, to obtain the list of cPanel accounts and attempt direct brute force against them, as I've modified the cPanel Hulk brute-force protection to further limit the failed attempts and email when an attempt was made.

This password was not a dictionary password and was about 24 characters, randomly generated. So I don't see how they were able to successfully brute-force it.

The reason I noticed this, though, is that the cPanel system stopped fully functioning, which I assumed was due to the trial license as I was testing, so I tried to log in to check the license, and this is when I noticed the security issue. So odd that they both occurred at the exact same time. After applying a cPanel license the system came back up, and when I whitelisted my IP in the Brute Hulk I was able to get in.

So now my question: it seems they're brute-forcing the actual cPanel login attempts of the specific accounts based on the user, both FTP and cPanel.

What would be the recommended course? Should I change the user names of those accounts now?

As I mentioned, I see nothing but the commands I've issued over the past few weeks in the history, so I cannot see any sign that they've inserted malicious software. But clearly they got the exact user name directory of the test accounts?
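The situation described in this post (a burst of failed logins followed by what looked like a successful one from the same source) is exactly what a small log-review script can surface when eyeballing the console is not enough. The following is an added example, not code from the thread or from cPanel; it assumes the standard sshd syslog line format (as written to /var/log/secure on CentOS-style systems) and runs on a few constructed sample lines using documentation-range placeholder IPs. Shell history is not a reliable indicator either way, so the check looks at the authentication log rather than .bash_history.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not taken from the thread). The IPs are
# RFC 5737 documentation addresses, used here only as placeholders.
SAMPLE_LOG = """\
Oct  9 03:11:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Oct  9 03:11:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Oct  9 03:11:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Oct  9 03:11:14 host sshd[1207]: Failed password for root from 203.0.113.7 port 40150 ssh2
Oct  9 03:11:20 host sshd[1209]: Accepted password for root from 203.0.113.7 port 40166 ssh2
Oct  9 03:15:44 host sshd[1230]: Accepted publickey for root from 198.51.100.5 port 51002 ssh2
Oct  9 03:16:01 host sshd[1232]: Failed password for invalid user oracle from 192.0.2.44 port 33000 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for root from IP" style sshd messages.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text):
    """Turn raw sshd log lines into dicts with result, method, user and ip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_ip(events):
    """Count failed authentications per source IP (the brute-force volume)."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["ip"]] += 1
    return dict(counts)


def suspicious_logins(events, threshold=3):
    """Return accepted logins whose source IP had at least `threshold`
    failures earlier in the log: the pattern worth investigating first."""
    failed_so_far = defaultdict(int)
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failed_so_far[e["ip"]] += 1
        elif failed_so_far[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"], e["method"], failed_so_far[e["ip"]]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failures per IP:", failures_by_ip(evs))
    for ip, user, method, n in suspicious_logins(evs):
        print(f"ALERT: {ip} logged in as {user} via {method} after {n} failures")
```

Point it at the real log with `parse_events(open("/var/log/secure").read())`. A hit from `suspicious_logins` does not prove compromise on its own (a legitimate admin can mistype a password a few times), but it is the event to correlate with cPHulk's own records and with the source addresses of known customers before deciding whether to rotate credentials.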

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
It sounds as though when the license expired your users were no longer able to access their email through cPanel/WHM, which is expected behavior. Are you sure that the users attempted to be accessed in this situation were accessed illegitimately (the IP addresses used didn't belong to your customers)?