The Community Forums

Interact with an entire community of cPanel & WHM users!

How come my WHM was accessed using root by one who doesn't have password?

Discussion in 'General Discussion' started by frankhsu, Dec 15, 2009.

  1. frankhsu

    frankhsu Member

    My WHM has been accessed using root by our branch office in another country. They only have an FTP account and password; there's no way for them to get root's password.

    It happened once last month, and I already changed root's password.

    But my WHM sent a WHM root access alert e-mail just a few minutes ago.

    Is it possible for them to access WHM with their FTP password, or what?

    Our branch office is using a different IP from us, and we don't have any VPN between us.
     
    #1 frankhsu, Dec 15, 2009
    Last edited: Dec 16, 2009
  2. sharmaine001

    sharmaine001 Well-Known Member

    There can be 2 things from what I've observed:

    1. You have a cached WHM where you didn't log out, and your branch office was able to access the cached session.
    2. I observe that when one IP has successfully logged in to WHM and then an attempt to log in using the same IP was made, even if it is not successful, WHM sends out an email that it has logged in to the server as root. I don't know why that is, so to check if they were really able to log in to the server, check your logs.
     
  3. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    WHM does not send out an e-mail upon someone logging in; the e-mail would have been generated by a non-stock modification or third-party software.

    I recommend checking the following two log files and cross-referencing similar entries (e.g., those with a matching IP address) to help determine specific information about the login attempts and what, if anything, was accessed beyond the attempted login:
    Code:
    /usr/local/cpanel/logs/access_log
    /usr/local/cpanel/logs/login_log
    If using cPHulk, the following log file may also be checked:
    Code:
    /usr/local/cpanel/logs/cphulkd.log
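
Added example, not part of the thread or of cPanel's own tooling: one way to do the cross-referencing suggested above, grouping `login_log` and `access_log` entries by IP address to separate failed root logins from requests that were actually served to a root session. The sample lines are constructed, and their layout, the `FAILED LOGIN` marker and the 2xx-status heuristic are assumptions to adjust to what your own logs contain.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation-range IPs); the layouts are assumed,
# not copied from a real server.
LOGIN_LOG = """\
[2009-12-15 09:58:11 +0800] info [whostmgrd] 203.0.113.7 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: invalid password
[2009-12-15 10:02:40 +0800] info [whostmgrd] 198.51.100.20 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: invalid password
"""
ACCESS_LOG = """\
198.51.100.20 - root [12/15/2009:10:01:03 -0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.20 - root [12/15/2009:10:01:09 -0000] "GET /scripts2/listaccts HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/15/2009:09:58:11 -0000] "POST /login/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# login_log (assumed): ... <ip> - <user> "<request>" <result text>
LOGIN_RE = re.compile(IP + r" - (\S+) ")
# access_log (assumed, combined-log style): <ip> - <user> [<time>] "<method> <path> ..." <status>
ACCESS_RE = re.compile(r"^" + IP + r' \S+ (\S+) \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def cross_reference(login_text, access_text, user="root"):
    """Per IP: failed logins for `user`, and paths served to `user` with a 2xx status."""
    report = defaultdict(lambda: {"failed_logins": 0, "authed_requests": []})
    for line in login_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group(2) == user and "FAILED LOGIN" in line:
            report[m.group(1)]["failed_logins"] += 1
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, who, _method, path, status = m.groups()
        # Assumption: a request logged under the user name with a 2xx status
        # means an authenticated session was in use, not just an attempt.
        if who == user and status.startswith("2"):
            report[ip]["authed_requests"].append(path)
    return dict(report)

if __name__ == "__main__":
    for ip, info in sorted(cross_reference(LOGIN_LOG, ACCESS_LOG).items()):
        print(ip, "failed logins:", info["failed_logins"],
              "authenticated requests:", info["authed_requests"] or "none")
```

To run it against a server, pass the contents of `/usr/local/cpanel/logs/login_log` and `/usr/local/cpanel/logs/access_log` to `cross_reference()` in place of the constructed samples. An IP with failed logins and no authenticated requests only attempted a login.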
     