Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How come my WHM was accessed using root by one who doesn't have password?

Discussion in 'General Discussion' started by frankhsu, Dec 15, 2009.

  1. frankhsu

    frankhsu Member

    Sep 8, 2009
    Likes Received:
    Trophy Points:
    My WHM has been accessed using root by our branch office in other country, they only have FTP's account and password, there's no any way for them to get root's password.

    It happend once last month, and i already change root's password.

    But my WHM sent an e-mail of WHM root access alert just few minutes ago.

    Is there any possible for them to access WHM with their ftp password or what?

    our branch office is using a different ip from us, and we don't have any VPN between us.
    #1 frankhsu, Dec 15, 2009
    Last edited: Dec 16, 2009
  2. sharmaine001

    sharmaine001 Well-Known Member

    Jun 23, 2006
    Likes Received:
    Trophy Points:
    There can be 2 things from what Ive observed:

    1. You have a cached WHM where you didnt log out and your branch office was able to access the cached session
    2. I observe that when one IP has successfully logged in to WHM and then an attempt to log in using the same IP was made even if it is not successful, WHM sends out an email that it has logged in the server as root. I dont know why such that so to check if they were really able to log in to the server, check your logs.
  3. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst Staff Member

    Nov 5, 2008
    Likes Received:
    Trophy Points:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    WHM does not send out an e-mail upon someone logging-in; the e-mail would have been generated by a non-stock modification or third-party software.

    I recommend checking the following two log files and cross-referencing similar entries (e.g., those with a matching IP address) to help determine specific information about the login attempts and what, if anything, was accessed beyond the attempted login:
    If using cPHulk the following log file may also be checked:
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice