How to find a hacker's access point

panit, Well-Known Member, Aug 14, 2013, cPanel Access Level: Reseller Owner
One of the accounts on the server had a file changed by a hacker. I was able to find the hacker's IP in the access log. The entry in the log indicated the change was made via cPanel's File Manager, so I searched the logs to see if I could find how that IP logged in. The only things I could find for that IP are shown below. They show connections by user1 and user2, neither of which is the user of the account that was hacked. Does that mean the hacker got in via one of these accounts, or is it just a coincidence?

Also, I grepped the .lastlogin for all accounts on the server and the hacker's IP shows up in many of them. Does that file show successful logins or just attempts at logging in?

So, in summary, I know the account that was hacked and the IP used to do the hacking. I am just trying to find out how he got in. Can anyone offer suggestions on how to do this?


[2021-05-31 13:45:54 -0400] info [cpaneld] 174.192.149.43 - user1 "GET /cpsess5167093317/json-api/cpanel?cpanel_jsonapi_module=Fileman&cpanel_jsonapi_func=listfiles&cpanel_jsonapi_apiversion=2&needmime=1&dir=%2fhome%2fuser1%2fpublic_html&showdotfiles=1&cache_fix=1622483121965 HTTP/1.1" DEFERRED LOGIN cpaneld: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43]

[2021-05-31 13:45:54 -0400] info [cpaneld] 174.192.149.43 - user2 "GET /cpsess1523471696/frontend/paper_lantern/email_accounts/index.html HTTP/1.1" DEFERRED LOGIN cpaneld: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43]

[2021-05-31 13:45:58 -0400] info [cpaneld] 174.192.149.43 - user1 "GET /cpsess5167093317/frontend/paper_lantern/filemanager/index.html HTTP/1.1" DEFERRED LOGIN cpaneld: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43]

[2021-05-31 13:46:18 -0400] info [whostmgrd] 174.192.149.43 - root "GET /cpsess2958226313/json-api/loadavg HTTP/1.1" DEFERRED LOGIN whostmgrd: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43]

[2021-05-31 13:46:39 -0400] info [whostmgrd] 174.192.149.43 - root "POST /xfercpanel HTTP/1.1" DEFERRED LOGIN whostmgrd: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43]




using: Apache/2.4.48 and CloudLinux
 

andrew.n, Well-Known Member, Jun 9, 2020, EU, cPanel Access Level: Root Administrator
This snippet of the log file only shows that the login attempts failed and were deferred, so it doesn't show any successful login. In the rest of the log files, do you see anything else?
 

cPRex, Jurassic Moderator, Staff member, Oct 19, 2014, cPanel Access Level: Root Administrator
Hey there! Those specific entries look like the user had tried multiple logins, but they don't show the actual issue.

I always recommend that people check their local computers for viruses and malware as that is the most common way passwords get stolen.

I would recommend checking /usr/local/cpanel/logs/access_log to see if that shows any additional details for the IP address.
 

panit, Well-Known Member, Aug 14, 2013, cPanel Access Level: Reseller Owner
Thank you for the suggestions. I realize this could be caused by a computer being hacked, but it was done from the same IP and at the same time, so that seems unlikely. I checked an archived access log file and found these entries:

174.192.165.81 - info%404user3.com [05/31/2021:14:45:14 -0000] "GET /cpsess0036735185/3rdparty/roundcube/?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1622472314684 HTTP/1.1" 200 0 "https://www.server_domain.com:2096/cpsess0036735185/3rdparty/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2096
174.192.165.81 - user3 [05/31/2021:14:47:14 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/showfile.html?file=cc_cvv.php&fileop=&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fincludes%2Fmodules%2Fpayment&dirop=&charset=&file_charset=&baseurl=&basedir= HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083
174.192.165.81 - user3 [05/31/2021:14:47:19 -0000] "GET /cPanel_magic_revision_1509979506/frontend/paper_lantern/css/yui-core.css HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083
174.192.165.81 - user3 [05/31/2021:14:47:14 -0000] "GET /cPanel_magic_revision_1509979506/frontend/paper_lantern/css/yui-custom.css HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083
174.192.165.81 - user3 [05/31/2021:14:47:19 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/close.jpg HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083
174.192.165.81 - user3 [05/31/2021:14:47:19 -0000] "GET /cpsess0813286337/frontend/paper_lantern/mimeicons/text-x-generic.png HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083
174.192.165.81 - user3 [05/31/2021:14:48:35 -0000] "GET /cPanel_magic_revision_1551087232/frontend/paper_lantern/filemanager/img/panel/close.gif HTTP/1.1" 200 0 "https://www.server_domain.com:2083/cPanel_magic_revision_1551087232/frontend/paper_lantern/filemanager/css/tree_styles2_optimized.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083
174.192.165.81 - user3 [05/31/2021:14:48:35 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/editit.html?file=cc_cvv.php&fileop=&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fincludes%2Fmodules%2Fpayment&dirop=&charset=&file_charset=_DETECT_&baseurl=&basedir=&edit=1 HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083



There was a second account hacked at the same time and in the same way. I thought the line showing the email check above might be the way in, but the entries for the other account don't show email access. The entries for it did show the File Manager open and edit lines, though I guess that is after the hacker got in. Does the above show anything useful?
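The two log formats quoted in this thread, the cpaneld/whostmgrd "DEFERRED LOGIN" lines in the first post and the access_log lines above, can be parsed with a short script that separates login attempts from requests that were actually served, groups one IP's trail across all the accounts it touched (the question asked in the first post), and lists which files the File Manager was asked to show or edit. The following is an added example, not code from the thread or from cPanel: the regular expressions are written against the line shapes shown here, the sample lines are constructed by shortening the thread's own entries, and the assumption that the first format comes from /usr/local/cpanel/logs/login_log is mine.

```python
"""Parse the two cPanel log formats quoted in the thread and answer: which IP
produced authenticated requests for which account, and which files the File
Manager was asked to show or edit.  Added example, not cPanel's own code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Lines written by cpaneld / whostmgrd (assumed file: /usr/local/cpanel/logs/login_log):
#   [ts] info [cpaneld] IP - user "GET /... HTTP/1.1" DEFERRED LOGIN cpaneld: ...
LOGIN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \w+ \[(?P<svc>\w+)\] (?P<ip>\S+) - (?P<user>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<outcome>[A-Z]+(?: [A-Z]+)*)'
)
# Lines from /usr/local/cpanel/logs/access_log:
#   IP - user [05/31/2021:14:47:14 -0000] "GET /... HTTP/1.1" 200 0 "referer" "ua" ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Entry:
    when: datetime      # timezone-aware: the two logs carry different zone markers
    ip: str
    user: str
    service: str        # "cpaneld", "whostmgrd" or "access_log"
    path: str
    outcome: str        # "DEFERRED LOGIN", "FAILED LOGIN", "HTTP 200", ...

    @property
    def authenticated(self) -> bool:
        """Only a served access_log request is evidence of an authenticated session;
        a DEFERRED/FAILED LOGIN line records an attempt that did not get in."""
        return self.service == "access_log" and self.outcome.startswith("HTTP 2")


def parse_line(line: str) -> Optional[Entry]:
    m = LOGIN_RE.match(line)
    if m:
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        return Entry(when, m["ip"], m["user"], m["svc"], m["path"], m["outcome"])
    m = ACCESS_RE.match(line)
    if m:
        when = datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S %z")
        return Entry(when, m["ip"], m["user"], "access_log", m["path"], "HTTP " + m["status"])
    return None  # unrecognised shape: skip it rather than guess


def parse_lines(lines: Iterable[str]) -> List[Entry]:
    return [e for e in map(parse_line, lines) if e is not None]


def accounts_by_ip(entries: Iterable[Entry]) -> Dict[str, Dict[str, Dict[str, int]]]:
    """For each IP: every username it appeared with, split into requests that
    were authenticated and requests that were not."""
    out: Dict[str, Dict[str, Dict[str, int]]] = defaultdict(
        lambda: defaultdict(lambda: {"authenticated": 0, "not_authenticated": 0}))
    for e in entries:
        out[e.ip][e.user]["authenticated" if e.authenticated else "not_authenticated"] += 1
    return {ip: dict(users) for ip, users in out.items()}


def activity_by_ip(entries: Iterable[Entry]) -> Dict[str, List[Entry]]:
    """One IP's trail across all accounts, oldest first (aware datetimes compare in UTC)."""
    grouped: Dict[str, List[Entry]] = defaultdict(list)
    for e in sorted(entries, key=lambda e: e.when):
        grouped[e.ip].append(e)
    return dict(grouped)


def file_operations(entries: Iterable[Entry], authenticated_only: bool = True
                    ) -> List[Tuple[datetime, str, str, str, str]]:
    """File Manager actions recovered from request paths: the paper_lantern pages
    carry file= and dir= query parameters, the JSON API carries module/function.
    Returns (when, ip, user, operation, target) tuples, oldest first."""
    ops = []
    for e in sorted(entries, key=lambda e: e.when):
        if authenticated_only and not e.authenticated:
            continue
        url = urlsplit(e.path)
        q = parse_qs(url.query)
        if "/filemanager/" in url.path and "file" in q:
            page = url.path.rsplit("/", 1)[-1].split(".")[0]      # showfile / editit
            target = q.get("dir", [""])[0].rstrip("/") + "/" + q["file"][0]
            ops.append((e.when, e.ip, e.user, page, target))
        elif q.get("cpanel_jsonapi_module") == ["Fileman"]:
            func = q.get("cpanel_jsonapi_func", ["?"])[0]
            ops.append((e.when, e.ip, e.user, "api:" + func, q.get("dir", [""])[0]))
    return ops


# Constructed sample: the thread's lines, shortened (referer/user-agent trimmed).
SAMPLE = [
    '[2021-05-31 13:45:54 -0400] info [cpaneld] 174.192.149.43 - user1 "GET /cpsess5167093317/json-api/cpanel?cpanel_jsonapi_module=Fileman&cpanel_jsonapi_func=listfiles&cpanel_jsonapi_apiversion=2&dir=%2fhome%2fuser1%2fpublic_html HTTP/1.1" DEFERRED LOGIN cpaneld: cookie ip check: IP address has changed',
    '[2021-05-31 13:46:39 -0400] info [whostmgrd] 174.192.149.43 - root "POST /xfercpanel HTTP/1.1" DEFERRED LOGIN whostmgrd: cookie ip check: IP address has changed',
    '174.192.165.81 - info%404user3.com [05/31/2021:14:45:14 -0000] "GET /cpsess0036735185/3rdparty/roundcube/?_task=mail&_action=getunread HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2096',
    '174.192.165.81 - user3 [05/31/2021:14:47:14 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/showfile.html?file=cc_cvv.php&fileop=&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fincludes%2Fmodules%2Fpayment&dirop= HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    '174.192.165.81 - user3 [05/31/2021:14:47:19 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/close.jpg HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    '174.192.165.81 - user3 [05/31/2021:14:48:35 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/editit.html?file=cc_cvv.php&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fincludes%2Fmodules%2Fpayment&edit=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
    'not a log line at all',
]

if __name__ == "__main__":
    entries = parse_lines(SAMPLE)
    for ip, users in accounts_by_ip(entries).items():
        print(ip, dict(users))
    for when, ip, user, op, target in file_operations(entries, authenticated_only=False):
        print(when.isoformat(), ip, user, op, target)
```

Two points the output makes that the raw lines do not: the `listfiles` JSON API call from the first post only appears when `authenticated_only=False`, because it was deferred and never served, while the `showfile` and `editit` requests for `cc_cvv.php` were served to an authenticated `user3` session. Sorting trusts the zone markers as written (`-0400` on the cpaneld lines, `-0000` on access_log); if a server writes access_log in local time but stamps it `-0000`, normalise the offsets before comparing the two logs, otherwise a cross-log timeline will be shifted by the server's UTC offset.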
 

andrew.n, Well-Known Member, Jun 9, 2020, EU, cPanel Access Level: Root Administrator
Yes, it seems that user3 logged in from the IP 174.192.165.81 and was editing the /home/user3/public_html/includes/modules/payment/cc_cvv.php file, as well as accessing webmail.
 

panit, Well-Known Member, Aug 14, 2013, cPanel Access Level: Reseller Owner
So does "logged in" mean cPanel? Since two accounts had the same problem, I suppose it is possible that each account's cPanel password could have been obtained. But doesn't it seem more likely that some common entry point was used? In either case, is it possible to know for sure how he got in?
 

andrew.n, Well-Known Member, Jun 9, 2020, EU, cPanel Access Level: Root Administrator
From this log, not really. If weak passwords were set they might have been figured out, or the computer was infected with some virus... a lot of things could have happened, unfortunately :(
 