How to find out which IP changed the root password

Neutrall

Active Member
PartnerNOC
Jul 22, 2014
26
3
3
cPanel Access Level
DataCenter Provider
Hi,

I'm currently trying find out which IP change the root password in a cPanel server.

I'm trying to browse in the /usr/local/cpanel/logs/access_log file without success.

Is there a quick method for finding which IP change the root password?
 

Neutrall

Active Member
PartnerNOC
Jul 22, 2014
26
3
3
cPanel Access Level
DataCenter Provider
Update,


I've found that in the file /var/log/secure I can see password changed my from ssh command, but I can't see the root password changed made from inside cPanel. (Which is what I need to find out...)
 

SysSachin

Well-Known Member
Aug 23, 2015
604
48
28
India
cPanel Access Level
Root Administrator
Twitter
Hello,

Please try to find logs in the /var/log/secure file.

You can use the command

Code:
grep passwd /var/log/secure
Also, check in the cpanel access logs using bellow command.

grep chrootpass /usr/local/cpanel/logs/access_log |grep POST
 
  • Like
Reactions: Neutrall

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello,

I'm happy to see the previous response was helpful. Thank you for updating us with the outcome.