The Community Forums


Keep getting root login emails

Discussion in 'Security' started by feketegy, Apr 9, 2012.

  1. feketegy

    feketegy Registered

    Joined:
    Apr 9, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    A couple of days ago I started getting emails from cPanel like this:

    So I looked it up and started verifying log files and found the following entries for the date/time of the email:

    in /var/log/secure

    I don't see any IP in CPHulkd, I also installed ConfigServer CSF & LFD
    The server is CentOS 6 with WHM 11.32.2 (build 15)

    Does this mean that my server was hacked?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    It means that atd service is logging to /var/log/messages, but atd isn't a suspicious service:

    atd - Linux Command - Unix Command

    Of note, atd isn't enabled to run by default on CentOS and RHEL systems, so someone started atd for some reason. cPHulk cannot log the IP because atd is logging to /var/log/messages locally. We did disable checks for crond because it does the same, but we don't for atd as it isn't a cPanel-used service.
     
  3. testnick

    testnick Registered

    Joined:
    Apr 9, 2012
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I don't think so. I am basically flooded with the same message from all of my cPanel servers since I upgraded to 11.32.2 (build 15).
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    I think WHM/cPanel started ATD. Doesn't it say somewhere in the 11.32 changelog that during the upgrade process it makes sure ATD is started? Yeah - I looked at the changelog, and here is what one of the entries says:

    11.32.2.2
    2012-03-07

    Backend

    Fixed case 57102: Install of (or upgrade to) 11.32 needs to ensure atd is started if not running


    So the "someone" who started ATD must have been cPanel itself during the upgrade process.

    Mike
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    We weren't informed that it was being launched and two internal cases were opened in the past 3 days in regards to it (such as 58732 asking whether we are now using it opened today). Based on that case, it appears that it is being used for the following:

    I do stand corrected on how it was initiated. Strangely enough, it wasn't and still isn't running on my system (running on edge tier), which I used for testing what is and isn't being used by cPanel.
     
  6. kbuser

    kbuser Well-Known Member

    Joined:
    Aug 25, 2008
    Messages:
    66
    Likes Received:
    2
    Trophy Points:
    8
    Does atd need to stay on past 11.32.2.2?

    I tried to update this thread ( http://forums.cpanel.net/f185/these-services-needed-124313.html ) to make a note that atd is now apparently used by WHM, but you can't comment on old threads; this is a policy that should be reconsidered so that outdated information doesn't have to stay that way.
     
  7. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    195
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    That scared me too when I saw it the first time :)
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Yes, atd appears to be an integral part of cPanel now, so it needs to stay running on 11.32
     
  9. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    195
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Any way to disable these messages from logwatch?
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    There isn't any way to disable the messages that I'm aware of, although you could filter for them. The internal case we have opened would resolve the issue once it's fixed. That case for disregarding atd logging for authentication is 58711, and our changelogs would show that internal case once it is resolved. The changelogs are at http://go.cpanel.net/changelog
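The filtering Tristan mentions, as an added example that is not from the thread or from cPanel: it separates the PAM "session opened for user root" lines that atd and crond write locally (the ones cPHulk cannot attribute to an IP) from lines that record an actual remote root login with a source address. The log lines are constructed samples; the pam_unix message format is the standard one, but adjust the patterns to what your own /var/log/messages and /var/log/secure contain.

```shell
# Added example, not cPanel's code. Constructed sample log lines in the
# pam_unix format that atd, crond and sshd write on CentOS 6.
SAMPLE_LOG='Apr  9 03:15:01 host atd[1234]: pam_unix(atd:session): session opened for user root by (uid=0)
Apr  9 03:15:01 host crond[1240]: pam_unix(crond:session): session opened for user root by (uid=0)
Apr  9 03:16:22 host sshd[1301]: Accepted password for root from 192.0.2.10 port 52211 ssh2
Apr  9 03:16:22 host sshd[1301]: pam_unix(sshd:session): session opened for user root by (uid=0)'

# Read a log file if one is given, otherwise use the embedded sample.
log_input() {
    if [ $# -gt 0 ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Root sessions opened by the local schedulers: expected noise, no remote peer.
local_root_sessions() {
    log_input "$@" | grep -E 'pam_unix\((atd|crond):session\): session opened for user root'
}

# Root logins accepted by sshd from a network address: the ones worth reviewing.
remote_root_logins() {
    log_input "$@" | grep -E 'sshd\[[0-9]+\]: Accepted [a-z]+ for root from ([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Source addresses of remote root logins, one per line.
remote_root_ips() {
    remote_root_logins "$@" | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2
}

# Counts for a quick daily summary (tr strips the padding some wc builds emit).
count_local()  { local_root_sessions "$@" | wc -l | tr -d ' '; }
count_remote() { remote_root_logins "$@"  | wc -l | tr -d ' '; }

# Usage: run against the sample, or pass /var/log/messages as the argument.
echo "local scheduler root sessions: $(count_local)"
echo "remote root logins: $(count_remote)"
remote_root_ips
```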
     