Root access alert, serious or not?

Jonathan More

Active Member
Apr 21, 2011
33
0
56
Hi, I received the following email notification from my server:

WHM/cPanel root access alert from 77.30.66.116 (SA/Saudi Arabia/-)
Time: Wed Aug 15 06:55:46 2012 +0300
IP: 77.30.66.116 (SA/Saudi Arabia/-)
User: root

Since I am the only one with the password and nowhere even near Saudi Arabia, I got a little worried.
I have a dedicated server with very limited support, so I asked them about this. They basically just logged into the account and said it should not be compromised since they got in, but asked me to change the root password, which I did.

Does this notification mean that someone really got in? Is there something I could do to investigate this further?
I'm not too familiar with running a server, so any help would be greatly appreciated!
 

Jonathan More

Thanks, I did find 85 lines with that IP in the log.

Here is the link /http://www.testisivut.fi/log.txt to those lines; can they tell anything about what was going on?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
43
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
They appear to have primarily been looking at bandwidth per that log.

Could you check /var/log/secure to ensure that IP isn't showing up there? That's even more serious as it's going to be SSH access if you see sshd entries for that IP with root login.

Also, did you already go ahead and block the IP? If not, I'd highly suggest doing so.
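The check cPanelTristan describes, as an added example that is not part of the original thread: a small POSIX shell script that scans a /var/log/secure-style log for sshd entries from one address and separates accepted root logins (the serious case) from accepted non-root logins and failed attempts. The log lines are constructed for the demo, reusing the IP from the alert in the first post; on a real server you would point the functions at /var/log/secure instead.

```shell
# Added example, not from the forum thread: classify sshd entries in a
# /var/log/secure-style log for one source IP. The sample log below is
# constructed; on a cPanel server use /var/log/secure as the LOGFILE.

# Escape the dots in a dotted-quad so grep -E treats them literally.
ip_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Accepted sshd logins from IP as root (password or key): the case the
# thread calls "even more serious". grep -c prints 0 and exits 1 on no
# match, so "|| true" keeps the count usable under "set -e".
count_root_logins() {           # usage: count_root_logins LOGFILE IP
    grep -c -E "sshd\[[0-9]+\]: Accepted [a-z]+ for root from $(ip_regex "$2") port" "$1" || true
}

# Accepted sshd logins from IP as any user.
count_accepted_logins() {       # usage: count_accepted_logins LOGFILE IP
    grep -c -E "sshd\[[0-9]+\]: Accepted [a-z]+ for [^ ]+ from $(ip_regex "$2") port" "$1" || true
}

# Failed password attempts from IP, including "invalid user" guesses.
count_failed_logins() {         # usage: count_failed_logins LOGFILE IP
    grep -c -E "sshd\[[0-9]+\]: Failed password for (invalid user )?[^ ]+ from $(ip_regex "$2") port" "$1" || true
}

# One-line verdict for a given address.
sshd_verdict() {                # usage: sshd_verdict LOGFILE IP
    root=$(count_root_logins "$1" "$2")
    acc=$(count_accepted_logins "$1" "$2")
    failed=$(count_failed_logins "$1" "$2")
    if [ "$root" -gt 0 ]; then
        echo "ROOT SSH LOGIN from $2: $root accepted as root, $failed failed"
    elif [ "$acc" -gt 0 ]; then
        echo "accepted non-root sshd login(s) from $2: $acc accepted, $failed failed"
    elif [ "$failed" -gt 0 ]; then
        echo "no accepted login from $2, $failed failed attempts"
    else
        echo "no sshd activity from $2"
    fi
}

# Constructed sample log: two failures then a success as root from the
# alert IP, one key login by another user, and a guess from a near-miss IP
# (77.30.66.11) that a sloppy substring match would confuse with .116.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug 15 06:55:40 server sshd[12345]: Failed password for root from 77.30.66.116 port 51234 ssh2
Aug 15 06:55:44 server sshd[12345]: Failed password for root from 77.30.66.116 port 51234 ssh2
Aug 15 06:55:46 server sshd[12345]: Accepted password for root from 77.30.66.116 port 51234 ssh2
Aug 15 07:10:02 server sshd[12390]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
Aug 15 07:12:30 server sshd[12401]: Failed password for invalid user admin from 77.30.66.11 port 4022 ssh2
EOF

sshd_verdict "$SAMPLE_LOG" 77.30.66.116   # ROOT SSH LOGIN from 77.30.66.116: 1 accepted as root, 2 failed
sshd_verdict "$SAMPLE_LOG" 10.0.0.5       # accepted non-root sshd login(s) from 10.0.0.5: 1 accepted, 0 failed
sshd_verdict "$SAMPLE_LOG" 77.30.66.11    # no accepted login from 77.30.66.11, 1 failed attempts
```

The pattern anchors on " from IP port" so that 77.30.66.11 and 77.30.66.116 are never confused. Note that a WHM login through the web interface is not an sshd session and leaves nothing in /var/log/secure; the WHM/cPanel root access alert comes from cPanel's own login logging under /usr/local/cpanel/logs/, so a clean /var/log/secure rules out an SSH shell login but not the web login the alert already reported.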
 

Jonathan More

/var/log/secure was clean.
I did block the IP now, isn't that best done with the "quick deny" option?

So could it be that nothing too bad got to happen this time?



edit: Could I also ask about the firewall? I have lately been getting temp block alerts from strange IPs, as follows. The IP has different variations in that same long format. What is this about?

Time: Thu Aug 16 09:50:29 2012 +0300
IP: 2a00:1450:8005:0000:0000:0000:0000:001b (-/-/ey-in-x1b.1e100.net)
Hits: 11
Blocked: Temporary Block

Should I manually block some IPs that keep causing temp block alerts again and again?
 

Jonathan More

No, there are no other IPs logged in as root. That's a good sign, I think?
Hopefully, now that I have changed the password, it should all be covered again?

For the future, would it be best to change the password from time to time? Is there a need to change the root username to something else?

Thanks for all the help!
 

gvard

Well-Known Member
PartnerNOC
Dec 22, 2003
215
10
168
Athens/GREECE
cPanel Access Level
DataCenter Provider
In order to be on the safe side, I would check the domlogs to see if that IP had any strange behaviour on a user's website (maybe a PHP shell which took advantage of an old kernel exploit and escalated to root privileges or installed anything on the server).

Code:
grep 77.30.66.116 /usr/local/apache/domlogs/*
Also check /var/log/messages to see if the user uploaded something to an account via FTP

Code:
grep 77.30.66.116 /var/log/messages*
(after you unzipped the messages compressed file of that day).
 

Jonathan More

Code:
grep 77.30.66.116 /usr/local/apache/domlogs/*
Also check /var/log/messages to see if the user uploaded something to an account via FTP

Code:
grep 77.30.66.116 /var/log/messages*
(after you unzipped the messages compressed file of that day).
Could you clarify this process a bit more? Is that code for something that checks all the client accounts automatically?
Where do I run that command?
 

cPanelTristan

You'd run the commands in root SSH. grep searches a file from the command line. It isn't code but bash shell commands.
 

Jonathan More

I am a total beginner outside the WHM interface, so bear with me just a little bit longer.
I did run those commands in PuTTY, but nothing visible happened?

(after you unzipped the messages compressed file of that day).
I didn't understand this either; where are those compressed files?
 

niladam

Member
Aug 29, 2007
13
0
51
Romania
cPanel Access Level
Root Administrator
Those files are located in /var/log/; look for .gz files. You'll need gunzip to decompress them. If you're not familiar with the Linux console, I suggest you leave that to someone who is, as you're surely going to break something soon.
 

Jonathan More

Thank you, niladam, I went through those files. There were 13 GZ files, and that IP showed up only once, in exim_mainlog.3, with the root access alert comment, at the same time as the original notification.
 

cPanelTristan

Of note, there's no reason to unzip a compressed file to search it. You can use zgrep to search a compressed file instead of grep. I've seen people unzip the files for no reason, since they must not be familiar with zgrep.
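An added example, not part of the original thread, that covers both gvard's grep commands and cPanelTristan's zgrep point: one shell function that searches a source IP across rotated logs, plain and gzip-compressed alike, without decompressing anything. The log directory and every log line in it are constructed for the demo (they mimic /var/log/messages*, an exim_mainlog rotation and an Apache domlog); on a cPanel box you would pass the real paths, for example /var/log/messages* or /usr/local/apache/domlogs/*.

```shell
# Added example, not from the forum thread. zgrep reads .gz files and
# plain files alike, so rotated logs never need to be unzipped to search.
# The sample log directory below is constructed for the demo.

# Print "file:line" for every line mentioning IP in the given files.
# -F: literal string, -w: whole word, so searching 77.30.66.11 does not
# also hit 77.30.66.116. Exit status is 0 whether or not anything matched.
ip_hits() {                     # usage: ip_hits IP FILE...
    ip="$1"; shift
    zgrep -H -F -w -e "$ip" "$@" 2>/dev/null || true
}

# Number of matching lines across the given files.
ip_hit_count() {                # usage: ip_hit_count IP FILE...
    ip_hits "$@" | wc -l | tr -d ' '
}

# Constructed sample logs: a current plain messages file (only an lfd
# block for the IPv6 address from the thread), a rotated gzip messages
# file with two FTP lines from the alert IP, a rotated gzip exim_mainlog
# carrying the alert mail itself, and a domlog-style access log.
LOGDIR=$(mktemp -d)
printf '%s\n' \
  'Aug 16 09:50:29 server lfd[2211]: *Blocked in csf* 2a00:1450:8005:0000:0000:0000:0000:001b (-/-/ey-in-x1b.1e100.net): 11 in the last 3600 secs' \
  > "$LOGDIR/messages"
printf '%s\n' \
  'Aug 15 06:56:02 server pure-ftpd: (?@77.30.66.116) [INFO] New connection from 77.30.66.116' \
  'Aug 15 06:56:10 server pure-ftpd: (user1@77.30.66.116) [NOTICE] /home/user1//public_html/up.php uploaded (2048 bytes, 31.5KB/sec)' \
  | gzip -c > "$LOGDIR/messages-20120815.gz"
printf '%s\n' \
  '2012-08-15 06:55:46 1T1a2b-0001Ab-Cd <= root@server U=root P=local S=512 T="WHM/cPanel root access alert from 77.30.66.116" for admin@example.com' \
  | gzip -c > "$LOGDIR/exim_mainlog.3.gz"
printf '%s\n' \
  '77.30.66.116 - - [15/Aug/2012:06:58:01 +0300] "GET /index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"' \
  '203.0.113.4 - - [15/Aug/2012:07:01:44 +0300] "GET /robots.txt HTTP/1.1" 404 210 "-" "curl/7.19"' \
  > "$LOGDIR/example.com"

ip_hits 77.30.66.116 "$LOGDIR"/*            # four file:line hits, two of them inside .gz files
echo "hits: $(ip_hit_count 77.30.66.116 "$LOGDIR"/*)"   # hits: 4
echo "hits: $(ip_hit_count 77.30.66.11 "$LOGDIR"/*)"    # hits: 0
```

The -w flag is what keeps the near-miss address 77.30.66.11 from matching inside 77.30.66.116; plain grep of a dotted IP without it (or without escaping the dots) over-matches. Blocking the address in the firewall after this search is the right order: it stops further traffic but removes nothing from the history you are grepping.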