The Community Forums


Root access alert, serious or not?

Discussion in 'Security' started by Jonathan More, Aug 15, 2012.

  1. Jonathan More

    Jonathan More Active Member

    Joined:
    Apr 21, 2011
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Hi, I received the following email notification from my server:

    WHM/cPanel root access alert from 77.30.66.116 (SA/Saudi Arabia/-)
    Time: Wed Aug 15 06:55:46 2012 +0300
    IP: 77.30.66.116 (SA/Saudi Arabia/-)
    User: root

    Since I am the only one with the password and not anywhere even near Saudi Arabia, I got a little worried.
    I have a dedicated server with very limited support, so I asked them about this. They basically just logged into the account and said it should not be compromised since they got in, but asked me to change the root password, which I did.

    Does this notification mean that someone really got in? Is there something I could do to investigate this further?
    I'm not too familiar with running a server so any help would be greatly appreciated!
     
  2. LDHosting

    LDHosting Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    93
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    That looks like the alert from Configserver Firewall (CSF) and I certainly wouldn't ignore it. It does indicate that someone logged into cPanel/WHM using the root username.

    I would start by checking /usr/local/cpanel/logs/access_log to see what was going on around that time.
     
  3. Jonathan More

    Jonathan More Active Member

    Joined:
    Apr 21, 2011
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Thanks, I did find 85 lines with that IP in the log.

    Here is the link http://www.testisivut.fi/log.txt to those lines; can they tell anything about what was going on?
     
    #3 Jonathan More, Aug 15, 2012
    Last edited: Aug 15, 2012
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    They appear to have primarily been looking at bandwidth per that log.

    Could you check /var/log/secure to ensure that IP isn't showing up there? That's even more serious as it's going to be SSH access if you see sshd entries for that IP with root login.

    Also, did you already go ahead and block the IP? If not, I'd highly suggest doing so.
     
  5. Jonathan More

    Jonathan More Active Member

    Joined:
    Apr 21, 2011
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    /var/log/secure was clean.
    I did block the IP now, isn't that best done with the "quick deny" option?

    So could it be that nothing too bad got to happen this time?

    edit: Could I also ask about the firewall? I have lately been getting temp block alerts from strange IPs as follows. The IP has different variations with that same long format. What is this about?

    Time: Thu Aug 16 09:50:29 2012 +0300
    IP: 2a00:1450:8005:0000:0000:0000:0000:001b (-/-/ey-in-x1b.1e100.net)
    Hits: 11
    Blocked: Temporary Block

    Should I manually block some IPs that keep causing temp block alerts again and again?
     
    #5 Jonathan More, Aug 16, 2012
    Last edited: Aug 16, 2012
  6. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    195
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Do you see any more IPs in the access_log, apart from this IP, which have also logged in as root (and aren't you, of course)?
     
  7. Jonathan More

    Jonathan More Active Member

    Joined:
    Apr 21, 2011
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    No, there are no other IPs logged in as root. That's a good sign, I think?
    Hopefully now that I've changed the password, it should all be covered again?

    For the future, would it be best to change the password from time to time? Is there a need to change the root username into something else?

    Thanks for all the help!
     
  8. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    195
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    In order to be on the safe side, I would check the domlogs to see if that IP had any strange behaviour on a user's website (maybe a PHP shell which took advantage of an old kernel exploit and escalated to root privileges or installed anything on the server).

    Code:
    grep 77.30.66.116 /usr/local/apache/domlogs/*
    Also check /var/log/messages to see if the user uploaded something to an account via FTP

    Code:
    grep 77.30.66.116 /var/log/messages*
    (after you have unzipped the compressed messages file of that day).
     
    #8 gvard, Aug 18, 2012
    Last edited: Aug 18, 2012
  9. denny.j

    denny.j Member

    Joined:
    Apr 21, 2012
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
  10. d'argo

    d'argo Active Member

    Joined:
    Jul 4, 2012
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I'll second that. Direct root logins should be disabled.
     
  11. Jonathan More

    Jonathan More Active Member

    Joined:
    Apr 21, 2011
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Could you clarify this process a bit more? Is that code for something to check all the client accounts automatically?
    Where do I run that command?
     
  12. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You'd run the commands in root SSH. grep searches a file on the command line. It isn't code but bash shell commands.
     
  13. Jonathan More

    Jonathan More Active Member

    Joined:
    Apr 21, 2011
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    I am a total beginner outside the WHM interface, so bear with me just a little bit longer.
    I did run those commands in PuTTY but nothing visible happened?

    I also didn't understand this: where are those compressed files?
     
  14. niladam

    niladam Member

    Joined:
    Aug 29, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Those files are located in /var/log/; look for .gz files. You'll need gunzip to decompress them. If you're not familiar with the Linux console, I suggest you leave that to someone who is, as you're surely gonna break something soon.
     
  15. Jonathan More

    Jonathan More Active Member

    Joined:
    Apr 21, 2011
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Thank you, niladam, I went through those files. There were 13 GZ files and only once did that IP show up, in exim_mainlog.3, with a root access alert comment; that was the same time as the original notification.
     
  16. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Of note, there's no reason to unzip a compressed file to search it. You can use zgrep to search a compressed file instead of grep. I've seen people unzip the files for no reason, since they must not be familiar with zgrep.
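An added example (not code from this thread, from cPanel or from CSF) that does the sweep gvard and cPanelTristan describe: it searches the cPanel access_log, /var/log/secure and a compressed messages file for one IP with zgrep, so compressed logs never need to be unzipped, and separately checks for the serious case of an SSH root login from that IP. It runs offline against constructed sample lines in a temporary directory; the log formats are simplified approximations and the function names are my own.

```shell
# Added example (not from the thread): an offline stand-in for the log sweep
# the posts describe. make_sample_logs writes CONSTRUCTED lines into a temp
# directory so nothing under /var/log is touched; the helpers work on real files too.

search_log() {
  # $1 = fixed string (the IP), $2 = log file, plain or gzip-compressed.
  # zgrep reads .gz files directly, so nothing needs gunzipping first;
  # gzip -cdf is the same trick by hand if zgrep is missing.
  if command -v zgrep >/dev/null 2>&1; then
    zgrep -F "$1" "$2" || true
  else
    gzip -cdfq "$2" | grep -F "$1" || true
  fi
}

count_ip_hits() {  # prints how many lines of $2 mention IP $1
  search_log "$1" "$2" | wc -l | tr -d ' '
}

ssh_root_logins() {  # sshd lines in $2 where root was accepted from IP $1 (the serious case)
  search_log "$1" "$2" | grep 'sshd\[' | grep -F 'Accepted' | grep -F 'for root' || true
}

sweep_logs() {  # $1 = IP, $2 = log directory; prints "file:count" for each file with hits
  for f in "$2"/*; do
    n=$(count_ip_hits "$1" "$f")
    if [ "$n" -gt 0 ]; then echo "$(basename "$f"):$n"; fi
  done
}

make_sample_logs() {  # writes the constructed logs and prints their directory
  d=$(mktemp -d)
  printf '%s\n' \
    '77.30.66.116 - root [08/15/2012:06:55:46 -0000] "GET /json-api/showbw HTTP/1.1" 200 0' \
    '77.30.66.116 - root [08/15/2012:06:56:02 -0000] "GET /json-api/showbw HTTP/1.1" 200 0' \
    '203.0.113.10 - root [08/15/2012:07:10:00 -0000] "GET /json-api/version HTTP/1.1" 200 0' \
    > "$d/access_log"
  printf '%s\n' \
    'Aug 15 06:50:01 host sshd[2201]: Accepted publickey for root from 203.0.113.10 port 51022 ssh2' \
    > "$d/secure"
  printf '%s\n' \
    'Aug 15 06:57:12 host pure-ftpd: (?@77.30.66.116) [INFO] New connection from 77.30.66.116' \
    | gzip > "$d/messages.1.gz"
  echo "$d"
}

LOGS=$(make_sample_logs)
sweep_logs 77.30.66.116 "$LOGS"     # access_log:2, messages.1.gz:1; secure shows no hit
ssh_root_logins 77.30.66.116 "$LOGS/secure"   # prints nothing: no SSH root login from that IP
```

On a real server the same helpers would be pointed at /usr/local/cpanel/logs/access_log, /var/log/secure and /var/log/messages* instead of the temporary directory.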
     