The Community Forums


root access alert.

Discussion in 'Security' started by Spork Schivago, Feb 19, 2016.

  1. Spork Schivago
    Hi,

    I just got an e-mail from lfd saying:
    Code:
    (subject) lfd on franklin.mydomain.com: WHM/cPanel root access alert from 184.168.224.94 (US/United States/p3plvertigo01.prod.phx3.secureserver.net)
    
    (body)
    
    Time:    Fri Feb 19 10:32:06 2016 -0500
    IP:      184.168.224.94 (US/United States/p3plvertigo01.prod.phx3.secureserver.net)
    User:    root
    
    I look in /usr/local/cpanel/logs/login_log and see this:
    Code:
    [2016-02-18 19:02:53 -0500] info [cpsrvd] 184.168.224.94 - root "GET /json-api/listaccts HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
    [2016-02-19 20:12:44 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:46 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:46 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:46 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:47 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    [2016-02-19 20:12:47 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
    
    I don't see any information from that IP at 10:32 AM though. Does that mean someone got into my system? I also don't really understand why CSF didn't block 173.193.227.78 sooner from trying to get in. I do see 173.193.227.78 in the csf.deny log. I guess that's more of a question for the CSF people.

    I also got an e-mail message saying my hostname changed. But in WHM, I went to change it back and it said it was the same as it was...

    Looking in the access_log file, I see:

    Code:
    184.168.224.94 - root [01/19/2016:03:53:54 -0000] "GET /json-api/sethostname?hostname=jetbbs.secureserver.net HTTP/1.1" 200 0 "" "Python-urllib/2.6" "accesshash"
    
    ...
    
    184.168.224.94 - root [01/21/2016:23:34:00 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"
    184.168.224.94 - root [01/21/2016:23:35:41 -0000] "GET /json-api/sethostname?hostname=franklin.mydomain.com HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"
    
    ...
    
    184.168.224.94 - root [01/24/2016:06:27:30 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"
    
    ...
    
    184.168.224.94 - root [01/27/2016:02:33:51 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-" 2087
    184.168.224.94 - root [01/27/2016:02:33:58 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-" 2087
    184.168.224.94 - root [01/27/2016:02:34:06 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-" 2087
    184.168.224.94 - root [01/27/2016:02:34:09 -0000] "GET /login/?user=root&pass=__HIDDEN__ HTTP/1.1" 401 0 "" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-" "-" 2087
    
    
    etc.
    
    
    Could that IP address be GoDaddy and for some reason, they're logging into my server without telling me to do stuff? Or could it be cPanel? This kind of worries me. If it is GoDaddy, I'd like to think that they could at least let me know that they log in and do stuff. Getting a little worried here.
     
  2. Spork Schivago
    I see more recent stuff from other IP addresses, like this:
    Code:
    173.193.227.78 - - [02/20/2016:01:12:43 -0000] "GET / HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:47 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    173.193.227.78 - jetbbs [02/20/2016:01:12:47 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
    
    These IPs aren't mine. Are these IPs from people trying to hack into my site?
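    A defender's check built from the access_log layout quoted in the two posts above, as an added example that is not part of this thread or of cPanel's own tooling: it parses each line, flags root API calls from IPs outside a trusted list (noting whether the auth field shows access-hash authentication), flags hostname changes made through /json-api/sethostname, and counts 4xx login failures per IP. The trusted admin IP, the reading of "accesshash"/"a" in the auth field as access-hash authentication, and the sample lines (constructed after the quoted ones) are assumptions.

    ```python
    import re
    from collections import Counter

    # Layout of one cpsrvd access_log line as quoted in the thread:
    # IP - user [timestamp] "request" status bytes "referer" "user-agent" "auth" "-" port
    LINE_RE = re.compile(
        r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
        r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<auth>[^"]*)")?'
    )
    # Assumption: "accesshash" (older lines) or "a" in the auth field marks a request
    # authenticated with the WHM root access hash rather than a password or session.
    HASH_AUTH = {"accesshash", "a"}
    # Assumption: the only address that should be using root's API is the admin's own.
    TRUSTED_IPS = {"203.0.113.10"}
    # Constructed sample lines, modelled on the ones quoted in the posts above.
    SAMPLE_LINES = [
        '184.168.224.94 - root [01/19/2016:03:53:54 -0000] "GET /json-api/sethostname?hostname=jetbbs.secureserver.net HTTP/1.1" 200 0 "" "Python-urllib/2.6" "accesshash"',
        '184.168.224.94 - root [01/21/2016:23:34:00 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"',
        '184.168.224.94 - root [01/27/2016:02:34:09 -0000] "GET /login/?user=root&pass=__HIDDEN__ HTTP/1.1" 401 0 "" "curl/7.19.7" "-" "-" 2087',
    ] + [
        '173.193.227.78 - jetbbs [02/20/2016:01:12:4%d -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083' % i
        for i in range(4, 9)
    ]

    def parse_line(line):
        """Split one access_log line into its fields; None if the line does not match."""
        m = LINE_RE.match(line.strip())
        return m.groupdict() if m else None

    def audit(lines, trusted_ips=TRUSTED_IPS, fail_threshold=5):
        """Return (ip, reason) findings: root API use from untrusted IPs, hostname changes via the API, and IPs with many failed logins."""
        findings, failures = [], Counter()
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            path = rec["req"].split()[1] if " " in rec["req"] else rec["req"]
            if rec["status"].startswith("4"):          # 401/403: a failed login attempt
                failures[rec["ip"]] += 1
                continue
            if rec["user"] == "root" and rec["ip"] not in trusted_ips:
                how = "access hash" if rec["auth"] in HASH_AUTH else "session/password"
                findings.append((rec["ip"], "root API call via %s from untrusted IP: %s" % (how, path)))
            if path.startswith("/json-api/sethostname"):
                findings.append((rec["ip"], "hostname changed via API: %s" % path))
        for ip, n in failures.items():
            if n >= fail_threshold:
                findings.append((ip, "%d failed logins (possible brute force)" % n))
        return findings
    ```

    To run it over the real log, pass `open("/usr/local/cpanel/logs/access_log")` (the cpsrvd access log, assumed here to sit beside login_log) as `lines` and your own management IPs as `trusted_ips`.
    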
     
  3. SysSachin
    Hi,
    I can see that the IP is with GoDaddy's ISP. You can check at ip-tracker.org.

    You can contact them for further information.
     
  4. ElviCities
    It looks like a script kiddie using a GoDaddy-hosted server/VPS accessed your server. The fact that you had a bunch of failed login attempts, then a successful one, is quite worrisome.
    A reinstall of your server is most likely warranted, since it has been compromised. Then be sure to have ModSecurity installed with the latest rulesets.
     
  5. Spork Schivago
    Thank you SysSachin. I believe you're right. Someone seems to have added that IP address to my csf.allow file. If I block it, GoDaddy's server backup fails. How can I tell if the IP address belongs to GoDaddy itself vs. a GoDaddy customer? I noticed that if, in ip-tracker.org, I type my domain's IP address, I see the GoDaddy stuff... I get a lot of traffic from IP addresses that show GoDaddy on the ip-tracker.org site. It's just hard to tell which ones are GoDaddy and which ones are people who rent servers from GoDaddy.

    I tried contacting them via abuse@godaddy.com but never got a reply. Perhaps if I contact them via online chat, I could get an answer as to what IPs I should always allow through the firewall. Thanks!
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello :)

    You will need to contact their technical support department to have them verify if it's an IP address of one of their staff members.

    Thank you.
     
  7. Spork Schivago
    Gotcha. I will contact them now and see if they can give me a list of IPs that I should whitelist.
     