
Server to server root login

Discussion in 'Security' started by CoreISP.net, Oct 14, 2010.

  1. CoreISP.net

    CoreISP.net Active Member

    Joined:
    May 25, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Hello Folks,

    I have a, to me, strange issue with 2 of my servers.
    At almost exactly 1AM every day, one server logs in to the other server WHM as root.
    This goes one way, it's always server A connecting to server B. Never reversed.

    I have no idea why it does it. It doesn't store backups there, nor does it require any data from that server. No DNS cluster, no MySQL, nothing.
    All I did do was move some sites between those servers, terminated the account on the source server after the move. And even disregarding the move, it was not doing this before. It started doing it a couple of weeks ago and I can't recall any action on my part that would make it require a login to root WHM. No account moves have taken place anymore between those two.
    I can't really find the cron job responsible for this login, so I'm wondering what this is.

    Anyone got an idea what this may very well be or what I am possibly missing?
     
    #1 CoreISP.net, Oct 14, 2010
    Last edited: Oct 14, 2010
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    First of all, how do you know the one machine is logging into the other machine as root into WHM? What log or alert is telling you this is happening? Please provide the data on what it is showing.

    There is an access log for WHM at /usr/local/cpanel/logs/access_log, so if that machine is actually logging into the other machine for WHM, it should show up there as well.
     
  3. CoreISP.net

    CoreISP.net Active Member

    Hi,

    LFD firewall is showing me the notification. WHM Root alert.

    I looked it up in the log and it seems to be listing accounts.

    66.79.167.*** - root [10/24/2010:23:00:09 -0000] "GET /xml-api/listaccts HTTP/1.1" 200 0 "" ""
    66.79.167.*** - root [10/24/2010:23:00:09 -0000] "GET /xml-api/showbw HTTP/1.1" 200 0 "" ""

    And it does that every day.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    It's using the xml-api calls, which is a way to get data from WHM. It's getting the account list and bandwidth. Are you certain you don't have a script on the one server set to grab data from the other server? Check your cron jobs in /var/log/cron on the server logging into the other one around that time as it's likely being called by a cron job.
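
The daily pattern described in this thread can be pulled out of the WHM access log mechanically. The following is an added example, not part of the original posts and not cPanel's own tooling: it parses lines in the format quoted above and reports source IPs that make root xml-api calls in the same hour on more than one day. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout as quoted in the thread:
# <ip> - <user> [MM/DD/YYYY:HH:MM:SS -0000] "<method> <path> HTTP/x.y" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) '
)

def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["when"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return rec

def recurring_root_api_clients(lines, min_days=2):
    """Map (ip, hour) -> sorted xml-api paths called as root in that hour
    on at least min_days distinct days."""
    days, paths = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != "root":
            continue
        if not rec["path"].startswith("/xml-api/"):
            continue
        key = (rec["ip"], rec["when"].hour)
        days[key].add(rec["when"].date())
        paths[key].add(rec["path"].split("?", 1)[0])
    return {k: sorted(paths[k]) for k in days if len(days[k]) >= min_days}

# Constructed sample lines (documentation-range IPs), not from a real server.
SAMPLE = """\
192.0.2.10 - root [10/23/2010:23:00:09 -0000] "GET /xml-api/listaccts HTTP/1.1" 200 0 "" ""
192.0.2.10 - root [10/23/2010:23:00:09 -0000] "GET /xml-api/showbw HTTP/1.1" 200 0 "" ""
192.0.2.10 - root [10/24/2010:23:00:09 -0000] "GET /xml-api/listaccts HTTP/1.1" 200 0 "" ""
192.0.2.10 - root [10/24/2010:23:00:09 -0000] "GET /xml-api/showbw HTTP/1.1" 200 0 "" ""
198.51.100.7 - root [10/24/2010:14:12:31 -0000] "GET /xml-api/listaccts HTTP/1.1" 200 0 "" ""
192.0.2.10 - reseller1 [10/24/2010:23:05:00 -0000] "GET /xml-api/listaccts HTTP/1.1" 200 0 "" ""
not an access_log line
"""

if __name__ == "__main__":
    for (ip, hour), calls in recurring_root_api_clients(SAMPLE.splitlines()).items():
        print(f"{ip} calls {calls} as root around {hour:02d}:00 on multiple days")
```

Fed the lines of /usr/local/cpanel/logs/access_log from the receiving server, the reported source IP and hour give the window to look at in /var/log/cron on the server making the calls.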
     