The Community Forums


someone logged into WHM via root and it wasn't me.

Discussion in 'General Discussion' started by betoranaldi, Jul 23, 2009.

  1. betoranaldi

    betoranaldi Well-Known Member

    Joined:
    Dec 5, 2007
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
I got an lfd alert late last night that someone had logged into WHM with root access.

    Everything seems in order, but is there any way I can tell (by looking in logs, etc.) if anything was changed?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You might start by checking the exact time on the email against the time of night cpupdates run.
    (and of course change your password just to be sure you're locked down well)
     
  3. betoranaldi

    betoranaldi Well-Known Member

    Joined:
    Dec 5, 2007
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Sorry for the foolish question but how do I find out what time cpupdates runs? Is that a setting somewhere?

    The first thing I did was change my password :)
     
  4. DolphinEcho

    DolphinEcho Registered

    Joined:
    Jul 11, 2009
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
In the email from LFD there should have been an IP address. Have you checked the location and then taken it from there? You can check an IP location somewhere like DNSstuff.

    Was your old password an easy-to-guess one?
    Do you know if they did anything like delete or add an account?

    I presume they were referring to UPCP. When UPCP runs on my server, I normally get an email once it has finished.
     
    #4 DolphinEcho, Jul 23, 2009
    Last edited: Jul 23, 2009
  5. betoranaldi

    betoranaldi Well-Known Member

    Joined:
    Dec 5, 2007
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    The first thing I checked was the location of the IP address. It showed up as being only a town away from where I am located.

Doing a search with DNSstuff just now revealed that it actually occurred from my place of employment (very interesting, since I was definitely at home when the "breach" occurred).

    My password was very secure and I change it every other month.

    With the additional information I received from DNSstuff I feel a little better about the whole thing.

    It would still be nice if I could figure out whether anything major was done. There are no additional accounts or services added, and my SSH password auth remained off. Is there a way I can clear all keys for SSH?
     
  6. logicsupport

    logicsupport Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
Hi,

    1) First you need to change the root password.

    2) Check the logs thoroughly.

    3) Scan the server using the latest scanning tools.

    4) Try to find out everything that guy did.

    Hope that you have disabled direct root login in the server.
     
  7. betoranaldi

    betoranaldi Well-Known Member

    Joined:
    Dec 5, 2007
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Yes, direct root login has been disabled.

I still need to skim through the logs. Do you have any suggestions where I should start looking first?

    I work for a rather large company, so I am inclined to believe that it was just an IT guy fooling around and seeing if it would actually work. They do monitor network traffic/computer usage at the office.
     
  8. Janak

    Janak Well-Known Member

    Joined:
    Jul 18, 2009
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    6
    I think you should probably look into cPanel access logs. The location of cPanel logs would be /usr/local/cPanel/logs/access_log

    Thanks!
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Actually cpanel is entirely lowercase in that path ;).
     
  10. betoranaldi

    betoranaldi Well-Known Member

    Joined:
    Dec 5, 2007
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Yes it is :)

After looking through the rather large (166 MB) access_log file, I don't see any access at that time from the IP that the email had indicated.

    I didn't get any shell login notifications and no new accounts were created.

    Could it be just a fluke?

    Thanks
    Brian
     
  11. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Might be best to ask the folks who make lfd if it is a fluke: ConfigServer Services
     