
Someone Login in my WHM, it was not me!

Discussion in 'Security' started by Slatko, Feb 16, 2011.

  1. Slatko

    Slatko Member

    Hello
    Today I got an email that someone logged in to WHM as root, but it was not me.
    I checked the IP; it was from Germany, the same city as me.

    First I changed the root password in WHM, then I deleted my SSH keys.
    And did a reboot; after the reboot I logged in via SSH, changed the root password again and rebooted again.

    So then I went into WHM and checked what he had done.
    I found only one thing he had done: changed Automatic Updates to Disabled.
    Maybe it's a security failure in cPanel and he doesn't want me to update it, or he didn't have enough time to do more.
    He only had 1-2 minutes (then I changed the password and everything).
    I ran a ClamAV, rkhunter and chkrootkit scan; all show OK.

    I use IDF, so it was not a brute-force attack!!!
    How did he get into my WHM?????
    I use Ubuntu only to manage my servers.
    I checked my WLAN; nobody else has used it (and if he had used it, his IP would have been no different from mine).

    Does anybody know how he got into my WHM on the first try?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    He had to know your password or have the same SSH key as you did. Are you certain you didn't provide the password to anyone? You are going to have to scan your local system where you normally log into WHM for any possible trojans or malware to see if there's a possible infection. Even if it is Ubuntu, it's possible that there is something that logged your password and allowed this user to have it.

    Also, did you ever provide the password to anyone else in the past to assist with updates or administration on the server?

    I do suggest blocking, in your firewall, the IP that the user logged into the machine from as well.
     
  3. Slatko

    Slatko Member

    Thank you
    I blocked the IP directly.
    I will reinstall my Ubuntu tomorrow or maybe later.
    Yes, I gave a friend the password; he is using Windows 7 and has done a virus scan.
    I have checked everything; the only thing that was changed was Automatic Updates set to Disabled.
    And in my logs on the server I found the IP only in the IDF log, where it says Login.
    I checked my WLAN, nobody was in it (because maybe he got it with Ettercap or Wireshark).
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I'd have to think it might be your friend's system then that was the issue even if the virus scan didn't return anything, especially since you don't control his system directly to see what might have happened on it.

    One additional suggestion I have here is that you can give your friend a wheel group user that can sudo su - to root and then make that user a reseller with full root privileges in WHM's Resellers area. I'd give him that password in the future if you need to provide access rather than the root password. This way, if that user is the issue rather than the root user next time for an invalid login from a non-authorized IP, you can see it was that user instead of root to narrow it down.

    You can also use WHM > Host Access Control area to block sshd and whostmgrd services from any IPs other than those you authorize, preventing anyone who isn't at an approved IP from getting onto the machine in root SSH and/or WHM entirely. Please note that the allow lines for the IP must be above the deny lines in Host Access Control area. If you have any questions on using that area, please let us know.
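    The ordering caveat above (allow lines before deny lines), as an added example that is not cPanel's own code: a small first-match evaluator for the `daemon : client-list : allow|deny` lines that Host Access Control writes. It uses simplified TCP wrappers matching (ALL, exact address, CIDR prefix), and the IPs are constructed sample values.

```python
import ipaddress

def parse_rules(text):
    """Parse 'daemon : client-list : allow|deny' lines; '#' comments and blanks
    are skipped. Simplified TCP wrappers syntax, not full hosts_options(5) (assumption)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, clients, action = (f.strip() for f in line.split(":", 2))
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported action in rule: {raw!r}")
        rules.append((daemon, [c.strip() for c in clients.split(",")], action))
    return rules

def _client_matches(pattern, ip):
    # ALL, an exact address, or a CIDR prefix such as 203.0.113.0/24
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def decide(rules, daemon, ip):
    """First matching rule wins, as TCP wrappers does; no match means allow."""
    for rule_daemon, clients, action in rules:
        if rule_daemon in (daemon, "ALL") and any(_client_matches(c, ip) for c in clients):
            return action
    return "allow"

# Constructed sample: the admin's own address is 203.0.113.10 (documentation range).
CORRECT_ORDER = """
sshd : 203.0.113.10 : allow
whostmgrd : 203.0.113.10 : allow
sshd : ALL : deny
whostmgrd : ALL : deny
"""
WRONG_ORDER = """
sshd : ALL : deny
sshd : 203.0.113.10 : allow   # never reached: the deny line above matches first
"""

def demo():
    good, bad = parse_rules(CORRECT_ORDER), parse_rules(WRONG_ORDER)
    return {"admin_ssh": decide(good, "sshd", "203.0.113.10"),
            "stranger_whm": decide(good, "whostmgrd", "198.51.100.7"),
            "admin_ssh_wrong_order": decide(bad, "sshd", "203.0.113.10")}
```

With the deny line first, the admin's own allow line is never consulted and the admin is locked out of SSH, which is exactly the mistake the note above warns about.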
     
  5. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    There are many other services available that we can block, but none of them are working except sshd.

    I have tried to block my own IP for the FTP service, but I can still connect to the FTP server even though my IP is blocked.

    What could be the reason?
     