Suspicious bot Cpanel-HTTP-Client hitting our server

Discussion in 'Security' started by caisc, Mar 4, 2017.

  1. caisc

    caisc Well-Known Member

    Hello,

    Recently I have noticed a suspicious bot with user-agent "Cpanel-HTTP-Client" is hitting random sites on my server.

    Bot has random IPs; one IP that I tracked down was 188.165.1.62, it's an ovh.com IP from France.

    Here are a few domlog entries for this:

    Code:
    192.151.150.194 - - [04/Mar/2017:15:20:22 +0530] "GET /58A810076709351BB352D5A0F7A263A9.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
    192.151.150.194 - - [04/Mar/2017:15:20:22 +0530] "GET /4BD8B306C063E8DB7E48005F1390263A.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
    192.151.150.194 - - [04/Mar/2017:15:20:22 +0530] "GET /DF2BD665D1FB1672BDF4899ADB78D068.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
    188.165.1.62 - - [04/Mar/2017:15:28:25 +0530] "GET /CCCBFFF482A7B1141E29B334DED8B533.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
    188.165.1.62 - - [04/Mar/2017:15:28:25 +0530] "GET /7C87B9F2240EAC4147670392155C21BE.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
    188.165.1.62 - - [04/Mar/2017:15:28:25 +0530] "GET /AD5E703D0406C3522A145EEACCD8BB28.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
    
    Is this a cPanel bot that is crawling the sites, or some other fake bot?

    Thanks
     
  2. Jcats

    Jcats Well-Known Member

    So what I think is happening is that those are servers where the domains USED to reside, and their AutoSSL checker is still running on the domains, as they most likely still exist on that server, but since the DNS is pointing to your server, they are now hitting your server.

    If you go to each IP:
    - Removed -

    You can see they are cPanel servers as well.

    It's safe to ignore them; they are not doing anything malicious. Once the domains are removed from the old server, they will stop.
     
    #2 Jcats, Mar 4, 2017
    Last edited by a moderator: Mar 4, 2017
  3. caisc

    caisc Well-Known Member

    @Jcats I don't think so, because some domains have been hosted with us for a long time and never used an OVH server. Random domains and random bot IPs give me the feel of a fake bot pretending to be from cPanel.
     
    #3 caisc, Mar 4, 2017
    Last edited: Mar 4, 2017
  4. Jcats

    Jcats Well-Known Member

    Not sure what else it could be; I don't see the significance behind what they are trying to do. They are trying to find locations of scripts that are used to simply verify the ownership of a domain. Even if they did hit on one of the files, it contains no information at all that can be used in any way.

    Try grepping those IPs through all your domlogs and see if they are doing anything else. If it seems malicious, just block the IPs.

    Code:
    # grep -rF -e '192.151.150.194' -e '188.165.1.62' /usr/local/apache/domlogs/
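The check suggested in the post above, as an added example that is not part of the original thread and is not cPanel code: it parses domlog lines, separates the probe shape quoted in the first post (GET of a 32-hex-character `.txt` file with the `Cpanel-HTTP-Client` user agent) from any other traffic, and lists the IPs that did both. The function names, the probe pattern derived from the quoted entries, and the last two sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format, matching the domlog entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed probe shape, taken from the quoted entries: /<32 uppercase hex chars>.txt
PROBE_RE = re.compile(r'^/[0-9A-F]{32}\.txt$')
UA_PREFIX = "Cpanel-HTTP-Client"

# First two lines are from the thread; the 203.0.113.7 lines are constructed.
SAMPLE = [
    '192.151.150.194 - - [04/Mar/2017:15:20:22 +0530] "GET /58A810076709351BB352D5A0F7A263A9.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"',
    '188.165.1.62 - - [04/Mar/2017:15:28:25 +0530] "GET /CCCBFFF482A7B1141E29B334DED8B533.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"',
    '203.0.113.7 - - [04/Mar/2017:15:30:01 +0530] "GET /0123456789ABCDEF0123456789ABCDEF.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"',
    '203.0.113.7 - - [04/Mar/2017:15:30:02 +0530] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Cpanel-HTTP-Client/1.0"',
]

def triage(lines):
    """Per client IP: count probe-shaped requests and keep everything else."""
    report = defaultdict(lambda: {"probes": 0, "probe_hits": 0, "other": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a log entry in the expected format
        entry = report[m["ip"]]
        is_probe = (m["method"] == "GET"
                    and PROBE_RE.match(m["path"]) is not None
                    and m["ua"].startswith(UA_PREFIX))
        if is_probe:
            entry["probes"] += 1
            if m["status"] == "200":
                entry["probe_hits"] += 1  # probe found an existing file
        else:
            entry["other"].append((m["method"], m["path"], m["status"]))
    return dict(report)

def needs_review(report):
    """IPs that sent the probe and also requested something else."""
    return sorted(ip for ip, e in report.items() if e["probes"] and e["other"])

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for ip in needs_review(rep):
        print(ip, rep[ip]["other"])
```

To run it over real logs, pass an open domlog file to `triage()` in place of `SAMPLE`.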
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @caisc,

    Could you open a support ticket using the link in my signature so we can take a closer look at the log files to see what's happening? Please post the ticket number here so we can update this thread with the outcome.

    Thank you.
     