
Suspicious entry in access log

Discussion in 'General Discussion' started by walt, Oct 30, 2015.

  1. walt (Member; joined Oct 30, 2015; Houston, Tx; cPanel Access Level: Website Owner)

    Hello, I found the lines below in my access logs. I can't see these files and folders from my file manager, yet the HTTP status codes for these accesses are 200. The strange thing is that my-web-site is the referring site, and the agent could be my own browser, Firefox. However, the request originates from Bangladesh and I am in Houston. Sounds like a stupid question, but is this something I should be concerned about?

    I have a shared hosting account.

    Code:
    103.242.217.102 - - [19/Oct/2015:11:38:23 -0500] "GET /cpanel HTTP/1.1" 200 8994 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
    103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/contentbox.jpg HTTP/1.1" 200 8846 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
    103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/headerbg.jpg HTTP/1.1" 200 9366 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
    103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
    

    Code:
    [~]# grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf ; httpd -v ; php -v ; mysql -V
    
    grep: /etc/redhat-release: No such file or directory
    /usr/local/cpanel/version:11.48.4.7
    /var/cpanel/envtype:standard
    grep: /etc/cpupdate.conf: No such file or directory
    -jailshell: httpd: command not found
    PHP 5.4.45 (cli) (built: Oct  5 2015 15:35:12)
    Copyright (c) 1997-2014 The PHP Group
    Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
      with the ionCube PHP Loader v4.7.4, Copyright (c) 2002-2014, by ionCube Ltd., and
      with Zend Guard Loader v3.3, Copyright (c) 1998-2013, by Zend Technologies
    mysql  Ver 14.14 Distrib 5.5.42-37.1, for Linux (x86_64) using readline 5.1
    
    
     
  2. madmanmachines (Well-Known Member; joined Nov 28, 2014; cPanel Access Level: Root Administrator)

    Hi,

    You are obtaining this from '/usr/local/apache/logs/access_log'. This logs requests to the server hostname, IP, or domains that resolve to the server but have no vhost. If you take your server IP and add the URIs above, you'll see these are cPanel files. Your domain logs are located at '/usr/local/apache/domlogs/'.

    Thanks,
     
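As an added example (not code from the original thread or from cPanel) of the distinction drawn in the reply above: a small Python script that parses the posted log lines in Apache's "combined" format and separates requests for paths the cPanel server maps to its own files from requests for files under the account's document root. The prefix list (/cpanel, /webmail, /whm, /img-sys, /cgi-sys) is the editor's assumption about which URL prefixes the server-wide cPanel Apache configuration aliases to files outside /home*/<user>/public_html, which is also why these paths never appear in the account's File Manager; confirm it against the server's httpd.conf. The first four sample lines are the ones quoted in the thread; the fifth (198.51.100.7, GET /index.php) is constructed for contrast.

```python
"""Split Apache access-log requests into those for paths cPanel serves from
its own installation and those for files under the account's document root.

Added example for this thread, not code from the original posts or from
cPanel. CPANEL_PREFIXES is an assumption about which URL prefixes the
server-wide cPanel Apache configuration maps (Alias/ScriptAlias) to files
outside /home*/<user>/public_html; confirm against the server's httpd.conf.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Sample input: the four lines quoted in the thread, plus one constructed
# line (TEST-NET address 198.51.100.7, GET /index.php) for contrast.
SAMPLE_LOG = """\
103.242.217.102 - - [19/Oct/2015:11:38:23 -0500] "GET /cpanel HTTP/1.1" 200 8994 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/contentbox.jpg HTTP/1.1" 200 8846 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/headerbg.jpg HTTP/1.1" 200 9366 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
198.51.100.7 - - [19/Oct/2015:12:01:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.43.0"
"""

# Assumed cPanel-served URL prefixes (see module docstring).
CPANEL_PREFIXES = ("/cpanel", "/webmail", "/whm", "/img-sys", "/cgi-sys")

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if the
    line does not match (truncated or differently formatted lines)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_cpanel_path(path):
    """True if the request path is one of the assumed cPanel prefixes or a
    file beneath one. Query strings and trailing slashes are ignored, and
    '/cpanelfoo' must not match '/cpanel'."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return any(path == p or path.startswith(p + "/") for p in CPANEL_PREFIXES)


def summarize(log_text):
    """Group requests by client IP: how many hit cPanel-served paths, how
    many hit the account's own document root, how many were sub-resources
    loaded by a cPanel page (Referer path is itself a cPanel path), plus
    the time window and the user agents seen."""
    by_ip = defaultdict(lambda: {
        "total": 0, "cpanel": 0, "docroot": 0, "via_cpanel_page": 0,
        "first": None, "last": None, "agents": set(), "paths": [],
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_ip[rec["ip"]]
        s["total"] += 1
        s["cpanel" if is_cpanel_path(rec["path"]) else "docroot"] += 1
        if is_cpanel_path(urlsplit(rec["referer"]).path):
            s["via_cpanel_page"] += 1
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
        s["agents"].add(rec["agent"])
        s["paths"].append(rec["path"])
    return dict(by_ip)


def verdict(stats):
    """Plain-language classification of one IP's activity."""
    if stats["cpanel"] == stats["total"]:
        return "all requests are for cPanel-served paths, none for account files"
    if stats["cpanel"] == 0:
        return "only account document-root files requested"
    return "mixed: cPanel-served paths and account files"


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        span = f"{stats['first']:%Y-%m-%d %H:%M:%S} .. {stats['last']:%H:%M:%S}"
        print(f"{ip}: {stats['total']} req, {span}, agents={len(stats['agents'])}")
        print(f"  {verdict(stats)}; {stats['via_cpanel_page']} loaded via cPanel page")
        for p in stats["paths"]:
            print(f"    {'[cpanel]' if is_cpanel_path(p) else '[docroot]'} {p}")
```

Run against the thread's lines, the script reports the Bangladeshi address as four requests in a two-second window, all for cPanel-served paths, three of them image sub-resources whose Referer is the /cpanel page itself, which is exactly what a browser rendering that page produces. Point it at a real access_log or a domlog and the "docroot" and "mixed" verdicts become the ones worth reading closely.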
  3. walt (Member; joined Oct 30, 2015; Houston, Tx; cPanel Access Level: Website Owner)

    Apologies, I have had this account for years, and am just now trying to understand it and manage it better.

    My topmost directory in File Manager is /home2/myusername/.
    The logs above were in the folder /home2/myusername/logs.

    I did try going to the resources listed in the log, for example:
    my-site.com/img-sys/contentbox.jpg
    and I do see the images, which appear to be parts of a cPanel page.

    I'm wondering why they are accessible by just appending the URI to my web address, when I cannot even see these resources listed in my file manager. Also, I appear to have no control over the accessibility of these resources from outside. For example, mod_rewrite rules in the .htaccess file* don't seem to have any effect:
    Code:
    RewriteRule ^(.*)cpanel(.*)$ - [F,L]
    RewriteRule ^(.*)img-sys(.*)$ - [F,L]
    
    For now I have banned the IP address, but it doesn't seem like a good enough solution.
    What else might be accessible from outside, that I do not see listed in file manager? How can I trust my site?

    Apologies for the ramble.

    *The .htaccess file was in the public directory, I haven't tried modifying the htaccess in the home directory for fear I might break something.
     
  4. cPanelMichael (Forums Analyst, Staff Member; joined Apr 11, 2011; cPanel Access Level: Root Administrator)

    Hello :)

    It's important to keep in mind that you have limited control over the Apache configuration because you do not have root access to this server. You can report this issue to your web hosting provider if it's behavior you want them to help you to avoid.

    Thank you.
     
  5. walt (Member; joined Oct 30, 2015; Houston, Tx; cPanel Access Level: Website Owner)

    Hello, thanks for your input. I was hoping for a definite answer, for example: "What you are experiencing is not normal/ is a security risk/is ok because... ".

    The best support I was able to get from my provider was:
    "What happens when you go to address: http://my-web-site.com/cpanel"

    I responded but haven't heard back in days. However, the answer is becoming clear, upgrade from shared hosting.
    Also have to apologize to the author of the previous answer, I did not understand it.
     
  6. cPanelMichael (Forums Analyst, Staff Member; joined Apr 11, 2011; cPanel Access Level: Root Administrator)

    The information in the logs does not indicate a security risk. The access attempts are not on sensitive files, but you can report the issue to your hosting provider if you are concerned about the security of the server.

    Thank you.
     