The Community Forums

Interact with an entire community of cPanel & WHM users!

Unauthorized scanning detected.

Discussion in 'Security' started by frigid, Feb 10, 2015.

  1. frigid

    frigid Member

    I received an e-mail from AT&T telling me my cPanel has been sending out attempts to remote to other computers. I've had ModSecurity and cxswatch updated and running on here for over a year and neither caught anything. I also did a scan with rkhunter and ConfigServer Exploit Scanner and neither came up with anything. My firewall is set to block pretty much anything outbound other than general things like port 80, 443, and so on. Is there any way to tell which account is the culprit? I don't see any unusual activity on any of them, but it's hard to go through a couple hundred domains and manually look at the files.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Can you be more specific? Without the actual domain name or any other identifiable details, can you share that email itself here please?
     
  3. frigid

    frigid Member

    Sure. The problem is they won't give me a domain, just the IP of my server.

    But here is the e-mail:

     
  4. quizknows

    quizknows Well-Known Member

    Usually when I receive reports like this, the first thing I do is run 'ps faux' and look at all running processes. Often you'll find something running as an unprivileged user with a spoofed process name, i.e. crond, /usr/bin/host, something "out of place" that a normal user wouldn't be running.

    It's a lot harder to track down if the process isn't currently ongoing.
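
The check quizknows describes, as an added example that is not part of the original thread: it compares each unprivileged process's displayed name (argv[0]) with the binary that `/proc/PID/exe` really points to. `MIN_UID`, the trusted-path list and the sample records are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list processes whose displayed name hides the real binary.
MIN_UID=500                            # assumption: account UIDs start here
SYS='^/(usr|bin|sbin|lib|lib64|opt)/'  # assumption: trusted binary locations

# collect: print "uid<TAB>pid<TAB>exe<TAB>argv0" for each process (run as root).
collect() {
  local d uid exe argv0
  for d in /proc/[0-9]*; do
    uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)
    exe=$(readlink "$d/exe" 2>/dev/null)
    [ -n "$uid" ] && [ -n "$exe" ] || continue   # exited, or kernel thread
    argv0=$(tr '\0' '\n' 2>/dev/null < "$d/cmdline" | head -n 1)
    printf '%s\t%s\t%s\t%s\n' "$uid" "${d#/proc/}" "$exe" "$argv0"
  done
}

# classify: read those records on stdin, print "pid uid reason" for each lead.
classify() {
  awk -F'\t' -v min="$MIN_UID" -v sys="$SYS" '
    function base(p,   a, n) { n = split(p, a, "/"); return a[n] }
    $1 + 0 < min { next }            # skip root and system accounts
    {
      exe = $3; name = $4; why = ""
      sub(/^-/, "", name)            # login shells show as "-bash"
      sub(/[: ].*$/, "", name)       # drop titles such as "sshd: user@pts/0"
      be = base(exe); bn = base(name)
      alias = index(be, bn) > 0 || index(bn, be) > 0   # python vs python2.7
      if (exe ~ / \(deleted\)$/)                     why = "binary-deleted"
      else if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) why = "runs-from-temp"
      else if (name != "" && ((exe ~ sys) ? !alias : (name ~ sys || bn != be)))
        why = "name-mismatch"
      if (why != "") print $2, $1, why
    }'
}

sample_records() {   # constructed records, not taken from a real server
  printf '%s\t%s\t%s\t%s\n' \
    0    1    /usr/lib/systemd/systemd         /usr/lib/systemd/systemd \
    1001 2101 /usr/bin/perl                    crond \
    1002 2202 /home/acct2/public_html/.cache/a /usr/bin/host \
    1003 2303 '/tmp/.x/bot (deleted)'          httpd \
    1004 2404 /usr/bin/bash                    -bash \
    1004 2405 /usr/sbin/sshd                   'sshd: acct4@pts/0' \
    1005 2505 /usr/bin/python2.7               python \
    1006 2606 /dev/shm/k                       k
}

# Live use: pass --live; the default run classifies the constructed sample.
if [ "${1:-}" = "--live" ]; then collect | classify; else sample_records | classify; fi
```

Each output line is a lead to inspect by hand (owner, working directory, open sockets), not a verdict; legitimate wrappers can appear under `name-mismatch`.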
     
  5. frigid

    frigid Member

    That's what I was afraid of. It seems to happen every other day and since they don't give me a time it's proving to be nearly impossible to track down. I'm going to see if I see anything strange in the connection logs (people connecting from out of the country and the like).
     
  6. quizknows

    quizknows Well-Known Member

    That's really weak that they're not giving you logs; most abuse reports are considered worthless without time stamped logs of the allegedly abusive connections.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Who is your server's Hosting Provider, AT&T?
     
  8. frigid

    frigid Member

    What I pasted was all they gave me.

    Yes.
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Can you link me to the AT&T web hosting portal where they offer cPanel please? I'm curious and want to take a peek at it.
     
  10. frigid

    frigid Member

    Oh sorry, I read that wrong. AT&T is providing me internet; we have our own cPanel server in house.
     
  11. quizknows

    quizknows Well-Known Member

    You are definitely entitled to ask them for logs. I know I would.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    There is nothing in that email that mentions your cPanel server is doing anything incorrectly as far as I can tell.

    You're going to need to contact the abuse@ address mentioned in that email for more info. I don't see how anyone here can help you with something you can't even be sure is happening other than this one email saying so.
     
  13. frigid

    frigid Member

    I forwarded them the e-mail asking for more info. It had the IP of the server in the e-mail subject but that's the only spot that mentions it.
     