Understanding abusive access attempts in logs

Jan 1, 2019
Ahmedabad
cPanel Access Level
Root Administrator
I am getting many WHM panel hacking attempts; the IP address is from Linode (a hosting website). However, when I block the IP address they start the attack with a new IP address. See the logs below:

Code:
    198.58.xxx.xx - - [06/27/2019:09:16:47 -0000] "#ST" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:16:49 -0000] "
    nbei" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:16:50 -0000] " 400 0 "-" "-" "-" "-" 2086
    127.0.0.1 - - [06/27/2019:09:16:54 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:16:53 -0000] "GET / HTTP/1.0" 301 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:16:55 -0000] "OPTIONS / HTTP/1.0" 301 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:16:57 -0000] "OPTIONS / RTSP/1.0" 301 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:16:58 -0000] "�(r����|" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:00 -0000] "versionbind" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:01 -0000] "
    " 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:03 -0000] "HELP" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:04 -0000] "SO?G���,��`~���{�Ֆ�w����<=�o�n(" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:06 -0000] "*%�Cookie: mstshash=beio" 301 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:07 -0000] "ieU��random1random2random3random4
    /" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:09 -0000] "qj�n0�k��" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:10 -0000] "��[email protected]@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12" 301 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:12 -0000] "l
    " 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:13 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 301 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:15 -0000] "default" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:16 -0000] "0�-c�$" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:18 -0000] "0
    `�" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:19 -0000] "OPTIONS sip:nm SIP/2.0" 301 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:20 -0000] "TNMPTNME" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:21 -0000] "
    �" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:23 -0000] "DmdT��" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:24 -0000] ":/@=/@" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:26 -0000] "JRMI" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:27 -0000] "���
    ��MMS����
    NSPlayer/9...98; {AA-A-a-AAA-AAAAA}�m�" 401 0 "-" "-" "-" "-" 2086

    ==> /usr/local/cpanel/logs/error_log <==
    [2019-06-27 05:17:29 -0400] warn [whostmgrd] (XID qpdj7c) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3194, <GEN791> line 1.
    cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1729
    cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1267
    cpanel::cpsrvd::handle_one_connection(10) called at cpsrvd.pl line 1090
    cpanel::cpsrvd::script() called at cpsrvd.pl line 422

    ==> /usr/local/cpanel/logs/access_log <==
    198.58.xxx.xx - - [06/27/2019:09:17:29 -0000] "Z6 :�(CONNECT_DATA=(COMMAND=version)" 401 0 "-" "-" "-" "-" 2086

    ==> /usr/local/cpanel/logs/error_log <==
    [2019-06-27 05:17:30 -0400] warn [whostmgrd] (XID qpdj7c) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3194, <GEN792> line 1.
    cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1729
    cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1267
    cpanel::cpsrvd::handle_one_connection(10) called at cpsrvd.pl line 1090
    cpanel::cpsrvd::script() called at cpsrvd.pl line 422

    ==> /usr/local/cpanel/logs/access_log <==
    198.58.xxx.xx - - [06/27/2019:09:17:30 -0000] "4
    UMSSQLServerH" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:32 -0000] "" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:33 -0000] "GIOP$abcdefget" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:35 -0000] "��+<M��nonebeio" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:36 -0000] " 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:38 -0000] "�[email protected]=iqn.1991-05.com.microsoft:beio-iscsi-probeSessionType=DiscoveryAuthMethod=None" 400 0 "-" "-" "-" "-" 2086
    198.58.xxx.xx - - [06/27/2019:09:17:39 -0000] "�ANY-SCPFINDSCU1.2.840.10008.3.1.1.1 [email protected]:[email protected]
    CharruaVist" 401 0 "-" "-" "-" "-" 2086

    ==> /usr/local/cpanel/logs/error_log <==
    [2019-06-27 05:17:41 -0400] warn [whostmgrd] (XID qpdj7c) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3194, <GEN799> line 1.
    cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1729
    cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1267
    cpanel::cpsrvd::handle_one_connection(10) called at cpsrvd.pl line 1090
    cpanel::cpsrvd::script() called at cpsrvd.pl line 422

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I assume you are blocking with the CSF firewall.
If they are all coming from 198.58.x.x, have you considered adding a Class C block?

Let's assume 198.58.3.x.
Try adding 198.58.3.0/24 # do not delete - add any comments to help identify why you set the rule
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @Prakash K. Lakhara,

While mitigating attacks falls outside our support scope, we can better point you in the right direction with access to the affected system. Can you open a support ticket so we can take a closer look and see what's happening? You can post the ticket number here once it's opened and I'll link this thread to it.

Thank you.