unknown ip in my access log

chanklish

Well-Known Member
May 22, 2015
63
0
6
kinshasa
cPanel Access Level
Root Administrator
Hello awesome people,
So I am checking my access log and I find several things and IPs I do not know, like - Removed - and such.
What are these exactly? I have 2FA, access host control only to my IP, cPHulk and firewall enabled. Am I hacked?

- PDF file removed -

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Mod, why was the attachment removed? How can I show my log then?!
My apologies, I don't know you and have no need to see something in PDF format. These days that's a bad idea all around. We don't need actual domain names or IP addresses posted to these forums. Please review this thread for more details:
Guide To Opening An Effective Forums Thread

If you suspect your server might have been compromised, you might want to hire someone to take a closer look for you:
System Administration Services | cPanel Forums

Analyzing a compromised server on the forums is not the best way to go here, I don't think.
 

Infopro

Please feel free to post a snip of the log output wrapped in bbcode code tags with partially obfuscated IP addresses. We don't know what the problem is, but there's no need to display the actual IPs from your log, on a public forum. (Even if it is a bad guy.)

That might be helpful here.
 

chanklish

Hi Infopro,
these are two examples:

Code:
139.194.12x.xxx - - [01/01/2017:16:30:27 -0000] "GET /cPanel_magic_revision_1472153805/unprotected/cpanel/images/whm-logo_white.svg HTTP/1.1" 200 0 "https://server.example.com:2087/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" "-" 2087
139.194.12x.xxx - - [01/01/2017:16:30:27 -0000] "GET /cPanel_magic_revision_1472153805/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "https://server.example.com:2087/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" "-" 2087
139.194.12x.xxx - - [01/01/2017:16:30:27 -0000] "GET /cPanel_magic_revision_1472153805/unprotected/cpanel/images/notice-error.png HTTP/1.1" 200 0 "https://server.example.com:2087/cPanel_magic_revision_1472153805/unprotected/cpanel/style_v2_optimized.css" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" "-" 2087
139.194.12x.xxx - - [01/01/2017:16:30:27 -0000] "GET /cPanel_magic_revision_1386192033/unprotected/cpanel/fonts/open_sans/OpenSans-Regular-webfont.woff HTTP/1.1" 200 0 "https://server.example.com:2087/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.css" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" "-" 2087
139.194.12x.xxx - - [01/01/2017:16:30:28 -0000] "GET /cPanel_magic_revision_1386192033/unprotected/cpanel/fonts/open_sans/OpenSans-Semibold-webfont.woff HTTP/1.1" 200 0 "https://server.example.com:2087/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.css" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" "-" 2087

Code:
71.6.146.xxx - - [12/27/2016:20:39:17 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-" "-" 2083
- - - [12/27/2016:20:39:18 -0000] "-" 301 0 "" "-" "-" "-" 2082
- - - [12/27/2016:20:39:18 -0000] "-" 301 0 "" "-" "-" "-" 2082
- - - [12/27/2016:20:39:23 -0000] "-" 301 0 "" "-" "-" "-" 2082
127.0.0.1 - - [12/27/2016:20:40:20 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "" "-" "-" "-" 2086
127.0.0.1 - - [12/28/2016:03:56:56 -0000] "GET / HTTP/1.1" 401 0 "" "HTTP-Tiny/0.058" "-" "-" 2086
66.240.219.xxx - - [12/28/2016:07:24:02 -0000] "GET / HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" "-" "-" 2086
66.240.219.xxx - - [12/28/2016:07:24:05 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-" "-" 2087
139.194.12x.xxx - - [01/01/2017:16:30:28 -0000] "GET /cPanel_magic_revision_1472153805/unprotected/cpanel/images/cp-logo_white.svg HTTP/1.1" 200 0 "https://server.example.com:2087/cPanel_magic_revision_1472153805/unprotected/cpanel/style_v2_optimized.css" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" "-" 2087

chanklish

Have you noticed the dates on these entries?
Yes, but I have similar entries in 2019:
Code:
172.104.133.xxx - - [12/10/2018:17:04:38 -0000] "-" 401 0 "-" "-" "-" "-" 2083
172.104.133.xxx - - [12/10/2018:17:04:39 -0000] "-" 401 0 "-" "-" "-" "-" 2083
Code:
46.188.107.xxx - - [12/10/2018:23:35:49 -0000] "-" 401 0 "-" "-" "-" "-" 2083
176.14.10.xx - - [12/10/2018:23:35:51 -0000] "-" 401 0 "-" "-" "-" "-" 2083
Code:
95.28.230.1xx - - [12/12/2018:13:18:44 -0000] "-" 401 0 "-" "-" "-" "-" 2083
128.72.43.xx7 - - [12/12/2018:13:18:44 -0000] "-" 401 0 "-" "-" "-" "-" 2087
46.42.129.xxx - - [12/12/2018:13:18:44 -0000] "-" 401 0 "-" "-" "-" "-" 2083
188.244.34.1xx - - [12/12/2018:13:18:44 -0000] "-" 401 0 "-" "-" "-" "-" 2087
176.193.125.xx - - [12/12/2018:13:18:44 -0000] "-" 401 0 "-" "-" "-" "-" 2096
37.204.192.1xx - - [12/12/2018:13:18:50 -0000] "-" 401 0 "-" "-" "-" "-" 2083
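
An added example, not part of the thread or of cPanel's tooling: a small triage script for log lines in the format posted above, separating sources that were only refused (401) or only fetched `/unprotected/` login-page assets from sources that got anything else. The field layout is inferred from the posted lines, the third field is assumed to hold the authenticated username as in common log format, and the `trusted` list and sample lines are constructed.

```python
import re
from collections import defaultdict

# Layout inferred from the lines posted in this thread (an assumption, not
# cPanel documentation): host ident user [time] "request" status bytes
# "referer" "user-agent" "-" "-" port
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ (?:"[^"]*" ){4}(?P<port>\d+)$'
)

def summarize(lines):
    """Per-source counters: total hits, 401s, ports touched, and hits that
    carried a username or got a 200 outside an /unprotected/ path."""
    stats = defaultdict(lambda: {"total": 0, "denied": 0, "authed": 0, "ports": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not fit the layout
        s = stats[m["host"]]
        s["total"] += 1
        s["ports"].add(int(m["port"]))
        if m["status"] == "401":
            s["denied"] += 1
        elif m["user"] != "-" or (m["status"] == "200" and "/unprotected/" not in m["request"]):
            s["authed"] += 1
    return dict(stats)

def needs_review(stats, trusted=("127.0.0.1",)):
    """Sources outside `trusted` with at least one non-denied, non-static hit."""
    return sorted(h for h, s in stats.items() if h not in trusted and s["authed"])

# Constructed sample: documentation-range addresses; the last path is made up.
SAMPLE = [
    '198.51.100.7 - - [12/10/2018:17:04:38 -0000] "-" 401 0 "-" "-" "-" "-" 2083',
    '198.51.100.7 - - [12/10/2018:17:04:39 -0000] "-" 401 0 "-" "-" "-" "-" 2087',
    '203.0.113.9 - - [01/01/2017:16:30:27 -0000] "GET /cPanel_magic_revision_1472153805/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "https://server.example.com:2087/" "Mozilla/5.0" "-" "-" 2087',
    '127.0.0.1 - - [12/27/2016:20:40:20 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "" "-" "-" "-" 2086',
    '192.0.2.44 - root [01/02/2017:09:00:00 -0000] "GET /constructed/path HTTP/1.1" 200 0 "" "Mozilla/5.0" "-" "-" 2087',
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for host, s in sorted(stats.items()):
        print(host, "hits:", s["total"], "401s:", s["denied"], "ports:", sorted(s["ports"]))
    print("review:", needs_review(stats))
```

Put your own management address in `trusted` so that only unexpected sources are listed.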