User Account Password Keeps Changing

[SDSurfer]

Issue: The user Cpanel and FTP account, let's call it main-account, password has changed twice in the last couple weeks, no one internally has changed it. I am able log in to WHM and reset it to a new password. No evidence of unauthorized modification of the account or files (YET!)

The details:

WHM 11.42.1 (build 5)
Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.0-fips mod_bwlimited/1.4 (heartbleed patch applied)
Godaddy VPS

Two Cpanel accounts: one for the web site and the other is merely for redirection so we have control via .htaccess

Website architecture: All semi-static PHP with an (updated) Wordpress install at /blog. Fairly straightforward.

My experience level: Moderate to good experience with WHM, have at least 10 WHM/Cpanel installs/configurations at my disposal, mostly a mid-level site developer/programmer. I am not a systems administrator but know enough to get done what needs to get done (SSH, Install modules, set up SSL, install extensions, read logs, etc.) Been at it 17 years.

What I've tried: various searches and have a ticket in to support, but they have their hands full with heartbleed right now, no response as of yet.

What I know: This may be unrelated but the best I can find (see NOT a sysadmin) is requests to this URL:

[South Asia IP address] - main-account [04/09/2014:00:12:02 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "" "-"

It looks to me to be an attempt to hack at main-account's Cpanel login, but I don't know if it's even related.

It appears to be automated, every few seconds, and of course comes from several different IP's, all of which I've dropped

iptables -I INPUT -s [the ip address] -j DROP

That's obviously only a temporary fix, of course the IP's can change at any time.

The questions:

- Is there anything non-malicious that could cause a Cpanel account user's password to drop or change?

- If not, what's the best way to sort out how and when that password got changed or dropped?

- We're looking at "Limit logins to verified IP Addresses" under security. This site has no email (handled by MS Exchange server.) If we make use of this, are there any other services we need to be aware of other than CPanel and WHM?

- Once we find out HOW the password is getting changed, what's the best course of prevention?

Thank you in advance for any help you can provide.

 

[cPanelMichael]

Hello

Are you sure the password has actually been changed? For instance, is it possible the account was locked out by cPHulk brute force detection? You can check the cPHulk logs via the "Login/Brute Force History" tab in:

"WHM Home » Security Center » cPHulk Brute Force Protection"

Thank you.

 

[SDSurfer]

Hello
Are you sure the password has actually been changed? For instance, is it possible the account was locked out by cPHulk brute force detection? You can check the cPHulk logs via the "Login/Brute Force History" tab in:

Thank you, sorry, I guess I hadn't covered all details. My IP address is whitelisted in CPHulk. It has a 5 retry limit.

Typical scenario: I'm working on this site almost every day. Using Filezilla (see below) I'm FTP'ing changes over, no problem.

Next day I go to move files, Login fails. I go to the CP, attemt login, fails.

Go to WHM, reset the pass, it's fine.

Two days later, same thing.

As for FileZilla, it is NOT in Kiosk mode, no plain text passwords are stored. Require explicit FTP over TLS with proper keys. AVG/Malware is up to date, sure Filezilla is not the problem. I manage many other sites over WHM/Cpanel.

 

[cPanelMichael]

While it's possible the password is being changed due to an exploited server, it's likely a good idea to rule out any other causes first. Could you let us know if you notice any particular entries in /var/log/messages or /usr/local/cpanel/logs/login_log when the FTP and cPanel logins fail?

Thank you.

 

[SDSurfer]

While it's possible the password is being changed due to an exploited server, it's likely a good idea to rule out any other causes first. Could you let us know if you notice any particular entries in /var/log/messages or /usr/local/cpanel/logs/login_log when the FTP and cPanel logins fail?

Agreed, thank you! Although I'm not sure what I'm looking for, some of this may be superflous.

/var/log/messages, thousands of these, Presume those are system services (??):

Apr 7 02:11:04 [server-ip]9 pure-ftpd: (__cpanel__service__auth__ftpd__shJiS73gWuZMzbDRBC5AYx1QWTJMP5y6vJh_ytLzm4ygqI9ZM4bzr7N8oDzFUjjV$
Apr 7 02:16:03 [server-ip]9 pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1

Although the offending IP's don't show in messages, there are literally thousands, hundreds of thousands, of attempts for various user names. :-(

Apr 1 03:43:40 [server-ip]9 pure-ftpd: ([email protected][suspicious IP]) [INFO] New connection from [suspicious IP]
Apr 1 03:43:46 [server-ip]9 pure-ftpd: ([email protected][suspicious IP]) [WARNING] Authentication failed for user [[email protected]]

For my IP, this is one of the instances of failed logins. I manually scanned the log for the previous couple days, no sign of other users logging in.

Apr 7 14:31:45 [server ip] pure-ftpd: ([email protected][my ip address]) [WARNING] Authentication failed for user [main-account]
Apr 7 14:32:23 server ip] pure-ftpd: ([email protected][my ip address]) [WARNING] Authentication failed for user [main-account]

Immediately followed by a successful login after I reset the password via WHM.

/usr/local/cpanel/logs/login_log:

grep [one of the offending ip's] /usr/local/cpanel/logs/login_log

hundreds of entries for

[two of the offending ip's] - main-account [04/09/2014:00:11:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN cpaneld: brute force attempt (user main-account) has locked out IP [one of the offending ip's]

See above, dropped them via the ip tables; you will recognize that UEL from my previous post.

20 or so entries for

[different offending ip] - main-account [03/05/2014:21:04:03 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password

Although in one of the instances, it gives "locked out" then "login failed" then "locked out again.

I did see one entry for my IP that is confusing:

[my ip address] - main-account [04/07/2014:21:33:46 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN cpaneld: brute force attempt (user main-account) has locked out IP [my ip address]

How am I locked out? I am whitelisted in CPHulk, and even if it were a glitch with that, I'm vary aware it is set for max 5 failed logins, I don't recall failing more than once or twice, via CP, WHM, or SSH logins.

If there's any more queries or you'd like a zip of any logs, I'd be glad to provide them. Thanks again, first sign of progress here!

 

[SDSurfer]

Ack. Just re-checked the CPHulk settings. All entries removed, blacklist and whitelist, checked it just the other day.

 

[cPanelMichael]

Ack. Just re-checked the CPHulk settings. All entries removed, blacklist and whitelist, checked it just the other day.

Could you verify if the issue continues after re-adding your IP address to the whitelist?

Thank you.

 

[SDSurfer]

Well, I've been monitoring it daily, now I'll monitor the white/blacklist as well. It seems random, so far there are only the two instances I mentioned, the last being on the 7th, the first on (I believe) the 5th.