WHM/cPanel root access alert from unrecognizable IP address.

[ameran]

Hi,
I have received the message listed below, that my server was accessed by an IP address, which I can not recognize. I looked on the internet and this kind of IP address could not be recognized. Does anyone know if this is okay or I should be worried about that? I really appreciate it.

lfd on server.mydomain.com: WHM/cPanel root access alert from 10.2.0.11 (-/-/-)

Thanks,
ameran

 

[Spork Schivago]

I believe 10.2.0.11 is a class A private IP address and cannot be used on the internet. Only on a local network. Perhaps the IP is spoofed?

 

[ameran]

Spork Schivago,
What do you mean that the IP is spoofed? And, who could use a Class A IP to access my Root? I really appreciate any explanation, that I can understand this.

Thanks,
ameran

 

[24x7server]

Hello ,

Do you have setup private network on your server? You can check this with ifconfig command, check if you have any private IP added on your server. If you have private IP on your server, then please ask your DC to check 10.2.0.11 IP on their network

 

[ameran]

24x7Server,
Thank you for your respond. I did run the command ifconfig and I didn't find anything about the private IP address. Then, I contacted my server provider. They told me that these private IPs are from their internal networks. They login to servers when any updates needs to be done. I guess, I should not be worried anymore.

Best,
ameran

 

[Spork Schivago]

Spork Schivago,
What do you mean that the IP is spoofed? And, who could use a Class A IP to access my Root? I really appreciate any explanation, that I can understand this.

Thanks,
ameran

Ameran,

Don't mistake Class A IP addresses from Class A Private IP addresses. Anyone with a Class A IP address could try to access your account, but with any private IP address, whether it's Class A, Class B or Class C, if you're seeing them in your logs, they're either from a computer connected on the local area network (also referred to as an internal network) or their spoofed. In your case, it was from the hosting provider connected to the same network as your PC.

I'm glad you figured it out. I too have my hosting provider connecting to my machine to do various things. I hope I didn't confuse you with my explanation. If you'd like more information on what a private IP address is and why they're used, you can check out this link here: What is a Private IP Address?

Thanks.

 

[syslint]

As your server provider said , it is their local IP . But it is not good to update your server without informing you. Are you sure they accessed for updation !!!!!

 

[cPanelMichael]

Then, I contacted my server provider. They told me that these private IPs are from their internal networks. They login to servers when any updates needs to be done. I guess, I should not be worried anymore.

Hello

I am happy to see you were able to determine the source of those login entries. Thank you for updating us with the outcome.

 

[quizknows]

As your server provider said , it is their local IP . But it is not good to update your server without informing you. Are you sure they accessed for updation !!!!!

if it is a "managed" server you almost expect them to do the updates. If it is an "unmanaged" server then I might be concerned.

Of course you can check the bash history, /var/log/secure, /var/log/yum.log, and other relevant logs if you are concerned.

 

[24x7server]

24x7Server,
Thank you for your respond. I did run the command ifconfig and I didn't find anything about the private IP address. Then, I contacted my server provider. They told me that these private IPs are from their internal networks. They login to servers when any updates needs to be done. I guess, I should not be worried anymore.

Best,
ameran

Yes, Don't worry about this login alert, Might be they have updated glibc package on your server.

Google Online Security Blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
CVE-2015-0235 GHOST - cPanel Knowledge Base - cPanel Documentation
cPanel Security Team: glibc CVE-2015-7547