
WHM/cPanel root access alert from unrecognizable IP address.

Discussion in 'Security' started by ameran, Feb 20, 2016.

  1. ameran

    ameran Member

    Hi,
    I have received the message listed below, saying that my server was accessed by an IP address which I cannot recognize. I looked on the internet and this kind of IP address could not be recognized. Does anyone know if this is okay or if I should be worried about it? I would really appreciate it.

    lfd on server.mydomain.com: WHM/cPanel root access alert from 10.2.0.11 (-/-/-)

    Thanks,
    ameran
     
  2. Spork Schivago

    Spork Schivago Well-Known Member

    I believe 10.2.0.11 is a class A private IP address and cannot be used on the internet. Only on a local network. Perhaps the IP is spoofed?
     
  3. ameran

    ameran Member

    Spork Schivago,
    What do you mean that the IP is spoofed? And who could use a Class A IP to access my root? I would really appreciate any explanation, so that I can understand this.

    Thanks,
    ameran
     
  4. 24x7server

    24x7server Well-Known Member

    Hello :),

    Do you have a private network set up on your server? You can check this with the ifconfig command; check whether you have any private IP added on your server. If you have a private IP on your server, then please ask your DC to check the 10.2.0.11 IP on their network.
     
  5. ameran

    ameran Member

    24x7Server,
    Thank you for your response. I did run the command ifconfig and I didn't find anything about the private IP address. Then I contacted my server provider. They told me that these private IPs are from their internal networks. They log in to servers when any updates need to be done. I guess I should not be worried anymore.

    Best,
    ameran
     
  6. Spork Schivago

    Spork Schivago Well-Known Member

    Ameran,

    Don't mistake Class A IP addresses for Class A Private IP addresses. Anyone with a Class A IP address could try to access your account, but with any private IP address, whether it's Class A, Class B or Class C, if you're seeing them in your logs, they're either from a computer connected on the local area network (also referred to as an internal network) or they're spoofed. In your case, it was from the hosting provider connected to the same network as your PC.

    I'm glad you figured it out. I too have my hosting provider connecting to my machine to do various things. I hope I didn't confuse you with my explanation. If you'd like more information on what a private IP address is and why they're used, you can check out this link here: What is a Private IP Address?

    Thanks.
     
  7. syslint

    syslint Well-Known Member

    As your server provider said, it is their local IP. But it is not good to update your server without informing you. Are you sure they accessed it for an update?! :eek:
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I am happy to see you were able to determine the source of those login entries. Thank you for updating us with the outcome.
     
  9. quizknows

    quizknows Well-Known Member

    If it is a "managed" server you almost expect them to do the updates. If it is an "unmanaged" server then I might be concerned.

    Of course you can check the bash history, /var/log/secure, /var/log/yum.log, and other relevant logs if you are concerned.
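
An added example, not part of any post in this thread: one way to triage the alert discussed above is to classify its source address against the RFC 1918 private ranges and then count accepted root SSH logins per source in `/var/log/secure`. The alert subject is the one quoted in the first post; the log lines, the function names and the sshd line pattern used here are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges listed explicitly: ipaddress.is_private also covers
# documentation and other reserved ranges, which would blur the result.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALERT_RE = re.compile(r"root access alert from (\S+) \(")
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for root from (\S+) port \d+")

def classify(ip_text):
    """Return 'loopback', 'private' (RFC 1918) or 'public' for an address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    return "private" if any(ip in net for net in RFC1918) else "public"

def alert_source(subject):
    """Extract the source IP from an lfd root access alert subject."""
    m = ALERT_RE.search(subject)
    return m.group(1) if m else None

def root_logins(lines):
    """Count accepted root SSH logins per source IP (failures are ignored)."""
    hits = Counter()
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            hits[m.group(2)] += 1
    return hits

def review(subject, lines):
    """Summarise the alert source and any other sources of root SSH logins."""
    src = alert_source(subject)
    logins = root_logins(lines)
    return {
        "alert_ip": src,
        "alert_scope": classify(src) if src else None,
        "ssh_root_from_alert_ip": logins.get(src, 0),
        "ssh_root_other": sorted((ip, classify(ip)) for ip in logins if ip != src),
    }

SUBJECT = "lfd on server.mydomain.com: WHM/cPanel root access alert from 10.2.0.11 (-/-/-)"
SECURE = [  # constructed sample lines in the usual sshd syslog layout
    "Feb 20 03:14:07 server sshd[2211]: Accepted publickey for root from 10.2.0.11 port 51544 ssh2",
    "Feb 20 03:20:41 server sshd[2304]: Failed password for root from 203.0.113.7 port 40022 ssh2",
    "Feb 20 04:02:19 server sshd[2410]: Accepted password for root from 198.51.100.23 port 39110 ssh2",
]

if __name__ == "__main__":
    print(review(SUBJECT, SECURE))
```

A "private" result only says the address is not routable on the internet; who holds it on the local network still has to be confirmed with the provider, as was done in this thread.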
     
  10. 24x7server

    24x7server Well-Known Member

    Yes, don't worry about this login alert. It might be that they have updated the glibc package on your server.

    Google Online Security Blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
    CVE-2015-0235 GHOST - cPanel Knowledge Base - cPanel Documentation
    cPanel Security Team: glibc CVE-2015-7547
     