WHM/cPanel root access alert from unrecognizable IP address.

ameran

Member
Jan 31, 2016
8
0
1
USA
cPanel Access Level
Website Owner
Hi,
I have received the message listed below, that my server was accessed by an IP address, which I can not recognize. I looked on the internet and this kind of IP address could not be recognized. Does anyone know if this is okay or I should be worried about that? I really appreciate it.

lfd on server.mydomain.com: WHM/cPanel root access alert from 10.2.0.11 (-/-/-)

Thanks,
ameran
 

ameran

Member
Jan 31, 2016
8
0
1
USA
cPanel Access Level
Website Owner
Spork Schivago,
What do you mean that the IP is spoofed? And, who could use a Class A IP to access my Root? I really appreciate any explanation, that I can understand this.

Thanks,
ameran
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter
Hello :),

Do you have setup private network on your server? You can check this with ifconfig command, check if you have any private IP added on your server. If you have private IP on your server, then please ask your DC to check 10.2.0.11 IP on their network
 

ameran

Member
Jan 31, 2016
8
0
1
USA
cPanel Access Level
Website Owner
24x7Server,
Thank you for your respond. I did run the command ifconfig and I didn't find anything about the private IP address. Then, I contacted my server provider. They told me that these private IPs are from their internal networks. They login to servers when any updates needs to be done. I guess, I should not be worried anymore.

Best,
ameran
 

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Spork Schivago,
What do you mean that the IP is spoofed? And, who could use a Class A IP to access my Root? I really appreciate any explanation, that I can understand this.

Thanks,
ameran
Ameran,

Don't mistake Class A IP addresses from Class A Private IP addresses. Anyone with a Class A IP address could try to access your account, but with any private IP address, whether it's Class A, Class B or Class C, if you're seeing them in your logs, they're either from a computer connected on the local area network (also referred to as an internal network) or their spoofed. In your case, it was from the hosting provider connected to the same network as your PC.

I'm glad you figured it out. I too have my hosting provider connecting to my machine to do various things. I hope I didn't confuse you with my explanation. If you'd like more information on what a private IP address is and why they're used, you can check out this link here: What is a Private IP Address?

Thanks.
 

syslint

Well-Known Member
Verifed Vendor
Oct 9, 2006
268
7
168
India
cPanel Access Level
Root Administrator
Twitter
As your server provider said , it is their local IP . But it is not good to update your server without informing you. Are you sure they accessed for updation !!!!! :eek:
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,225
463
Then, I contacted my server provider. They told me that these private IPs are from their internal networks. They login to servers when any updates needs to be done. I guess, I should not be worried anymore.
Hello :)

I am happy to see you were able to determine the source of those login entries. Thank you for updating us with the outcome.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
As your server provider said , it is their local IP . But it is not good to update your server without informing you. Are you sure they accessed for updation !!!!! :eek:
if it is a "managed" server you almost expect them to do the updates. If it is an "unmanaged" server then I might be concerned.

Of course you can check the bash history, /var/log/secure, /var/log/yum.log, and other relevant logs if you are concerned.
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter
24x7Server,
Thank you for your respond. I did run the command ifconfig and I didn't find anything about the private IP address. Then, I contacted my server provider. They told me that these private IPs are from their internal networks. They login to servers when any updates needs to be done. I guess, I should not be worried anymore.

Best,
ameran
Yes, Don't worry about this login alert, Might be they have updated glibc package on your server.

Google Online Security Blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
CVE-2015-0235 GHOST - cPanel Knowledge Base - cPanel Documentation
cPanel Security Team: glibc CVE-2015-7547