WHM/cPanel root access alert - Possible Hack

monkey64

Well-Known Member
Nov 6, 2011
cPanel Access Level
Root Administrator
CSF sent me this friendly email this morning:

Code:
lfd on myservername.com: 
WHM/cPanel root access alert from 141.0.32.125 (GB/United Kingdom/unknown.griffin.com)
It was surprising to say the least because I have allowed only 2 IPs root access and this is not one of them! I checked /var/log/secure which does not show anything out of the ordinary in terms of root logins:

Code:
Oct 25 06:13:00 server atd[28703]: pam_unix(atd:session): session opened for user root by (uid=0)
Oct 25 06:13:36 server atd[28703]: pam_unix(atd:session): session closed for user root
Oct 25 18:04:46 server sshd[5030]: Accepted publickey for root from 123.456.789 port 50094 ssh2
Oct 25 18:04:46 server sshd[5030]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 25 18:04:47 server sshd[5030]: subsystem request for sftp
Oct 25 18:12:37 server sshd[6853]: Accepted publickey for root from 123.456.789 port 50222 ssh2
Oct 25 18:12:37 server sshd[6853]: pam_unix(sshd:session): session opened for user root by (uid=0)
CSF blocks any more than 5 failed logins to the main WHM login page, but my IPs are whitelisted. And my SSH access is secured by public keys.

/usr/local/cpanel/logs/access_log does not show anything apart from my work colleagues accessing their webmail through Roundcube. I have changed the root login and blocked this IP but I am perplexed to say the least. And worried.

What else can I view to gain an understanding of what has happened and what action should I take?

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Do you see this IP address in any other logs on your system (e.g. Apache access logs, /var/log/messages, cPanel error log)? Are you reviewing the same server mentioned in the email sent to you (some customers have multiple servers with alerts going to the same email address)?

Thank you.
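A small script for the log review cPanelMichael suggests, added here as an example and not taken from the thread or from cPanel/CSF. It searches several log files for one IP as a whole token (so that 192.0.2.1 does not also match 192.0.2.10), reports per-file hit counts, and lists the cPanel/WHM usernames that appear next to that IP in a cPanel-style access_log. The log lines are constructed samples in the 192.0.2.0/24 documentation range written to a temporary directory; the file names mirror /var/log/secure, /usr/local/cpanel/logs/access_log and /var/log/messages but the exact line formats on a real server vary by version, and the access_log field layout (client IP first, username third) is an assumption to check against your own file.

```shell
#!/bin/sh
# Added example (not from the thread): look for one IP across several logs,
# then list which cPanel/WHM accounts that IP used. Sample lines below are
# constructed; 192.0.2.0/24 is a documentation range.
set -eu

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed /var/log/secure excerpt: only the admin's own IP appears here.
cat > "$LOGDIR/secure" <<'EOF'
Oct 25 18:04:46 server sshd[5030]: Accepted publickey for root from 192.0.2.1 port 50094 ssh2
Oct 25 18:04:46 server sshd[5030]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF

# Constructed cPanel access_log excerpt (assumed layout: IP - user [time] "request" status bytes).
cat > "$LOGDIR/cpanel_access_log" <<'EOF'
192.0.2.10 - root [10/25/2011:06:12:58 -0000] "GET /login/?login_only=1 HTTP/1.1" 200 0 "" "Mozilla/5.0"
192.0.2.10 - root [10/25/2011:06:13:00 -0000] "GET /cpsess1234567890/ HTTP/1.1" 200 1234 "" "Mozilla/5.0"
192.0.2.1 - alice [10/25/2011:09:00:01 -0000] "GET /webmail/ HTTP/1.1" 200 5678 "" "Mozilla/5.0"
EOF

# Constructed /var/log/messages excerpt with no trace of the alerting IP,
# so the report also shows which files are clean.
cat > "$LOGDIR/messages" <<'EOF'
Oct 25 06:10:01 server crond[4321]: (root) CMD (/usr/local/cpanel/scripts/upcp --cron)
EOF

# Count lines in FILE containing IP as a whole token.
# -F: literal match (dots are not wildcards); -w: token boundaries,
# so 192.0.2.1 does not match inside 192.0.2.10.
ip_hits() {
    file=$1
    ip=$2
    grep -Fwc -- "$ip" "$file" || true
}

# Distinct usernames seen from IP in a cPanel-style access_log
# (assumed: client IP is field 1, username is field 3), space separated.
ip_users() {
    file=$1
    ip=$2
    awk -v ip="$ip" '$1 == ip { print $3 }' "$file" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print a hit count for IP in every file given after it.
report() {
    ip=$1
    shift
    for f in "$@"; do
        printf '%s: %s hit(s)\n' "$f" "$(ip_hits "$f" "$ip")"
    done
}

# Usage: search for the IP named in the lfd alert.
ALERT_IP=192.0.2.10
echo "Searching logs for $ALERT_IP"
report "$ALERT_IP" "$LOGDIR/secure" "$LOGDIR/cpanel_access_log" "$LOGDIR/messages"
echo "cPanel/WHM users seen from $ALERT_IP: $(ip_users "$LOGDIR/cpanel_access_log" "$ALERT_IP")"
```

On a real server the same functions are run against the live files (and their rotated copies), and a zero count in /var/log/secure next to hits for root in the cPanel access_log is exactly the pattern the alert describes: a WHM session rather than an SSH login. Add Apache's access logs and the cPanel error log to the file list if you want the full picture Michael asks about.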