The Community Forums


WHM/cPanel root access alert - Possible Hack

Discussion in 'General Discussion' started by monkey64, Oct 25, 2013.

  1. monkey64

    monkey64 Well-Known Member

    cPanel Access Level:
    Root Administrator
    CSF sent me this friendly email this morning:

    Code:
    lfd on myservername.com: 
    WHM/cPanel root access alert from 141.0.32.125 (GB/United Kingdom/unknown.griffin.com)
    
    It was surprising to say the least because I have allowed only 2 IPs root access and this is not one of them! I checked /var/log/secure which does not show anything out of the ordinary in terms of root logins:

    Code:
    Oct 25 06:13:00 server atd[28703]: pam_unix(atd:session): session opened for user root by (uid=0)
    Oct 25 06:13:36 server atd[28703]: pam_unix(atd:session): session closed for user root
    Oct 25 18:04:46 server sshd[5030]: Accepted publickey for root from 123.456.789 port 50094 ssh2
    Oct 25 18:04:46 server sshd[5030]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Oct 25 18:04:47 server sshd[5030]: subsystem request for sftp
    Oct 25 18:12:37 server sshd[6853]: Accepted publickey for root from 123.456.789 port 50222 ssh2
    Oct 25 18:12:37 server sshd[6853]: pam_unix(sshd:session): session opened for user root by (uid=0)
    
    CSF blocks any more than 5 failed logins to the main WHM login page, but my IPs are whitelisted. And my SSH access is secured by public keys.

    /usr/local/cpanel/logs/access_log does not show anything apart from my work colleagues accessing their webmail through Roundcube. I have changed the root login and blocked this IP but I am perplexed to say the least. And worried.

    What else can I view to gain an understanding of what has happened and what action should I take?
     
    #1 monkey64, Oct 25, 2013
    Last edited: Oct 25, 2013
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Do you see this IP address in any other logs on your system (e.g. Apache access logs, /var/log/messages, cPanel error log)? Are you reviewing the same server mentioned in the email sent to you (some customers have multiple servers with alerts going to the same email address)?

    Thank you.
     
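As an added example (not code from the thread, from cPanel or from CSF), the following POSIX shell script does the log sweep cPanelMichael describes: it pulls the source IP out of an lfd alert line of the form shown in the first post, counts the lines in each log that mention that IP, and checks whether the IP is listed in csf.allow. The log locations it stands in for (/usr/local/cpanel/logs/access_log, /var/log/messages, the Apache access log, /etc/csf/csf.allow) are assumptions about a typical cPanel/CSF install, and the sample log lines it writes to a temporary directory are constructed for the demonstration, not real server logs.

```shell
#!/bin/sh
# Added example, not from the original thread or from cPanel/CSF.
# Sweep the logs for the IP named in an lfd "WHM/cPanel root access alert".
# Log paths are assumptions (usual cPanel/CSF locations); the sample log
# lines written to a temp dir below are constructed for this demo.

# Pull the source IP out of an lfd alert line, e.g.
# "WHM/cPanel root access alert from 141.0.32.125 (GB/United Kingdom/...)".
lfd_alert_ip() {
    printf '%s\n' "$1" | sed -n 's/.*root access alert from \([0-9][0-9.]*\).*/\1/p'
}

# For every file that exists, count lines containing the IP as a whole
# word (-w keeps 1.2.3.4 from matching 11.2.3.45). Prints "file:count"
# for each file with hits. Exit status 0 if seen anywhere, else 1.
ip_hits() {
    ip=$1; shift
    seen=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(grep -c -w -F -- "$ip" "$f") || true   # grep -c exits 1 on no match
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s:%s\n' "$f" "$n"
            seen=0
        fi
    done
    return $seen
}

# Is the IP whitelisted in csf.allow? Entries are one IP per line with an
# optional "# comment", or advanced rules like "tcp|in|d=22|s=1.2.3.4".
csf_allowed() {
    [ -f "$2" ] || return 1
    sed 's/#.*//' "$2" | grep -q -w -F -- "$1"
}

# --- constructed demo data (not real server logs) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
ALERT='lfd on myservername.com: WHM/cPanel root access alert from 141.0.32.125 (GB/United Kingdom/unknown.griffin.com)'

# stands in for /usr/local/cpanel/logs/access_log
cat > "$tmp/cpanel_access_log" <<'EOF'
141.0.32.125 - root [10/25/2013:06:12:58 -0000] "GET /login/?login_only=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - root [10/25/2013:09:01:02 -0000] "GET /cgi/whm/index.cgi HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF
# stands in for /var/log/messages
cat > "$tmp/messages" <<'EOF'
Oct 25 06:12:59 server lfd[2231]: WHM/cPanel root access alert from 141.0.32.125
Oct 25 06:13:00 server atd[28703]: pam_unix(atd:session): session opened for user root by (uid=0)
EOF
# stands in for the Apache access log (no hit for the alert IP here)
cat > "$tmp/apache_access_log" <<'EOF'
198.51.100.7 - - [25/Oct/2013:06:10:11 +0000] "GET /webmail/ HTTP/1.1" 200 512
EOF
# stands in for /etc/csf/csf.allow
cat > "$tmp/csf.allow" <<'EOF'
# office workstations
203.0.113.9 # admin desk
tcp|in|d=22|s=198.51.100.44
EOF

demo() {
    ip=$(lfd_alert_ip "$ALERT")
    echo "alert IP: $ip"
    ip_hits "$ip" "$tmp/cpanel_access_log" "$tmp/messages" "$tmp/apache_access_log" \
        || echo "IP not found in any log checked"
    if csf_allowed "$ip" "$tmp/csf.allow"; then
        echo "$ip is in csf.allow (whitelisted)"
    else
        echo "$ip is NOT in csf.allow"
    fi
}
demo
```

On a live server you would point `ip_hits` at the real files instead of the temp copies (and add /var/log/secure and the cPanel error log to the list); a hit in the cPanel access log around the alert timestamp, with a request path, tells you far more than the alert alone, and a miss everywhere is itself a useful signal that you may be looking at the wrong server.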