The Community Forums


WHM login by Softlayer tech for no reason. What to look for?

Discussion in 'Security' started by nyjimbo, May 9, 2014.

  1. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Last night CSF/LFD warned us that someone logged into our cPanel WHM from an IP which is the tech support department of Softlayer (where we get our servers). I didn't see anything in our tickets and so far nobody at Softlayer knows why this happened. They admit this is one of their tech department IPs. This is an edited LFD output.

    I went into the server via WHM and SSH and couldn't find anything unusual (no new accounts, no changed settings, no new passwd, groups, etc, nothing in tmp or anywhere else I could think of).

    So what I am wondering is what else can I check to see what they did or how long they were in there? They didn't SSH or FTP, but they did go right into WHM with the correct password.

    I would like to find out more before someone at Softlayer starts changing things as it might just be a mistaken login or it could be someone at that company is using access to do something bad.

    thanks.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can review the cPanel access log here:

    Code:
    /usr/local/cpanel/logs/access_log
    I suggest following up with them to have them investigate the source/reason for the login.

    Thank you.
     
  3. nyjimbo

    nyjimbo Well-Known Member

    Right now they are thinking it was a tech error and they pulled up the wrong hardware info. I am seeing about 20 lines in the access_log and then nothing after it. All so far seem to be just logging in and out. Here is the output, not sure if it will format ok.

    Code:
    root@xxxxxx [/usr/local/cpanel/logs]# tail -n 8000 access_log| grep "75.125.126.8"
    75.125.126.8 - - [05/09/2014:01:33:24 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - root [05/09/2014:01:33:34 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1365963166/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/login-whisp.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/whm.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-username.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-error.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-password.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/cpanel-logo-tiny.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-info.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-success.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/warning.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:37 -0000] "GET /cPanel_magic_revision_1328806045/unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - root [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - - [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    75.125.126.8 - root [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
    root@xxxxxx [/usr/local/cpanel/logs]#
    That's all there is in access_log so I am leaning towards this being an error. I will wait for more info as Softlayer says they will try to dig deeper.
     
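The advice two posts up (review /usr/local/cpanel/logs/access_log) and the grep above still leave you reading raw lines by eye. As an added example that is not part of this thread and not cPanel's own tooling, the Python script below parses lines in the format shown above, keeps only one source IP, separates theme-asset noise (the /unprotected/ images and stylesheets) from real requests, counts authenticated responses (2xx with a username in the third field) against rejected ones (401), collects the cpsess tokens seen in paths and referers, and lists any authenticated request beyond "/" and the login handler, which is the "what did they do and how long were they in there" question from the first post. The sample log is constructed for the example, modelled on the output above with documentation-range IPs in place of the real ones; the /scripts/listaccts line is invented purely to show what post-login activity would look like in the report. The script name and the argument order are assumptions.

```python
"""Triage one source IP in a cPanel/WHM access_log (added example, not cPanel code)."""
import re
import sys
from datetime import datetime

# One access_log line in the format the thread shows; trailing fields are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SESSION_RE = re.compile(r'cpsess\d+')

# Constructed sample modelled on the thread's output (placeholder IPs from the
# documentation ranges; the listaccts line is invented to show a post-login action).
SAMPLE_LOG = """\
203.0.113.5 - - [05/09/2014:01:33:24 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0" "-"
203.0.113.5 - root [05/09/2014:01:33:27 -0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0" "-"
203.0.113.5 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/whm.png HTTP/1.1" 200 0 "http://198.51.100.7:2086/cpsess8474402616/" "Mozilla/5.0" "-"
203.0.113.5 - - [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://198.51.100.7:2086/cpsess8474402616/" "Mozilla/5.0" "-"
203.0.113.5 - root [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://198.51.100.7:2086/cpsess8474402616/" "Mozilla/5.0" "-"
203.0.113.5 - root [05/09/2014:01:34:02 -0000] "GET /cpsess8474402616/scripts/listaccts HTTP/1.1" 200 0 "" "Mozilla/5.0" "-"
198.51.100.200 - root [05/09/2014:02:10:00 -0000] "GET / HTTP/1.1" 200 0 "" "curl/7.29.0" "-"
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    s = SESSION_RE.search(rec["path"]) or SESSION_RE.search(rec["referer"])
    rec["session"] = s.group(0) if s else None
    return rec


def strip_session(path):
    """Drop the leading /cpsess<n> so paths compare regardless of session token."""
    return re.sub(r'^/cpsess\d+', '', path) or '/'


def is_static(path):
    """Theme assets (the /unprotected/ tree, images, stylesheets) are browser noise."""
    base = strip_session(path).split('?', 1)[0]
    return '/unprotected/' in base or base.endswith(('.css', '.js', '.png', '.gif', '.ico'))


def summarize(lines, ip):
    """Summarise one source IP: when it was seen, which sessions it touched,
    how many requests were authenticated vs rejected, and any authenticated
    request that went beyond the login page."""
    recs = [r for r in map(parse_line, lines) if r and r["ip"] == ip]
    if not recs:
        return None
    recs.sort(key=lambda r: r["ts"])
    actions = [r for r in recs if not is_static(r["path"])]
    post_login = [
        (r["ts"].isoformat(), r["user"], r["method"], strip_session(r["path"]), r["status"])
        for r in actions
        if r["user"] != "-" and 200 <= r["status"] < 300
        and strip_session(r["path"]) != "/"
        and not strip_session(r["path"]).startswith("/login")
    ]
    return {
        "first_seen": recs[0]["ts"].isoformat(),
        "last_seen": recs[-1]["ts"].isoformat(),
        "duration_seconds": int((recs[-1]["ts"] - recs[0]["ts"]).total_seconds()),
        "sessions": sorted({r["session"] for r in recs if r["session"]}),
        "authenticated_ok": sum(1 for r in recs if r["user"] != "-" and 200 <= r["status"] < 300),
        "rejected": sum(1 for r in recs if r["status"] == 401),
        "user_agents": sorted({r["ua"] for r in recs}),
        "requests": [(r["ts"].isoformat(), r["user"], r["method"], r["path"], r["status"])
                     for r in actions],
        "post_login_activity": post_login,
    }


def main(argv):
    if len(argv) == 3:  # real use: path to access_log and the IP to triage
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        ip = argv[2]
    else:               # no arguments: run against the constructed sample
        lines, ip = SAMPLE_LOG.splitlines(), "203.0.113.5"
    summary = summarize(lines, ip)
    if summary is None:
        print(f"no requests from {ip}")
        return 1
    for key in ("first_seen", "last_seen", "duration_seconds", "sessions",
                "authenticated_ok", "rejected", "user_agents"):
        print(f"{key:>20}: {summary[key]}")
    print("non-static requests:")
    for row in summary["requests"]:
        print("   ", *row)
    print("authenticated activity beyond the login page:")
    for row in summary["post_login_activity"] or [("(none)",)]:
        print("   ", *row)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the report for the sample, or as `python3 whm_triage.py /usr/local/cpanel/logs/access_log <ip>` against a real log. An empty "authenticated activity beyond the login page" list for the IP in question is the evidence behind "all they did was log in"; anything listed there is what to ask the provider about. The script only covers access_log; cPanel also writes authentication attempts to /usr/local/cpanel/logs/login_log, which is worth reading alongside it.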
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    From that log, it looks like all they did was log in. I'd definitely expect an explanation from them even if it's "sorry, I logged into the wrong server"
     
  5. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    569
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    I agree with quizknows. I don't see anything odd within that log entry you posted, but they should definitely explain why they accessed your server (even if it was by accident).
     
  6. nyjimbo

    nyjimbo Well-Known Member

    Softlayer admitted it was a mistake, "Sorry, won't happen again".
     