WHM login by Softlayer tech for no reason.What to look for ?

nyjimbo · May 9, 2014

Last night CSF/LFD warned us that someone logged into our Cpanel WHM from an IP which is the tech support department of softlayer (where we get our servers). I didn't see anything in our tickets and so far nobody at Softlayer
knows why this happened. They admit this is one of their tech department IP's. This is a edited LFD output.

Date: Thu, 08 May 2014 21:33:28 -0400
From: root@xxxxxxxxxxxxxxxxx.com
To: root@xxxxxxxxxxxxx.com
Subject: lfd on xxxxxxxxxxx.com: WHM/cPanel root access alert from 75.125.126.8 (US/United
States/isd01.hq.networklayer.com)

Time: Thu May 8 21:33:28 2014 -0400
IP: 75.125.126.8 (US/United States/isd01.hq.networklayer.com)
User: root
Click to expand...

I went into the server via WHM and SSH and couldn't find anything unusual (no new accounts, no changed settings, no new passwd, groups, etc, nothing in tmp or anywhere else I could think of).

So what I am wondering is what else can I check to see what they did or how long they were in there ? They didn't SSH or ftp, but they did go right into WHM with the correct password.

I would like to find out more before someone at Softlayer starts changing things as it might just be a mistaken login or it could be someone at that company is using access to do something bad.

thanks.

cPanelMichael · May 9, 2014

Hello

You can review the cPanel access log here:
Code:
/usr/local/cpanel/logs/access_log
I suggest following up with them to have them investigate the source/reason for the login.

Thank you.

nyjimbo · May 9, 2014

Right now they are thinking it was a tech error and they pulled up the wrong hardware info. I am seeing about 20 lines in the access_log and then nothing after it. All so far seem to be just logging in and out. Here is the output, not sure if it will format ok.

Code:

root@xxxxxx [/usr/local/cpanel/logs]# tail -n 8000 access_log| grep "75.125.126.8"
75.125.126.8 - - [05/09/2014:01:33:24 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:34 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1365963166/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/login-whisp.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/whm.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-username.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-error.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-password.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/cpanel-logo-tiny.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-info.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-success.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/warning.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:37 -0000] "GET /cPanel_magic_revision_1328806045/unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
root@xxxxxx [/usr/local/cpanel/logs]#

That's all there is in access_log so I am leaning towards this being an error. I will wait for more info as Softlayer says they will try to dig deeper.

quizknows · May 9, 2014

From that log, it looks like all they did was log in. I'd definitely expect an explanation from them even if it's "sorry, I logged into the wrong server"

cPanelPeter · May 11, 2014

Hello,

I agree with quizknows. I don't see anything odd within that log entry you posted, but they should definitely explain why they accessed your server (even if it was by accident).

nyjimbo · May 11, 2014

Softlayer admitted it was a mistake, "Sorry, wont happen again".

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

WHM login by Softlayer tech for no reason.What to look for ?

nyjimbo Well-Known Member

cPanelMichael Forums Analyst
Staff Member

nyjimbo Well-Known Member

quizknows Well-Known Member

cPanelPeter Technical Analyst III
Staff Member

nyjimbo Well-Known Member

the access key found but it looks like logins not working, please regenerate it in whm error

Horde not listing mailboxes from default account login

How to use the "PIN" to login in the mobile app?

Login redirection to hostname issue

Support Ticket Login Issue

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

WHM login by Softlayer tech for no reason.What to look for ?

nyjimbo Well-Known Member

cPanelMichael Forums Analyst Staff Member

nyjimbo Well-Known Member

quizknows Well-Known Member

cPanelPeter Technical Analyst III Staff Member

nyjimbo Well-Known Member

the access key found but it looks like logins not working, please regenerate it in whm error

Horde not listing mailboxes from default account login

How to use the "PIN" to login in the mobile app?

Login redirection to hostname issue

Support Ticket Login Issue

Share This Page

cPanelMichael Forums Analyst
Staff Member

cPanelPeter Technical Analyst III
Staff Member