Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WHM login by Softlayer tech for no reason.What to look for ?

Discussion in 'Security' started by nyjimbo, May 9, 2014.

  1. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,129
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New York
    Last night CSF/LFD warned us that someone logged into our Cpanel WHM from an IP which is the tech support department of softlayer (where we get our servers). I didn't see anything in our tickets and so far nobody at Softlayer
    knows why this happened. They admit this is one of their tech department IP's. This is a edited LFD output.

    I went into the server via WHM and SSH and couldn't find anything unusual (no new accounts, no changed settings, no new passwd, groups, etc, nothing in tmp or anywhere else I could think of).

    So what I am wondering is what else can I check to see what they did or how long they were in there ? They didn't SSH or ftp, but they did go right into WHM with the correct password.

    I would like to find out more before someone at Softlayer starts changing things as it might just be a mistaken login or it could be someone at that company is using access to do something bad.

    thanks.
     
    #1 nyjimbo, May 9, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,802
    Likes Received:
    1,713
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can review the cPanel access log here:

    Code:
    /usr/local/cpanel/logs/access_log
    I suggest following up with them to have them investigate the source/reason for the login.

    Thank you.
     
    #2 cPanelMichael, May 9, 2014
  3. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,129
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New York
    Right now they are thinking it was a tech error and they pulled up the wrong hardware info. I am seeing about 20 lines in the access_log and then nothing after it. All so far seem to be just logging in and out. Here is the output, not sure if it will format ok.

    Code:
    root@xxxxxx [/usr/local/cpanel/logs]# tail -n 8000 access_log| grep "75.125.126.8"
75.125.126.8 - - [05/09/2014:01:33:24 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:34 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1365963166/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/login-whisp.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/whm.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-username.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-error.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-password.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/cpanel-logo-tiny.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-info.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-success.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/warning.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:37 -0000] "GET /cPanel_magic_revision_1328806045/unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
root@xxxxxx [/usr/local/cpanel/logs]#
    That's all there is in access_log so I am leaning towards this being an error. I will wait for more info as Softlayer says they will try to dig deeper.
     
    #3 nyjimbo, May 9, 2014
    Last edited: May 9, 2014
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    From that log, it looks like all they did was log in. I'd definitely expect an explanation from them even if it's "sorry, I logged into the wrong server"
     
    #4 quizknows, May 9, 2014
  5. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    575
    Likes Received:
    20
    Trophy Points:
    93
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    I agree with quizknows. I don't see anything odd within that log entry you posted, but they should definitely explain why they accessed your server (even if it was by accident).
     
    #5 cPanelPeter, May 11, 2014
  6. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,129
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New York
    Softlayer admitted it was a mistake, "Sorry, wont happen again".
     
    #6 nyjimbo, May 11, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - login Softlayer tech
  1. dstana

    SOLVED cPanel Login Issue

    dstana, Apr 25, 2018 at 11:54 AM, in forum: General Discussion
    Replies:
    3
    Views:
    29
    cPanelMichael
    Apr 25, 2018 at 1:39 PM
  2. abuujurayj

    I can't login in my application after activating htaccess

    abuujurayj, Apr 23, 2018 at 4:09 PM, in forum: General Discussion
    Replies:
    9
    Views:
    82
    abuujurayj
    Apr 24, 2018 at 2:19 PM
  3. Oualid

    Excessive number of failed login

    Oualid, Apr 20, 2018 at 2:51 PM, in forum: E-mail Discussions
    Replies:
    1
    Views:
    42
    cPanelLauren
    Apr 20, 2018 at 3:01 PM
  4. kalexan

    Cannot enable cPanelid login

    kalexan, Apr 19, 2018 at 6:48 AM, in forum: General Discussion
    Replies:
    3
    Views:
    53
    cPanelLauren
    Apr 20, 2018 at 6:53 AM
  5. gildas

    Error during auto-login on phpmyadmin

    gildas, Apr 6, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    51
    cPanelMichael
    Apr 6, 2018

Share This Page