Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

WHM login by Softlayer tech for no reason.What to look for ?

Discussion in 'Security' started by nyjimbo, May 9, 2014.

  1. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,132
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    New York
    Last night CSF/LFD warned us that someone logged into our Cpanel WHM from an IP which is the tech support department of softlayer (where we get our servers). I didn't see anything in our tickets and so far nobody at Softlayer
    knows why this happened. They admit this is one of their tech department IP's. This is a edited LFD output.

    I went into the server via WHM and SSH and couldn't find anything unusual (no new accounts, no changed settings, no new passwd, groups, etc, nothing in tmp or anywhere else I could think of).

    So what I am wondering is what else can I check to see what they did or how long they were in there ? They didn't SSH or ftp, but they did go right into WHM with the correct password.

    I would like to find out more before someone at Softlayer starts changing things as it might just be a mistaken login or it could be someone at that company is using access to do something bad.

    thanks.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 nyjimbo, May 9, 2014
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,299
    Likes Received:
    2,155
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    You can review the cPanel access log here:

    Code:
    /usr/local/cpanel/logs/access_log
    I suggest following up with them to have them investigate the source/reason for the login.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, May 9, 2014
  3. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,132
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    New York
    Right now they are thinking it was a tech error and they pulled up the wrong hardware info. I am seeing about 20 lines in the access_log and then nothing after it. All so far seem to be just logging in and out. Here is the output, not sure if it will format ok.

    Code:
    root@xxxxxx [/usr/local/cpanel/logs]# tail -n 8000 access_log| grep "75.125.126.8"
75.125.126.8 - - [05/09/2014:01:33:24 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:34 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1365963166/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/login-whisp.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/whm.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-username.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-error.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-password.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/cpanel-logo-tiny.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-info.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-success.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/warning.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:37 -0000] "GET /cPanel_magic_revision_1328806045/unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
root@xxxxxx [/usr/local/cpanel/logs]#
    That's all there is in access_log so I am leaning towards this being an error. I will wait for more info as Softlayer says they will try to dig deeper.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 nyjimbo, May 9, 2014
    Last edited: May 9, 2014
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,008
    Likes Received:
    86
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    From that log, it looks like all they did was log in. I'd definitely expect an explanation from them even if it's "sorry, I logged into the wrong server"
     
    #4 quizknows, May 9, 2014
  5. cPanelPeter

    cPanelPeter Technical Analyst III Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    575
    Likes Received:
    20
    Trophy Points:
    143
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    I agree with quizknows. I don't see anything odd within that log entry you posted, but they should definitely explain why they accessed your server (even if it was by accident).
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelPeter, May 11, 2014
  6. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,132
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    New York
    Softlayer admitted it was a mistake, "Sorry, wont happen again".
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 nyjimbo, May 11, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - login Softlayer tech
  1. durangod

    New Thread Double login on PW directories

    durangod, Jun 16, 2019 at 3:51 PM, in forum: Security
    Replies:
    0
    Views:
    83
    durangod
    Jun 16, 2019 at 3:51 PM
  2. pineyscripter

    New Thread WHM Terminal and sshd-config setting PermitRootLogin to no

    pineyscripter, Jun 16, 2019 at 10:33 AM, in forum: Security
    Replies:
    0
    Views:
    78
    pineyscripter
    Jun 16, 2019 at 10:33 AM
  3. ScottIsMyName

    Shell login notifications

    ScottIsMyName, Jun 6, 2019, in forum: Security
    Replies:
    5
    Views:
    217
    cPanelMichael
    Jun 10, 2019
  4. morrow95

    Pending Publication [CPANEL-25776] phpMyAdmin login issue since WHM 80 update

    morrow95, Jun 4, 2019, in forum: Database Discussion
    Replies:
    8
    Views:
    261
    morrow95
    Jun 8, 2019
  5. bloatedstoat

    SOLVED [CPANEL-27695] Failed to show template error400 in login theme

    bloatedstoat, May 31, 2019, in forum: General Discussion
    Replies:
    4
    Views:
    389
    cPanelMichael
    Jun 11, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice