The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WHM login by Softlayer tech for no reason.What to look for ?

Discussion in 'Security' started by nyjimbo, May 9, 2014.

  1. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New York
    Last night CSF/LFD warned us that someone logged into our Cpanel WHM from an IP which is the tech support department of softlayer (where we get our servers). I didn't see anything in our tickets and so far nobody at Softlayer
    knows why this happened. They admit this is one of their tech department IP's. This is a edited LFD output.

    I went into the server via WHM and SSH and couldn't find anything unusual (no new accounts, no changed settings, no new passwd, groups, etc, nothing in tmp or anywhere else I could think of).

    So what I am wondering is what else can I check to see what they did or how long they were in there ? They didn't SSH or ftp, but they did go right into WHM with the correct password.

    I would like to find out more before someone at Softlayer starts changing things as it might just be a mistaken login or it could be someone at that company is using access to do something bad.

    thanks.
     
    #1 nyjimbo, May 9, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,769
    Likes Received:
    1,144
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can review the cPanel access log here:

    Code:
    /usr/local/cpanel/logs/access_log
    I suggest following up with them to have them investigate the source/reason for the login.

    Thank you.
     
    #2 cPanelMichael, May 9, 2014
  3. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New York
    Right now they are thinking it was a tech error and they pulled up the wrong hardware info. I am seeing about 20 lines in the access_log and then nothing after it. All so far seem to be just logging in and out. Here is the output, not sure if it will format ok.

    Code:
    root@xxxxxx [/usr/local/cpanel/logs]# tail -n 8000 access_log| grep "75.125.126.8"
75.125.126.8 - - [05/09/2014:01:33:24 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:27 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:34 -0000] "GET /cpsess8474402616/ HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1365963166/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/login-whisp.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/whm.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-username.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-error.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1329852020/unprotected/cpanel/images/icon-password.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/cpanel-logo-tiny.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-info.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/notice-success.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:36 -0000] "GET /cPanel_magic_revision_1352936570/unprotected/cpanel/images/warning.png HTTP/1.1" 200 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:37 -0000] "GET /cPanel_magic_revision_1328806045/unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - - [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
75.125.126.8 - root [05/09/2014:01:33:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "http://184.172.xxx.xxx:2086/cpsess8474402616/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" "-"
root@xxxxxx [/usr/local/cpanel/logs]#
    That's all there is in access_log so I am leaning towards this being an error. I will wait for more info as Softlayer says they will try to dig deeper.
     
    #3 nyjimbo, May 9, 2014
    Last edited: May 9, 2014
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    971
    Likes Received:
    71
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    From that log, it looks like all they did was log in. I'd definitely expect an explanation from them even if it's "sorry, I logged into the wrong server"
     
    #4 quizknows, May 9, 2014
  5. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    573
    Likes Received:
    19
    Trophy Points:
    93
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    I agree with quizknows. I don't see anything odd within that log entry you posted, but they should definitely explain why they accessed your server (even if it was by accident).
     
    #5 cPanelPeter, May 11, 2014
  6. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New York
    Softlayer admitted it was a mistake, "Sorry, wont happen again".
     
    #6 nyjimbo, May 11, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - login Softlayer tech
  1. keat63

    Failed Dovecot Logins

    keat63, Jun 28, 2017 at 2:52 AM, in forum: E-mail Discussions
    Replies:
    4
    Views:
    42
    cPanelMichael
    Jun 29, 2017 at 10:03 AM
  2. smartmoney

    Single email account can't login or change password

    smartmoney, Jun 20, 2017, in forum: E-mail Discussions
    Replies:
    3
    Views:
    61
    cPanelMichael
    Jun 21, 2017
  3. Guthrie Shriver

    Login to cPanel slow

    Guthrie Shriver, Jun 15, 2017, in forum: General Discussion
    Replies:
    2
    Views:
    60
    cPanelMichael
    Jun 16, 2017
  4. DjordjeB

    Excessive resource usage: cpanellogin

    DjordjeB, Jun 14, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    43
    cPanelMichael
    Jun 15, 2017
  5. DBM

    Webmail - Cannot Login via cPanel

    DBM, Jun 7, 2017, in forum: E-mail Discussions
    Replies:
    5
    Views:
    118
    cPanelMichael
    Jun 13, 2017

Share This Page