WHM login two factor auth logging?

Michael Smith

Registered
Sep 10, 2016
4
1
3
United Kingdom
cPanel Access Level
Root Administrator
So this afternoon one of our servers got compromised, We have already migrated the data away and locked it down. The problem i am trying to understand is someone logged into WHM using root and somehow got around the 2 factor auth.

Is there a way i can check the logs as to how they logged in, and if they did indeed bypass 2 factors or did put it in ?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
You can check the access logs for any logins on the server, there are a couple of other logs located in the same location at /usr/local/cpanel/logs which I think might be helpful as well:

access_log
session_log
login_log