
who gets in my public_html?

Discussion in 'Security' started by ozzieonline, Jan 18, 2013.

  1. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi guys,

    I've set up Apache to send all requests (except requests to content files like images etc.) to index.php by using a rewrite rule.

    Because I was trying to test the php error log I deliberately created a php error in the index.php file.
    The error appeared in the php error log so it works well. However... 30 minutes later I checked the php error log again and I saw more of the same error messages while I had not refreshed my site. My website is not public and not known to the public, so I suspect some system process "peeks" at my public_html folder now and then. Since every request is being forwarded to the index.php file the error is triggered each time.

    I am wondering which process "peeks" into my public_html folder. Could it be a statistics program like AW stats?

    Addition:
    I see the error appears exactly every 5 minutes, in the first second of that minute. For example 21:30:01, 21:35:01, 21:40:01 and so on. Does anybody have a clue which process peeks at my public_html folder every 5 minutes?
     
    #1 ozzieonline, Jan 18, 2013
    Last edited: Jan 18, 2013
  2. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    Check the access log.
     
  3. ozzieonline

    Thanks quietFinn. This is what I find in the apache access log. I copied a little piece:

    127.0.0.1 - - [19/Jan/2013:00:40:01 +0100] "GET /whm-server-status HTTP/1.0" 200 4304
    127.0.0.1 - - [19/Jan/2013:00:50:01 +0100] "GET /whm-server-status HTTP/1.0" 200 3757
    127.0.0.1 - - [19/Jan/2013:00:50:01 +0100] "GET /whm-server-status HTTP/1.0" 200 3757
    127.0.0.1 - - [19/Jan/2013:00:55:01 +0100] "GET /whm-server-status HTTP/1.0" 200 4241
    127.0.0.1 - - [19/Jan/2013:00:55:01 +0100] "GET /whm-server-status HTTP/1.0" 200 4241
    127.0.0.1 - - [19/Jan/2013:01:00:01 +0100] "GET /whm-server-status HTTP/1.0" 200 -
    127.0.0.1 - - [19/Jan/2013:01:00:01 +0100] "GET /whm-server-status HTTP/1.0" 200 -
    127.0.0.1 - - [19/Jan/2013:01:05:01 +0100] "GET /whm-server-status HTTP/1.0" 200 -
    127.0.0.1 - - [19/Jan/2013:01:05:01 +0100] "GET /whm-server-status HTTP/1.0" 200 -
    127.0.0.1 - - [19/Jan/2013:01:10:01 +0100] "GET /whm-server-status HTTP/1.0" 200 -
    127.0.0.1 - - [19/Jan/2013:01:10:01 +0100] "GET /whm-server-status HTTP/1.0" 200 -

    I also found this cronjob which I think is running every 5 minutes (according to */5 * * * *)

    */5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

    Do you have any idea what is going on?
     
  4. quietFinn

    That's not the right log, see /usr/local/apache/domlogs/YOURDOMAIN.COM
     
  5. ozzieonline

    I checked, but the requests are not logged in there. (I can see because the times don't correspond).
    Seems to me like the information above is the relevant information. As you can see the requests are made by localhost, so it seems to be a system process.

    Searching for the keyword "dcpumon" that I see in the cronjob above, I found this:

    Dcpumon is a CPU/Memory accounting script which stores percentage values of CPU and Memory usage under /var/log/dcpumon. By default, a cron has been set up to run the script every 5 minutes and by which the statistics are getting updated in WHM. This script will read all the data and log the statistics data in the folder "/var/log/dcpumon".

    I think this is what's causing the requests.
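
An added example, not code from the thread or from cPanel: the by-eye check done above (which client requests the same path on a fixed schedule) as a small Python script over an Apache access log. The sample log is constructed from the lines quoted in the thread plus a hypothetical external visitor (203.0.113.7); the function name and thresholds are assumptions, and it needs Python 3.9+ for multi-argument `gcd`.

```python
import re
from collections import defaultdict
from datetime import datetime
from math import gcd

# Apache common log format, as in the excerpt posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+$'
)

# Constructed sample: local lines modelled on the thread's excerpt, plus a
# hypothetical external visitor with irregular timing for contrast.
SAMPLE = """\
127.0.0.1 - - [19/Jan/2013:00:40:01 +0100] "GET /whm-server-status HTTP/1.0" 200 4304
127.0.0.1 - - [19/Jan/2013:00:50:01 +0100] "GET /whm-server-status HTTP/1.0" 200 3757
127.0.0.1 - - [19/Jan/2013:00:50:01 +0100] "GET /whm-server-status HTTP/1.0" 200 3757
127.0.0.1 - - [19/Jan/2013:00:55:01 +0100] "GET /whm-server-status HTTP/1.0" 200 4241
127.0.0.1 - - [19/Jan/2013:01:00:01 +0100] "GET /whm-server-status HTTP/1.0" 200 -
203.0.113.7 - - [19/Jan/2013:00:41:13 +0100] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [19/Jan/2013:00:52:37 +0100] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [19/Jan/2013:00:59:12 +0100] "GET /index.php HTTP/1.1" 200 512
"""

def periodic_clients(log_text, min_hits=3, min_period=60):
    """Return {(ip, path): info} for requesters that hit on a fixed schedule."""
    hits = defaultdict(set)  # a set collapses duplicate lines in the same second
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # lines in any other format are skipped
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[(m["ip"], m["path"])].add(ts)
    found = {}
    for key, stamps in hits.items():
        ordered = sorted(stamps)
        if len(ordered) < min_hits:
            continue
        gaps = [int((b - a).total_seconds()) for a, b in zip(ordered, ordered[1:])]
        # A scheduled job leaves gaps that share a large common divisor, even
        # when a run is missing from the excerpt; human traffic tends to 1.
        period = gcd(*gaps)
        if period >= min_period:
            found[key] = {"period_s": period, "hits": len(ordered),
                          "local": key[0] in ("127.0.0.1", "::1")}
    return found

if __name__ == "__main__":
    for (ip, path), info in periodic_clients(SAMPLE).items():
        print(ip, path, info)
```

A loopback source with a 300-second period points at a local scheduled job, which is then matched against crontab entries such as the `*/5` line quoted above.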
     