Basic WebHost Manager® Setup - reset on its own

amstel

• March 21, 2018 08:39

Hi, I have migrated to the new server and restored cPanel backups. Since then I have a weird problem with the Basic WebHost Manager" Setup. Every couple of weeks or months the new WHM server resets Basic WebHost settings to the settings from the old server (contact information email and nameservers IP). Please could you advise? /etc/redhat-release:CentOS release 6.9 (Final) /usr/local/cpanel/version:11.68.0.33 /var/cpanel/envtype:kvm CPANEL=release v68.0.33

• 

  cPanelMichael

  • March 21, 2018 15:09

  Hello, The behavior you reported shouldn't happen unless someone with administrator access is manually restoring files, or if a third-party application is making changes. Is it possible you have a third-party application installed that's altering or restoring the /etc/wwwacct.conf file on the system? Thank you.

  0
• 

  amstel

  • March 21, 2018 15:53

  Thank you for your quick reply. I am with you, it should not happen as my other cPanel's servers works fine. I have ClamAV and CSF but I do not think they could alter or restore /etc/wwwacct.conf file. I am going to monitor this file with the linux demon audit: /etc/audit/audit.rules -w /etc/wwwacct.conf -p wa -k manager
  

  0
• 

  cPanelMichael

  • March 21, 2018 16:11

  I am going to monitor this file with the linux demon audit

  
  That's a good idea. Feel free to let us know the outcome once it detects a change to the file.

  0
• 

  amstel

  • April 11, 2018 09:50

  I have detected the change to the file. time->Wed Apr 11 10:22:19 2018 type=PATH msg=audit(1523438539.215:198): item=1 name="/etc/wwwacct.conf" inode=4071377 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL type=PATH msg=audit(1523438539.215:198): item=0 name="/etc/" inode=4063233 dev=fc:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT type=CWD msg=audit(1523438539.215:198): cwd="/" type=SYSCALL msg=audit(1523438539.215:198): arch=c000003e syscall=2 success=yes exit=3 a0=2b46eb0 a1=241 a2=1b6 a3=7f4a01aa5d90 items=2 ppid=3366 pid=3371 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cpanel.pl" exe="/usr/bin/perl" subj=system_u:system_r:initrc_t:s0 key="manager"
  Any thoughts?

  0
• 

  cPanelMichael

  • April 11, 2018 12:46

  time->Wed Apr 11 10:22:19 2018

  
  Hello, Do you happen to notice any particular output to the cPanel access log (/usr/local/cpanel/logs/access_log) around this time? Or, do you notice any activity around this time in the recent cPanel update log under the /var/cpanel/updatelogs/ directory? Thank you.

  0
• 

  amstel

  • April 11, 2018 14:22

  Hi Michael, /var/cpanel/updatelogs/update.*.log shows that /usr/local/cpanel/bin/dcpumon Added Contact hi-vps@removed [2018-04-10 04:58:04 +0100] 87% complete [2018-04-10 04:58:04 +0100] - Finished in 0.012 seconds [2018-04-10 04:58:04 +0100] Processing: Checking for new security advice [2018-04-10 04:58:04 +0100] - Processing command `/usr/local/cpanel/scripts/check_security_advice_changes --notify` [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/scripts/check_security_advice_changes] There are no changes to the Security Advisor state that require notification. [2018-04-10 04:58:30 +0100] - Finished command `/usr/local/cpanel/scripts/check_security_advice_changes --notify` in 25.364 seconds [2018-04-10 04:58:30 +0100] Processing: Running former postinstall scripts [2018-04-10 04:58:30 +0100] - Processing command `/usr/local/cpanel/bin/dcpumon --killproc` [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/BitchX.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/bnc.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/eggdrop.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/generic-sniffers.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/guardservices.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/ircd.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/psyBNC.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/ptlink.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Loading Symbol Table... /usr/local/cpanel/etc/sym/services.sym ..Done [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Kill Proc Enabled [2018-04-10 04:58:30 +0100] [/usr/local/cpanel/bin/dcpumon] Added Contact hi-vps@removed [2018-04-10 04:58:30 +0100] - Finished command `/usr/local/cpanel/bin/dcpumon --killproc` in 0.508 seconds [2018-04-10 04:58:30 +0100] 88% complete
  

  0
• 

  cPanelMichael

  • April 11, 2018 14:33

  Hello, Can you verify if you have that email address configured as an email destination in "WHM >> Contact Manager" or as a forwarded destination email for "root" in "WHM >> Edit System Mail Preferences"? Thank you.

  0
• 

  amstel

  • April 11, 2018 14:48

  Hi, I am sorry I was not clear. I have setup the Contact Manager address as admin@mydomain.com (that is the "correct" address I wish to use). Today this address has been changed again to hi-vps@removed in "WHM >> Contact Manager" Also the DNS nameservers have been changed in the Basic WebHost Manager" Setup. WHM >> Edit System Mail Preferences shows the correct address admin@mydomain.uk

  0
• 

  cPanelMichael

  • April 11, 2018 14:56

  Hello, Could you open a support ticket so we can take a closer look at the affected system? Thank you.

  0
• 

  amstel

  • April 11, 2018 15:17

  Hi, When I try to prepare server for cPanel support I get: Error:WHM Authorization failed with the following error: The server detected that an SSH key for user "root" in Ticket ID "9430413" and Server "1" already exists. Run the following cPanel script and refresh your browser: /scripts/updatesupportauthorizations. You may skip this server or correct the problem and try again.
  I run /scripts/updatesupportauthorizations and repeat the process but no joy. I have clicked the next button and get the Support Request ID: 9430413

  0
• 

  cPanelMichael

  • April 11, 2018 15:26

  Hello @amstel, I see the ticket was successfully opened. Please respond directly to the support ticket to note the error if /scripts/updatesupportauthorizations continues to fail. Thank you.

  0
• 

  amstel

  • May 09, 2018 18:52

  The problem has been sorted out by your support. /home/cpanel.pl /home/cpanel.conf

  0
• 

  cPanelMichael

  • May 10, 2018 14:31

  /home/cpanel.pl /home/cpanel.conf

  
  I'm glad to see the source of the change was found. Thank you for updating this thread with the outcome. For anyone else seeing this thread, note these are third-party scripts and are not files provided as part of cPanel & WHM. Thank you.

  0

Please sign in to leave a comment.