Entries in Log File Questions

Comments

5 comments

  • cPanelMichael
    Hello @sido, The log output was moderated because it included real domain names and IP addresses. Feel free to post the output again in CODE tags, but ensure to replace any real domain names or IP addresses with examples. Additionally, the following document is a good place to start when understanding how to approach a potentially hacked server: Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation Thank you.
    0
  • sido
    Hi, I uploaded the file again, please check. I want to know what he did? Is this dangerous??? Thank you in advance. Hi, these are the traces.
    0
  • fuzzylogic
    The apache access_log lines you posted are evidence that the ip address in your original post requested the whm login page. It is not evidence that they successfully logged in. See the attached screenshot to verify this for yourself. The following line is extremely vague: "since a few days I received an email indicates that someone has entered my server." Is there any connection with the ip address in the log lines you posted and the email you received? The email you received... Is it sent by ConfigServer lfd daemon? Is the email sent by some other software on your server? Is it sent from the email address you would expect server notifications to be sent by? Does it have any hyper-links in it? Is it possible that the email is a notification of you or one of your cPanel users logging in? Do you know the ip that you log in from? Does it ever vary? Do you use an anonymizing proxy for your browser when you log in? Are your usernames and passwords for root and cPanel users complex and unique?
    0
  • sido
    Hi, thank you for your reply. I received a cron-job email indicating that someone made a change on the server. Look at the attached file. Example:
    POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 "https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/index.html" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 "https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/index.html" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 "https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/editit.html?file=main.tpl&fileop=&dir=%2Fhome%2FwebsiteK%2Fpublic_html%2Fww1%2Ftemplates%2FDefault&dirop=&charset=&file_charset=utf-8&baseurl=&basedir=&edit=1" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    POST /cpsess3516826911/execute/Personalization/get HTTP/1.1" 200 0 "https://domaine.com.2083/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "s" "-" 2083
    Thank you in advance
    0
  • cPanelMichael
    Hello @sido, The log output you provided shows that cPanel >> File Manager was accessed. Can you elaborate on where you see the "root" user was utilized to access the server? Answers to the questions in the post before your last one are needed to better understand the issue you are facing. Additionally, you may want to consider hiring a system administrator if you require assistance evaluating the server's security or investigating the source of a potential exploit. This is often an extensive process, and it's generally not something we can help with over a public forum. You can find a list of companies offering system administration services at: Thank you.
    0
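A small parser for the log fragments sido posted, added here as an example and not part of the thread or of cPanel's own tooling. It pulls the session token, the cPanel screen named in the Referer, and the file that the File Manager editor (editit.html) had open, so the server owner can compare each edit against their own activity instead of reading the raw lines. The sample lines are the ones from the post, with the poster's placeholder domain; the leading client IP and timestamp were cut off in the post, so the regex only matches from the request method onward.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed from the fragments pasted in the thread (domain is the poster's
# placeholder, user agents shortened). Real lines start with IP and timestamp.
SAMPLE_LINES = [
    'POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 '
    '"https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/index.html" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/68.0.3440.106" "s" "-" 2083',
    'POST /cpsess3516826911/json-api/cpanel HTTP/1.1" 200 0 '
    '"https://domaine.com.2083/cpsess3516826911/frontend/paper_lantern/filemanager/editit.html'
    '?file=main.tpl&fileop=&dir=%2Fhome%2FwebsiteK%2Fpublic_html%2Fww1%2Ftemplates%2FDefault'
    '&dirop=&charset=&file_charset=utf-8&baseurl=&basedir=&edit=1" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/68.0.3440.106" "s" "-" 2083',
    'POST /cpsess3516826911/execute/Personalization/get HTTP/1.1" 200 0 '
    '"https://domaine.com.2083/" "Mozilla/5.0 (Windows NT 10.0) Chrome/68.0.3440.106" "s" "-" 2083',
]

# method, request path, status, bytes, referer, user agent
LINE_RE = re.compile(
    r'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# A cpsess token in the path means the request was made inside an established
# (already authenticated) cPanel session; a bare login-page hit has none.
SESSION_RE = re.compile(r'/cpsess(\d+)/')
# Referer paths look like /cpsess<id>/frontend/<theme>/<feature>/<page>
FEATURE_RE = re.compile(r'/frontend/[^/]+/([^/]+)/')


def parse_line(line):
    """Describe one cPanel access-log fragment; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    sess = SESSION_RE.search(rec["path"])
    rec["session"] = sess.group(1) if sess else None
    ref = urlparse(rec["referer"])
    feat = FEATURE_RE.search(ref.path)
    rec["feature"] = feat.group(1) if feat else None
    rec["edited_file"] = None
    if rec["feature"] == "filemanager" and ref.path.endswith("/editit.html"):
        qs = parse_qs(ref.query)  # parse_qs already percent-decodes values
        if "file" in qs:
            rec["edited_file"] = qs.get("dir", [""])[0].rstrip("/") + "/" + qs["file"][0]
    return rec


def file_edits(lines):
    """(session, path) for every line issued from the File Manager editor."""
    recs = (parse_line(l) for l in lines)
    return [(r["session"], r["edited_file"]) for r in recs if r and r["edited_file"]]
```

Running file_edits over a full cpanel access log and diffing the listed paths against your own recent edits (and the files' mtimes) is a quick way to answer "what did he change?"; it says nothing about who authenticated, which is the question fuzzylogic's list is meant to settle.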