Firewall configuration file changed?

I've been running WHM/Cpanel on Servers For at least 12 years along with CSF/LFD. Yesterday all of the sudden the server wouldn't accept WHM connection on port 2087. I immediately tried bringing it up on my mobile phone to see if for some reason by connecting from my hotel the system had auto blocked the IP. Nope, was blocking external access to the port, not IP specific. Had made no config changes on the server WHATSOEVER. For the heck of it I moved CSF to a different directory and re-installed. Works fine. But after a while (guessing couple hours or so) the csf.conf file is modified and those IP addresses listed in the subject of this thread are removed from the Allow TCP ports Again I made no changes to anything on the server at any level (iptables, WHM settings, CSF/LFD settings) It was the middle of the afternoon so a system update shouldn't have happened. This is the ports csf.conf file that csf installs with TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096" TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703" This is what the file changes to by itself an hour or two later without me doing anything: TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,1027,2077,2078,2083,2095,2096,3306" TCP_OUT = "20,22,21,25,37,43,53,80,110,113,443,587,873,993,995,1027,2089,2703,3306,2077,2078" What could be modifying the port configuration? I'm on WHM 78.0.13 AGAIN.. IT'S NOT AN IP SPECIFIC BLOCK (CSF.DENY file)