Understanding abusive access attempts in logs
I am getting many WHM panel hacking attempts; the IP address is from Linode (a hosting provider). However, when I block the IP address they start the attack with a new IP address. See the logs below:
198.58.xxx.xx - - [06/27/2019:09:16:47 -0000] "#ST" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:16:49 -0000] "
nbei" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:16:50 -0000] " 400 0 "-" "-" "-" "-" 2086
127.0.0.1 - - [06/27/2019:09:16:54 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:16:53 -0000] "GET / HTTP/1.0" 301 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:16:55 -0000] "OPTIONS / HTTP/1.0" 301 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:16:57 -0000] "OPTIONS / RTSP/1.0" 301 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:16:58 -0000] "?(r????|" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:00 -0000] "versionbind" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:01 -0000] "
" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:03 -0000] "HELP" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:04 -0000] "SO?G???,??`~???{???w????<=?o?n(" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:06 -0000] "*%?Cookie: mstshash=beio" 301 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:07 -0000] "ieU??random1random2random3random4
/" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:09 -0000] "qj?n0?k??" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:10 -0000] "??SMB@@?PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12" 301 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:12 -0000] "l
" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:13 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 301 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:15 -0000] "default" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:16 -0000] "0?-c?$" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:18 -0000] "0
`?" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:19 -0000] "OPTIONS sip:nm SIP/2.0" 301 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:20 -0000] "TNMPTNME" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:21 -0000] "
?" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:23 -0000] "DmdT??" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:24 -0000] ":/@=/@" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:26 -0000] "JRMI" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:27 -0000] "???
??MMS????
NSPlayer/9...98; {AA-A-a-AAA-AAAAA}?m?" 401 0 "-" "-" "-" "-" 2086
==> /usr/local/cpanel/logs/error_log <==
[2019-06-27 05:17:29 -0400] warn [whostmgrd] (XID qpdj7c) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3194, line 1.
cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1729
cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1267
cpanel::cpsrvd::handle_one_connection(10) called at cpsrvd.pl line 1090
cpanel::cpsrvd::script() called at cpsrvd.pl line 422
==> /usr/local/cpanel/logs/access_log <==
198.58.xxx.xx - - [06/27/2019:09:17:29 -0000] "Z6 :?(CONNECT_DATA=(COMMAND=version)" 401 0 "-" "-" "-" "-" 2086
==> /usr/local/cpanel/logs/error_log <==
[2019-06-27 05:17:30 -0400] warn [whostmgrd] (XID qpdj7c) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3194, line 1.
cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1729
cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1267
cpanel::cpsrvd::handle_one_connection(10) called at cpsrvd.pl line 1090
cpanel::cpsrvd::script() called at cpsrvd.pl line 422
==> /usr/local/cpanel/logs/access_log <==
198.58.xxx.xx - - [06/27/2019:09:17:30 -0000] "4
UMSSQLServerH" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:32 -0000] "" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:33 -0000] "GIOP$abcdefget" 400 0 "-" "-" "-" "-" 2086
198.58.xxx.xx - - [06/27/2019:09:17:35 -0000] "??+
==> /usr/local/cpanel/logs/error_log <==
[2019-06-27 05:17:41 -0400] warn [whostmgrd] (XID qpdj7c) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3194, line 1.
cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1729
cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1267
cpanel::cpsrvd::handle_one_connection(10) called at cpsrvd.pl line 1090
cpanel::cpsrvd::script() called at cpsrvd.pl line 422
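Before deciding what to block it is worth reading the request strings above. Once URL-decoded, the GET for nice ports,/Trinity.txt.bak, the mstshash= RDP cookie, the SMB dialect list, OPTIONS sip:nm SIP/2.0, JRMI, GIOP and CONNECT_DATA=(COMMAND=version) are the payloads a service-version scanner sends to every open port it finds; cpsrvd on 2086 answers each with a 400 or 401 and logs the raw bytes, and the error_log entries about null characters and newlines are the same requests seen from the parser's side. The script below is an added example written for this thread, not code from cPanel or CSF: it parses the access_log layout shown in the post, rejoins records that a probe's raw newlines split across physical lines, counts non-HTTP payloads and known probe fragments per source address, and for a source flagged inside one short window prints a csf.deny entry for the surrounding /24 of the kind the first reply suggests. The sample log is constructed (198.58.0.1 stands in for the redacted address, 203.0.113.7 for a normal login), the probe labels are this example's own reading of the fragments, and the thresholds are illustrative.

```python
"""Spot a service-fingerprinting scan in a cpsrvd (WHM, port 2086) access_log dump.
Added example for this thread, not cPanel or CSF code. Assumed layout, read off the posted
lines: ip - user [mm/dd/yyyy:HH:MM:SS -zzzz] "request" status bytes "-" "-" "-" "-" port."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample modelled on the posted log. 198.58.0.1 stands in for the redacted
# 198.58.xxx.xx; 203.0.113.7 is an ordinary login added for contrast.
SAMPLE_LOG = (
    '198.58.0.1 - - [06/27/2019:09:16:47 -0000] "#ST" 400 0 "-" "-" "-" "-" 2086\n'
    '198.58.0.1 - - [06/27/2019:09:16:53 -0000] "GET / HTTP/1.0" 301 0 "-" "-" "-" "-" 2086\n'
    '198.58.0.1 - - [06/27/2019:09:17:06 -0000] "*%?Cookie: mstshash=beio" 301 0 "-" "-" "-" "-" 2086\n'
    '198.58.0.1 - - [06/27/2019:09:17:13 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 301 0 "-" "-" "-" "-" 2086\n'
    '198.58.0.1 - - [06/27/2019:09:17:19 -0000] "OPTIONS sip:nm SIP/2.0" 301 0 "-" "-" "-" "-" 2086\n'
    '198.58.0.1 - - [06/27/2019:09:17:27 -0000] "???\n'            # raw newlines in the probe
    '??MMS????\n'                                                   # split one record over
    'NSPlayer/9...98; {AA-A-a-AAA-AAAAA}?m?" 401 0 "-" "-" "-" "-" 2086\n'  # three physical lines
    '198.58.0.1 - - [06/27/2019:09:17:35 -0000] "JRMI" 400 0 "-" "-" "-" "-" 2086\n'
    '==> /usr/local/cpanel/logs/error_log <==\n'                    # tail -f header: noise
    '127.0.0.1 - - [06/27/2019:09:16:54 -0000] "GET /.__cpanel__service__check__./serviceauth?sendkey=__HIDDEN__&version=1.2 HTTP/1.0" 200 0 "-" "-" "-" "-" 2086\n'
    '203.0.113.7 - - [06/27/2019:09:20:00 -0000] "GET /login/ HTTP/1.1" 200 0 "-" "-" "-" "-" 2086\n'
)

RECORD_START = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3} - \S+ \[')
RECORD_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<req>.*)" (?P<status>\d{3}) (?:\d+|-) [^\n]*$', re.S)
HTTP_REQUEST = re.compile(r'^[A-Z]{3,10} \S+ HTTP/\d\.\d$')
# Fragments that occur in the posted log; the labels are this example's own reading of them.
PROBE_SIGNATURES = {
    'nice ports,/Trinity.txt.bak': 'generic web probe', 'mstshash=': 'RDP probe',
    'OPTIONS sip:': 'SIP probe', 'JRMI': 'Java RMI probe', 'GIOP': 'CORBA probe',
    'NSPlayer': 'MMS streaming probe', 'MSSQLServer': 'MS-SQL probe', 'RTSP/1.0': 'RTSP probe',
    'CONNECT_DATA=(COMMAND=version)': 'Oracle TNS probe', 'PC NETWORK PROGRAM 1.0': 'SMB probe',
}

def parse_records(text):
    """Split a dump into records, rejoining request strings that a probe's raw newlines
    spread over several physical lines; tail headers and other stray lines are dropped."""
    chunks, current = [], None
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current is not None:
                chunks.append(current)
            current = line
        elif current is not None and not line.startswith('==>') and not RECORD_RE.match(current):
            current += '\n' + line        # record still open, so this line is part of the request
    if current is not None:
        chunks.append(current)
    records = []
    for chunk in chunks:
        m = RECORD_RE.match(chunk)
        if m:
            records.append({'ip': m['ip'], 'request': m['req'], 'status': int(m['status']),
                            'ts': datetime.strptime(m['ts'], '%m/%d/%Y:%H:%M:%S %z')})
    return records

def classify_request(raw):
    """Return (looks_like_http, [matched probe labels]) for one request string."""
    decoded = unquote(raw)       # nice%20ports -> nice ports, so URL-encoded probes still match
    return bool(HTTP_REQUEST.match(raw)), [lbl for frag, lbl in PROBE_SIGNATURES.items() if frag in decoded]

def summarize(records, ignore=('127.0.0.1',)):
    """Per-source counters. The local cPanel service check is not a client and is skipped."""
    per_ip = defaultdict(lambda: {'total': 0, 'non_http': 0, 'probes': set(), 'first': None, 'last': None})
    for r in records:
        if r['ip'] in ignore:
            continue
        s, (is_http, labels) = per_ip[r['ip']], classify_request(r['request'])
        s['total'] += 1
        s['non_http'] += (not is_http)
        s['probes'].update(labels)
        s['first'] = r['ts'] if s['first'] is None else min(s['first'], r['ts'])
        s['last'] = r['ts'] if s['last'] is None else max(s['last'], r['ts'])
    return dict(per_ip)

def flag_scanners(summaries, min_non_http=4, min_probe_kinds=3, window=timedelta(minutes=5)):
    """A source is a scanner if, inside one short window, it sent several non-HTTP payloads
    or several distinct known probes to the WHM port. Thresholds are illustrative."""
    return sorted(ip for ip, s in summaries.items() if s['last'] - s['first'] <= window
                  and (s['non_http'] >= min_non_http or len(s['probes']) >= min_probe_kinds))

def csf_deny_line(ip, prefix=24, reason='service scan against WHM port 2086'):
    """csf.deny entry for the surrounding /24, the block the reply in this thread suggests."""
    net = ipaddress.ip_network(f'{ip}/{prefix}', strict=False)
    return f'{net} # do not delete - {reason}, first seen from {ip}'

if __name__ == '__main__':
    summaries = summarize(parse_records(SAMPLE_LOG))
    for ip in flag_scanners(summaries):
        s = summaries[ip]
        print(f"{ip}: {s['total']} requests, {s['non_http']} non-HTTP, probes={sorted(s['probes'])}")
        print(csf_deny_line(ip))
```

Run it as is to see the flagged source and the deny line it proposes. A /24 around a cloud provider's address also covers unrelated tenants, which is why the comment field on the entry matters; the allow-list the thread ends with (Host Access Control restricting WHM, SSH and FTP to your own address) removes the need to chase source addresses at all.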
I assume you are blocking with the CSF firewall. If they are all coming from 198.58.x.x, have you considered adding a class C block? Let's assume 198.58.3.x; try adding:
198.58.3.0/24 # do not delete - add any comments to help identify why you set the rule
Hi @keat63 and @cPanelMichael, I have not blocked the whole range of IPs, but the attacks are gone now. Our hosting provider also enabled Host Access Control so that only our IP can access cPanel, SSH and FTP. Thanks for helping, but you can see they are using different "query-like keywords" for cracking the WHM password.