Skip to main content

How to find hackers access point

panit
One of the accounts on the server had a file changed by a hacker. I was able to find the hackers IP in the access log. The entry in the log indicated the change was made via cpanels file manager so I searched the logs to see if I could find how that IP logged in. The only thing I could find for that IP are shown below. It shows connections by user1 and user2, neither of which is the user of the account that was hacked. Does that mean the hacker got in via one of these accounts or is it just coincidence? Also, I grepped the .lastlogin for all accounts on the server and the hackers IP shows up in many of them. Does that file show successful logins or just attempts at logging in? So, in summary, I know the account that was hacked and the IP used to do the hacking. I am just trying to find out how he got in. Can anyone offer suggestions on how to do this? [2021-05-31 13:45:54 -0400] info [cpaneld] 174.192.149.43 - user1 "GET /cpsess5167093317/json-api/cpanel?cpanel_jsonapi_module=Fileman&cpanel_jsonapi_func=listfiles&cpanel_jsonapi_apiversion=2&needmime=1&dir=%2fhome%2fuser1%2fpublic_html&showdotfiles=1&cache_fix=1622483121965 HTTP/1.1" DEFERRED LOGIN cpaneld: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43] [2021-05-31 13:45:54 -0400] info [cpaneld] 174.192.149.43 - user2 "GET /cpsess1523471696/frontend/paper_lantern/email_accounts/index.html HTTP/1.1" DEFERRED LOGIN cpaneld: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43] [2021-05-31 13:45:58 -0400] info [cpaneld] 174.192.149.43 - user1 "GET /cpsess5167093317/frontend/paper_lantern/filemanager/index.html HTTP/1.1" DEFERRED LOGIN cpaneld: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43] [2021-05-31 13:46:18 -0400] info [whostmgrd] 174.192.149.43 - root "GET /cpsess2958226313/json-api/loadavg HTTP/1.1" DEFERRED LOGIN whostmgrd: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43] [2021-05-31 13:46:39 -0400] info [whostmgrd] 174.192.149.43 - root "POST /xfercpanel HTTP/1.1" DEFERRED LOGIN whostmgrd: cookie ip check: IP address has changed: IP Address [174.192.165.81] != Current IP Address [174.192.149.43]
using: Apache/2.4.48 and CloudLinux

Comments

8 comments

Date Votes
  • andrew.n
    This snippet of the log file only shows that the login attempts were failed and deferred so it doesn't show any successful login. In the rest of the log files do you see anything else?
    0
  • cPRex Jurassic Moderator
    Hey there! Those specific entries look like the user had tried multiple logins, but doesn't show the actual issue. I always recommend that people check their local computers for viruses and malware as that is the most common way passwords get stolen. I would recommend checking /usr/local/cpanel/logs/access_log to see if that shows any additional details for the IP address.
    0
  • panit
    Thank you for the suggestions. I realize this could be caused by a computer being hacked but it was done by the same IP and at the same time so that seems unlikely. I check an archived access file and found these entries: 174.192.165.81 - info%404user3.com [05/31/2021:14:45:14 -0000] "GET /cpsess0036735185/3rdparty/roundcube/?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1622472314684 HTTP/1.1" 200 0 "https://www.server_domain.com:2096/cpsess0036735185/3rdparty/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2096 174.192.165.81 - user3 [05/31/2021:14:47:14 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/showfile.html?file=cc_cvv.php&fileop=&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fincludes%2Fmodules%2Fpayment&dirop=&charset=&file_charset=&baseurl=&basedir= HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083 174.192.165.81 - user3 [05/31/2021:14:47:19 -0000] "GET /cPanel_magic_revision_1509979506/frontend/paper_lantern/css/yui-core.css HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083 174.192.165.81 - user3 [05/31/2021:14:47:14 -0000] "GET /cPanel_magic_revision_1509979506/frontend/paper_lantern/css/yui-custom.css HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083 174.192.165.81 - user3 [05/31/2021:14:47:19 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/close.jpg HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083 174.192.165.81 - user3 [05/31/2021:14:47:19 -0000] "GET /cpsess0813286337/frontend/paper_lantern/mimeicons/text-x-generic.png HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083 174.192.165.81 - user3 [05/31/2021:14:48:35 -0000] "GET /cPanel_magic_revision_1551087232/frontend/paper_lantern/filemanager/img/panel/close.gif HTTP/1.1" 200 0 "https://www.server_domain.com:2083/cPanel_magic_revision_1551087232/frontend/paper_lantern/filemanager/css/tree_styles2_optimized.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083 174.192.165.81 - user3 [05/31/2021:14:48:35 -0000] "GET /cpsess0813286337/frontend/paper_lantern/filemanager/editit.html?file=cc_cvv.php&fileop=&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fincludes%2Fmodules%2Fpayment&dirop=&charset=&file_charset=_DETECT_&baseurl=&basedir=&edit=1 HTTP/1.1" 200 0 "https://www.server_domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "s" "-" 2083
    There was a second account hacked at the same time and in the same way. I thought the line showing the email check above might be the way in but the entries for the other account doesn't show email access. The entries for it did show the filemanager open and edit lines, though I guess that is after the hacker got in. Does the above show anything useful?
    0
  • andrew.n
    Yes it seems that user3 logged in from the IP 174.192.165.81 and he was editing /home/user3/public_html/includes/modules/payment/cc_cvv.php file as well as accessed webmail.
    0
  • panit
    So does "logged in" mean cpanel? Since two accounts had the same problem I suppose it is possible the password of each accounts cpanel could have been obtained. But doesn't it seem more likely that some common entry point was used? In either case, is it possible to know for sure how he got it?
    0
  • andrew.n
    From this log not really..if weak passwords were set it might have been figured or the computer was infected with some virus...a lot of things could have happened unfortunately :(
    0
  • panit
    OK. I understand. Thank you for your help. I had both users change their passwords and blocked that IP.
    0
  • andrew.n
    Very well, anytime
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post