CPANEL-40842 - Successful root login service : cron ??
Successful root Login from Local Machine
Domain: server2.!!!!!!!com
Service: cron
Authentication Database: system
Username: root
Known Network*: Yes ?
* A "Known Network" is an IP address range or netblock that contains an IP address from which a user successfully logged in previously.
Hello, I got this email for a second time just now and am wondering what this is?
Anyone any idea?
This is on a dev cPanel lic. for testing Ubuntu and cPanel 104, latest version.
Hey hey! I'm not sure I've seen one of those from a standard installation referencing the cron service. Is it possible you have a custom cron that calls a script that authenticates as root?
Not that I can think of, other than using csf deny in cPHulk, but then I removed it. And it happened again at the same time. Where would that cron be for me to look? Thanks
Can you check /var/log/cron to see if that shows what was executed at that time?
Does this look kosher?
That all looks normal to me, yes.
So would that trigger the cPanel notification?
I wouldn't expect it to, as I don't get that on my personal system with LFD running.
This is Ubuntu, maybe something different?
That is always a possibility - you're welcome to make a ticket with us too!
OK, here is ticket number #94453883. I just want to know what caused this and if it's just a normal process that will trigger the email. Thanks
Thanks! I'm following along now.
Our team did confirm these notifications were from that dcpumon cron, so it might be worth bringing that up with CSF directly to see if that gets handled differently on an Ubuntu system.
Hi there. The dcpumon cron is cPanel's CPU Monitor; as such, this log in is from the server itself. You should be able to whitelist 127.0.0.1 to prevent these notices from continuing to be sent. This was a notice from cPHulk, not csf, just FYI. So I guess in cPHulk I just need to add 127.0.0.1 to whitelist the IP. But this only happens on the Ubuntu server, not my AlmaLinux server. Maybe a notice in your docs or support channel for this so others can know it's nothing to worry about.
Oooh I didn't see this was cPHulk - let me see if I can find more on my end.
Thanks. :) Yes. Just a note to whitelist 127.0.0.1 in cPHulk so if we have the check mark to notify of a root login we don't panic if we get that notice :). Thanks so much @cPRex.
Here is the full support answer. Sorry, I can't copy and paste for some reason; on the forum it keeps giving me a popup error, so I made a snapshot.
@cPRex even after adding IP 127.0.0.1 I still got the email again? Will message back to support.
I see Ausaf just sent a reply to the ticket, asking you to monitor the situation and see if it happens again. If it does, it could be related to an existing case.
Note: Confirmation of email notification is logged in log file /usr/local/cpanel/logs/cphulkd.log
info [cPhulkd] Notified Root Login: [Service]=[cron] [Authentication Database]=[system] [Username]=[root]
Description
The cPhulk Brute force detection service has the ability to monitor logins for the root user as well as other system users. When cron is executed on Ubuntu, it seems to trigger the cPhulk notification even though the task was executed by crontab. It isn't clear why this issue is occurring at this time but we've noticed the notifications started after upgrading to version 104. We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-40842. Follow this article to receive an email notification when a solution is published in the product.
Workaround
Ignore the notification for system user cron or disable notify root setting for known netblock logins in the cPhulk interface.
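Added example (not cPanel's code and not part of any post in this thread): a shell triage of the cphulkd.log entries quoted in the support answer above, separating cron-service root-login notices (the CPANEL-40842 case) from root logins through any other service. The timestamp prefix, the sshd sample line and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage cPHulk "Notified Root Login" entries in cphulkd.log.

# Constructed sample. The message format is the one quoted in the thread; the
# timestamp prefix and the sshd line are assumptions made for illustration.
sample_log() {
cat <<'EOF'
[2022-06-01 03:00:02 +0000] info [cPhulkd] Notified Root Login: [Service]=[cron] [Authentication Database]=[system] [Username]=[root]
[2022-06-01 03:05:01 +0000] info [cPhulkd] Notified Root Login: [Service]=[cron] [Authentication Database]=[system] [Username]=[root]
[2022-06-01 09:14:37 +0000] info [cPhulkd] Notified Root Login: [Service]=[sshd] [Authentication Database]=[system] [Username]=[root]
[2022-06-01 09:20:00 +0000] info [cPhulkd] unrelated message
EOF
}

# awk helper: value of "[Name]=[value]" in a line, or "" when absent.
AWK_FIELD='
function field(line, name,    key, i, rest, j) {
    key = "[" name "]=["
    i = index(line, key)
    if (!i) return ""
    rest = substr(line, i + length(key))
    j = index(rest, "]")
    return j ? substr(rest, 1, j - 1) : ""
}'

# count_by_service FILE: one "service count" line per service, sorted.
count_by_service() {
    awk "$AWK_FIELD"'
    /Notified Root Login:/ { n[field($0, "Service")]++ }
    END { for (s in n) print s, n[s] }' "$1" | sort
}

# unexpected_root_logins FILE: root-login notices whose service is not cron,
# i.e. the ones the CPANEL-40842 explanation does not cover.
unexpected_root_logins() {
    awk "$AWK_FIELD"'
    /Notified Root Login:/ && field($0, "Service") != "cron"' "$1"
}

# Run against a real log when a path is given as the first argument.
if [ -n "${1:-}" ]; then
    count_by_service "$1"
    unexpected_root_logins "$1"
fi
```

Comparing the timestamps of the cron-service entries with /var/log/cron shows which scheduled job coincides with each notice.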
Thanks for posting that reply!
PS thank you for correcting the link :)
Update - this will be fixed in a future release of version 112. I don't have a specific subversion yet, but I'm hoping to hear that number within the next few weeks.
Hi @cPRex, I'm at version 114 and I also get these email notifications that a crontab object used root, I don't see what is the operational or security benefit from such an email, it holds no actual benefit.
@eitanc - I show that this was resolved in 112.0.4. If you're seeing it on a newer version, could you please submit a ticket and reference case CPANEL-40842 so we can check that out?
@cPRex, I filed support ticket 95154251
Thanks - I'm following along with that ticket now.