User Account Password Keeps Changing

Comments

8 comments

  • cPanelMichael
    Hello :) Are you sure the password has actually been changed? For instance, is it possible the account was locked out by cPHulk brute force detection? You can check the cPHulk logs via the "Login/Brute Force History" tab in: WHM Home » Security Center » cPHulk Brute Force Protection. Thank you.
  • SDSurfer
    > cPanelMichael (post 1618502): Hello :) Are you sure the password has actually been changed? For instance, is it possible the account was locked out by cPHulk brute force detection? You can check the cPHulk logs via the "Login/Brute Force History" tab in:

    Thank you, sorry, I guess I hadn't covered all details. My IP address is whitelisted in cPHulk. It has a 5 retry limit. Typical scenario: I'm working on this site almost every day. Using FileZilla (see below) I'm FTP'ing changes over, no problem. Next day I go to move files, login fails. I go to the CP, attempt login, fails. Go to WHM, reset the pass, it's fine. Two days later, same thing. As for FileZilla, it is NOT in Kiosk mode, no plain text passwords are stored. Require explicit FTP over TLS with proper keys. AVG/Malware is up to date, sure FileZilla is not the problem. I manage many other sites over WHM/cPanel.
  • cPanelMichael
    While it's possible the password is being changed due to an exploited server, it's likely a good idea to rule out any other causes first. Could you let us know if you notice any particular entries in /var/log/messages or /usr/local/cpanel/logs/login_log when the FTP and cPanel logins fail? Thank you.
  • SDSurfer
    > cPanelMichael (post 1619492): While it's possible the password is being changed due to an exploited server, it's likely a good idea to rule out any other causes first. Could you let us know if you notice any particular entries in /var/log/messages or /usr/local/cpanel/logs/login_log when the FTP and cPanel logins fail?

    Agreed, thank you! Although I'm not sure what I'm looking for, some of this may be superfluous.

    /var/log/messages: thousands of these. Presume those are system services (??):

        Apr 7 02:11:04 [server-ip]9 pure-ftpd: (__cpanel__service__auth__ftpd__shJiS73gWuZMzbDRBC5AYx1QWTJMP5y6vJh_ytLzm4ygqI9ZM4bzr7N8oDzFUjjV$
        Apr 7 02:16:03 [server-ip]9 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1

    Although the offending IPs don't show in messages, there are literally thousands, hundreds of thousands, of attempts for various user names. :-(

        Apr 1 03:43:40 [server-ip]9 pure-ftpd: (?@[suspicious IP]) [INFO] New connection from [suspicious IP]
        Apr 1 03:43:46 [server-ip]9 pure-ftpd: (?@[suspicious IP]) [WARNING] Authentication failed for user [nonexistent-user@example.com]

    For my IP, this is one of the instances of failed logins. I manually scanned the log for the previous couple of days, no sign of other users logging in.

        Apr 7 14:31:45 [server ip] pure-ftpd: (?@[my ip address]) [WARNING] Authentication failed for user [main-account]
        Apr 7 14:32:23 [server ip] pure-ftpd: (?@[my ip address]) [WARNING] Authentication failed for user [main-account]

    Immediately followed by a successful login after I reset the password via WHM.

    /usr/local/cpanel/logs/login_log:

        grep [one of the offending ip's] /usr/local/cpanel/logs/login_log

    Hundreds of entries for [two of the offending ip's]:

        [two of the offending ip's] - main-account [04/09/2014:00:11:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN cpaneld: brute force attempt (user main-account) has locked out IP [one of the offending ip's]

    See above, dropped them via iptables; you will recognize that URL from my previous post. 20 or so entries for [different offending ip]:

        [different offending ip] - main-account [03/05/2014:21:04:03 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password

    Although in one of the instances, it gives "locked out", then "login failed", then "locked out" again.

    I did see one entry for my IP that is confusing:

        [my ip address] - main-account [04/07/2014:21:33:46 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN cpaneld: brute force attempt (user main-account) has locked out IP [my ip address]

    How am I locked out? I am whitelisted in cPHulk, and even if it were a glitch with that, I'm very aware it is set for max 5 failed logins; I don't recall failing more than once or twice, via CP, WHM, or SSH logins. If there are any more queries or you'd like a zip of any logs, I'd be glad to provide them. Thanks again, first sign of progress here!
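The two log formats quoted in the post above (pure-ftpd lines in /var/log/messages and cpaneld lines in login_log) can be triaged mechanically to separate the background brute-force noise from events that involve the admin's own address. The script below is an added example, not code from the thread or from cPanel; the regexes are my reading of the quoted line formats, the sample log lines are constructed (the 198.51.100.x and 203.0.113.x addresses are documentation ranges standing in for the redacted IPs, and `mainacct` stands in for the redacted account name), and the "is now logged in" line is an assumed pure-ftpd success message. The check a defender wants here is the last field of the report: if a trusted (supposedly whitelisted) IP appears in a cPHulk "has locked out IP" entry, the lockout rather than a changed password explains the failed logins, and the whitelist itself needs attention.

```python
import re
from collections import Counter

# Patterns for the two formats quoted in the thread (assumed from the posted lines):
#   /var/log/messages:  ... pure-ftpd: (?@<ip>) [WARNING] Authentication failed for user <user>
#   login_log:          <ip> - <user> [<ts>] "<request>" <STATUS> cpaneld: <detail>
FTP_FAIL_RE = re.compile(
    r"pure-ftpd: \([^@)]*@(?P<ip>[^)]+)\) \[WARNING\] "
    r"Authentication failed for user (?P<user>\S+)"
)
CPANEL_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r"(?P<status>DEFERRED LOGIN|FAILED LOGIN|LOGIN)"
    r"(?: cpaneld: (?P<detail>.*))?$"
)
LOCKOUT_RE = re.compile(r"has locked out IP (?P<ip>\S+)")

# Constructed sample input mirroring the redacted lines in the post.
SAMPLE_MESSAGES = """\
Apr  1 03:43:40 host pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Apr  1 03:43:46 host pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [ghost@example.com]
Apr  1 03:43:52 host pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user admin
Apr  7 02:16:03 host pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Apr  7 14:31:45 host pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user mainacct
Apr  7 14:32:23 host pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user mainacct
Apr  7 14:33:10 host pure-ftpd: (mainacct@203.0.113.5) [INFO] mainacct is now logged in
""".splitlines()

SAMPLE_LOGIN_LOG = """\
198.51.100.7 - mainacct [04/09/2014:00:11:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN cpaneld: brute force attempt (user mainacct) has locked out IP 198.51.100.7
198.51.100.9 - mainacct [03/05/2014:21:04:03 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password
203.0.113.5 - mainacct [04/07/2014:21:33:46 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN cpaneld: brute force attempt (user mainacct) has locked out IP 203.0.113.5
""".splitlines()


def ftp_failures(lines):
    """Count pure-ftpd authentication failures per source IP and per target user."""
    by_ip, by_user = Counter(), Counter()
    for line in lines:
        m = FTP_FAIL_RE.search(line)
        if m:
            by_ip[m["ip"]] += 1
            by_user[m["user"].strip("[]")] += 1  # the post shows user names in brackets
    return by_ip, by_user


def cpanel_events(lines):
    """Parse login_log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = CPANEL_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        lock = LOCKOUT_RE.search(ev.get("detail") or "")
        ev["locked_out_ip"] = lock["ip"] if lock else None
        events.append(ev)
    return events


def triage(ftp_lines, cpanel_lines, trusted_ips):
    """Split the brute-force background from anything touching the trusted (admin) IPs."""
    by_ip, by_user = ftp_failures(ftp_lines)
    events = cpanel_events(cpanel_lines)
    trusted = set(trusted_ips)
    lockouts = Counter(e["locked_out_ip"] for e in events if e["locked_out_ip"])
    return {
        "ftp_failures_untrusted": sum(n for ip, n in by_ip.items() if ip not in trusted),
        "ftp_failures_trusted": {ip: n for ip, n in by_ip.items() if ip in trusted},
        "targeted_users": by_user.most_common(3),
        "lockouts": dict(lockouts),
        # Non-empty here means the whitelist is not taking effect: cPHulk, not a changed
        # password, is what is rejecting the admin's logins.
        "trusted_locked_out": sorted(ip for ip in lockouts if ip in trusted),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGES, SAMPLE_LOGIN_LOG, ["203.0.113.5"]).items():
        print(f"{key}: {value}")
```

On a real server the same functions would be fed `open("/var/log/messages")` and `open("/usr/local/cpanel/logs/login_log")` with the admin's actual address in `trusted_ips`; the pattern for the poster's case is exactly the one the sample reproduces: failures for the main account from the trusted IP alongside a cPHulk lockout of that same IP.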
  • SDSurfer
    Ack. Just re-checked the CPHulk settings. All entries removed, blacklist and whitelist, checked it just the other day.
  • cPanelMichael
    > SDSurfer (post 1619601): Ack. Just re-checked the cPHulk settings. All entries removed, blacklist and whitelist, checked it just the other day.

    Could you verify if the issue continues after re-adding your IP address to the whitelist? Thank you.
  • SDSurfer
    Well, I've been monitoring it daily, now I'll monitor the white/blacklist as well. It seems random, so far there are only the two instances I mentioned, the last being on the 7th, the first on (I believe) the 5th.
  • Alex Peralta
    This issue still happens. Actually, I have this problem after a malware infection (WordPress) and cleanup; the password changes "automatically".