root access alert.
Hi,
I just got an e-mail from lfd saying:
(subject) lfd on franklin.mydomain.com: WHM/cPanel root access alert from 184.168.224.94 (US/United States/p3plvertigo01.prod.phx3.secureserver.net)
(body)
Time: Fri Feb 19 10:32:06 2016 -0500
IP: 184.168.224.94 (US/United States/p3plvertigo01.prod.phx3.secureserver.net)
User: root
I look in /usr/local/cpanel/logs/login_log and see this:
[2016-02-18 19:02:53 -0500] info [cpsrvd] 184.168.224.94 - root "GET /json-api/listaccts HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
[2016-02-19 20:12:44 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:45 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:46 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:46 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:46 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:47 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
[2016-02-19 20:12:47 -0500] info [cpsrvd] 173.193.227.78 - jetbbs "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user jetbbs (loadcpdata failed)
I don't see any information from that IP at 10:32AM though. Does that mean someone got in my system? I also don't really understand why CSF didn't block 173.193.227.78 sooner from trying to get in. I do see 173.193.227.78 in the csf.deny log. I guess that's more of a question for the CSF people. I also got an e-mail message saying my hostname changed. But in WHM, I went to change it back and it said it was the same as it was... Looking in the access_log file, I see:
184.168.224.94 - root [01/19/2016:03:53:54 -0000] "GET /json-api/sethostname?hostname=jetbbs.secureserver.net HTTP/1.1" 200 0 "" "Python-urllib/2.6" "accesshash"
...
184.168.224.94 - root [01/21/2016:23:34:00 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"
184.168.224.94 - root [01/21/2016:23:35:41 -0000] "GET /json-api/sethostname?hostname=franklin.mydomain.com HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"
...
184.168.224.94 - root [01/24/2016:06:27:30 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"
...
184.168.224.94 - root [01/27/2016:02:33:51 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-" 2087
184.168.224.94 - root [01/27/2016:02:33:58 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-" 2087
184.168.224.94 - root [01/27/2016:02:34:06 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-" 2087
184.168.224.94 - root [01/27/2016:02:34:09 -0000] "GET /login/?user=root&pass=__HIDDEN__ HTTP/1.1" 401 0 "" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-" "-" 2087
etc.
Could that IP address be GoDaddy and for some reason, they're logging into my server without telling me to do stuff? Or could it be cPanel? This kind of worries me. If it is GoDaddy, I'd like to think that they could at least let me know that they log in and do stuff. Getting a little worried here.
I see more recent stuff from other IP addresses, like this:
173.193.227.78 - - [02/20/2016:01:12:43 -0000] "GET / HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:47 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
173.193.227.78 - jetbbs [02/20/2016:01:12:47 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "" "-" "-" "-" 2083
These IPs aren't mine. Are these IPs from people trying to hack into my site?
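A defender-side way to triage logs like the ones quoted above, as an added example that is not part of the original thread: it parses the cpsrvd access_log and login_log formats shown here and flags successful root requests that come from a non-allowlisted IP, from an IP that earlier failed to log in, or that call a state-changing WHM API such as sethostname. The regexes, the allowlist parameter and the sample lines are assumptions built from the thread's own log lines, not a cPanel or CSF tool.

```python
import re

# Regexes for the two cPanel log formats quoted in the thread (constructed from those lines).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"')
LOGIN_FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] info \[cpsrvd\] (?P<ip>\S+) - (?P<user>\S+) .*FAILED LOGIN')

# WHM API calls that change server state; sethostname is the one seen in the thread.
STATE_CHANGING = frozenset({"/json-api/sethostname"})

def failed_login_ips(login_lines):
    """IPs that produced at least one FAILED LOGIN entry in login_log."""
    return {m.group("ip") for m in map(LOGIN_FAIL_RE.match, login_lines) if m}

def find_suspicious(access_lines, login_lines, allowlist=frozenset()):
    """Return (ip, timestamp, path, reasons) for every successful root request
    that is unexpected: not from an allowlisted IP, from an IP that previously
    failed to log in, or calling a state-changing API."""
    failed = failed_login_ips(login_lines)
    findings = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m["user"] != "root" or m["status"] != "200":
            continue  # only successful root requests are interesting here
        reasons = []
        if m["ip"] not in allowlist:
            reasons.append("root success from non-allowlisted ip")
        if m["ip"] in failed:
            reasons.append("ip had earlier failed logins")
        if m["path"].split("?", 1)[0] in STATE_CHANGING:
            reasons.append("state-changing api call")
        if reasons:
            findings.append((m["ip"], m["ts"], m["path"], reasons))
    return findings

# Sample input constructed from the lines quoted in the thread.
SAMPLE_LOGIN = [
    '[2016-02-18 19:02:53 -0500] info [cpsrvd] 184.168.224.94 - root "GET /json-api/listaccts HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect',
]
SAMPLE_ACCESS = [
    '184.168.224.94 - root [01/19/2016:03:53:54 -0000] "GET /json-api/sethostname?hostname=jetbbs.secureserver.net HTTP/1.1" 200 0 "" "Python-urllib/2.6" "accesshash"',
    '184.168.224.94 - root [01/21/2016:23:34:00 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Python-urllib/2.6" "a" "-"',
    '184.168.224.94 - root [01/27/2016:02:34:09 -0000] "GET /login/?user=root&pass=__HIDDEN__ HTTP/1.1" 401 0 "" "curl/7.19.7" "-" "-" 2087',
]

if __name__ == "__main__":
    for ip, ts, path, reasons in find_suspicious(SAMPLE_ACCESS, SAMPLE_LOGIN):
        print(f"{ts} {ip} {path}: {', '.join(reasons)}")
```

Feed it the real files (for example `open("/usr/local/cpanel/logs/access_log")`) and put the IPs you have confirmed with your provider into `allowlist`; the 401 curl line is ignored because it never succeeded.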
Hi, I can see that the IP is with GoDaddy ISP. You can check at ip-tracker.org. You can contact them for further information.
It looks like a script kiddie using a GoDaddy hosted server/VPS accessed your server. The fact that you had a bunch of failed login attempts, then a successful one, is quite worrisome. A reinstall of your server most likely is warranted, since it has been compromised. Then be sure to have mod_security installed with the latest rulesets.
Thank you SysSachin. I believe you're right. Someone seems to have added that IP address to my csf.allow file. If I block it, GoDaddy's server backup fails. How can I tell if the IP address belongs to actual GoDaddy vs a GoDaddy customer? I noticed if, in ip-tracker.org, I type my domain's IP address, I see the GoDaddy stuff... I get a lot of traffic from IP addresses that show GoDaddy in the ip-tracker.org site. Just hard to tell which ones are GoDaddy and which ones are people who rent servers from GoDaddy. I tried contacting them via abuse@godaddy.com but never got a reply. Perhaps if I contact them via on-line chat, I could get an answer as to what IPs I should always allow through the firewall. Thanks!
Someone seems to have added that IP address to my csf.allow file. If I block it, GoDaddy's server backup fails. How can I tell if the IP address belongs to actual GoDaddy vs a GoDaddy customer?
Hello :) You will need to contact their technical support department to have them verify if it's an IP address of one of their staff members. Thank you.
Gotcha. I will contact them now and see if they can give me a list of IPs that I should whitelist.