How to find out which IP changed the root password

Daniel Berthiaume

• May 12, 2016 12:46

Hi, I'm currently trying find out which IP change the root password in a cPanel server. I'm trying to browse in the /usr/local/cpanel/logs/access_log file without success. Is there a quick method for finding which IP change the root password?

• 

  Daniel Berthiaume

  • May 12, 2016 18:08

  Update, I've found that in the file /var/log/secure I can see password changed my from ssh command, but I can't see the root password changed made from inside cPanel. (Which is what I need to find out...)

  0
• 

  SysSachin

  • May 12, 2016 18:09

  Hello, Please try to find logs in the /var/log/secure file. You can use the command
  grep passwd /var/log/secure
  Also, check in the cpanel access logs using bellow command. grep chrootpass /usr/local/cpanel/logs/access_log |grep POST

  0
• 

  Daniel Berthiaume

  • May 12, 2016 18:20

  Thank you, I was missing the keyword "chrootpass" to make my life easier!

  0
• 

  cPanelMichael

  • May 23, 2016 20:12

  Hello, I'm happy to see the previous response was helpful. Thank you for updating us with the outcome.

  0

Please sign in to leave a comment.