info [cpaneld] Internal Server Error: POST..
Hello, I am getting a lot of these messages "info [cpaneld] Internal Server Error: "POST /login/?login_only=1 HTTP/1.1" 500" in "/usr/local/cpanel/logs/error_log". I have searched high and low but I cannot understand where, or what these are? Any help appreciated to investigate issue further.
-
Does it list an inbound IP address as all? If it does and it isn't one you recognise (even after doing a reverse DNS lookup), I would be inclined to block it/them as it's someone (probably an automated process) trying to login to your system (although given the error, I would guess they aren't formatting the request correctly).
0 -
Hi, No IP address listed, the full log line in "/usr/local/cpanel/logs/error_log" is [2024-02-28 12:45:48 +0000] info [cpaneld] Internal Server Error: "POST /login/?login_only=1 HTTP/1.1" 500 Error ID 35b9bc3259fb0.
Is there a way to get more info from other server logs maybe?
or using the given Error ID?
thanks.0 -
Does this correlate to any timestamps for a particular user on the server in the domlogs on the system?
0 -
No, I cannot find anything in domlogs at, or around, that exact same time that shows a HTTP 500 message! :(
0 -
What about inside /usr/local/cpanel/logs/access_log? I would expect *something* to show up there if someone is trying to login to a service that cPanel controls.
0 -
Ok, so I found one entry in the access_log:
"216.131.116.28 - flowers%40mylongdomain.uk [02/28/2024:12:45:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 500 0 "https://mylongdomain.uk:2083/login/?login_only=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-" "-" 2083"
This occurred three seconds prior to the error log time of 12:45:48, so I'm not sure if this is what caused it maybe? or what action I need to take? thanks0 -
three seconds is pretty close. You could always block the IP address out of an abundance of caution and then see if anyone complains about being able to access things.
0 -
Having grep'd the full log, I can see at least 30 IP's that have all used that string format and caused the error: "info [cpaneld] Internal Server Error: "POST /login/?login_only=1 HTTP/1.1" 500". What I would like to know, is if this error is due to a problem with my cPanel installation or server setup? Blocking these offending IP's each day manually will be too time consuming.
0 -
Better question - are you getting notified about these from somewhere else? It honestly just sounds like bot activity to me if there's that many IPs doing this and not just a one-off incident.
0 -
No, I am not getting notified about these errors; this is a direct result of my searching "/usr/local/cpanel/logs/error_log" in an effort to resolve another issue I have, see "https://support.cpanel.net/hc/en-us/community/posts/21517616202903-cP-update-and-cP-backup-freezes-server"
Yes, I agree it's definitely bots.0 -
You'll just want to ensure that WHM >> cPHulk Brute Force Detection is turned on so it blocks users with too many failed logins.
0
Please sign in to leave a comment.
Comments
11 comments