Skip to main content

info [cpaneld] Internal Server Error: POST..

Comments

11 comments

  • rbairwell

    Does it list an inbound IP address as all? If it does and it isn't one you recognise (even after doing a reverse DNS lookup), I would be inclined to block it/them as it's someone (probably an automated process) trying to login to your system (although given the error, I would guess they aren't formatting the request correctly).

    0
  • perplex

    Hi, No IP address listed, the full log line in "/usr/local/cpanel/logs/error_log" is [2024-02-28 12:45:48 +0000] info [cpaneld] Internal Server Error: "POST /login/?login_only=1 HTTP/1.1" 500 Error ID 35b9bc3259fb0.

    Is there a way to get more info from other server logs maybe?
    or using the given Error ID?
    thanks.

    0
  • cPRex Jurassic Moderator

    Does this correlate to any timestamps for a particular user on the server in the domlogs on the system?

    0
  • perplex

    No, I cannot find anything in domlogs at, or around, that exact same time that shows a HTTP 500 message! :(

    0
  • cPRex Jurassic Moderator

    What about inside /usr/local/cpanel/logs/access_log?  I would expect *something* to show up there if someone is trying to login to a service that cPanel controls.

    0
  • perplex

    Ok, so I found one entry in the access_log:

    "216.131.116.28 - flowers%40mylongdomain.uk [02/28/2024:12:45:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 500 0 "https://mylongdomain.uk:2083/login/?login_only=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-" "-" 2083"

    This occurred three seconds prior to the error log time of 12:45:48, so I'm not sure if this is what caused it maybe? or what action I need to take? thanks

    0
  • cPRex Jurassic Moderator

    three seconds is pretty close.  You could always block the IP address out of an abundance of caution and then see if anyone complains about being able to access things.

    0
  • perplex

    Having grep'd the full log, I can see at least 30 IP's that have all used that string format and caused the error: "info [cpaneld] Internal Server Error: "POST /login/?login_only=1 HTTP/1.1" 500". What I would like to know, is if this error is due to a problem with my cPanel installation or server setup? Blocking these offending IP's each day manually will be too time consuming.

    0
  • cPRex Jurassic Moderator

    Better question - are you getting notified about these from somewhere else?  It honestly just sounds like bot activity to me if there's that many IPs doing this and not just a one-off incident.

    0
  • perplex

    No, I am not getting notified about these errors; this is a direct result of my searching "/usr/local/cpanel/logs/error_log" in an effort to resolve another issue I have, see "https://support.cpanel.net/hc/en-us/community/posts/21517616202903-cP-update-and-cP-backup-freezes-server"

    Yes, I agree it's definitely bots.

    0
  • cPRex Jurassic Moderator

    You'll just want to ensure that WHM >> cPHulk Brute Force Detection is turned on so it blocks users with too many failed logins.

    0

Please sign in to leave a comment.