cpanel changes my users' passwords
Hello, I have a server with cloudlinux8 and cpanel with version 120 in a recurring or daily basis my users access password is changed, according to the logs indicates the following:
/usr/local/cpanel/logs/login_log
[2024-09-04 09:39:02 -0400] info [cpaneld] 104.129.44.111 - meditaci "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password
/usr/local/cpanel/logs/session_log
[2024-09-04 09:34:01 -0400] info [xml-api] 190.9.32.3 NEW meditaci:5Z9uH4sIIGvMAKNu:create_user_session address=190.9.32.3,app=Whostmgr::API::1::Session,creator=root,method=create_user_session
[2024-09-04 09:34:01 -0400] info [cpaneld] 104.129.44.111 PURGE meditaci:5Z9uH4sIIGvMAKNu:create_user_session loadsession loadsession
[2024-09-04 09:34:01 -0400] info [cpaneld] 104.129.44.111 NEW meditaci:h4osb9C60QDXjasq address=104.129.44.111,app=cpaneld,creator=root,method=handle_form_login,path=loadsession:meditaci:5Z9uH4sIIGvMAKNu:create_user_session,possessed=0
[2024-09-04 09:34:11 -0400] info [cpaneld] 104.129.44.111 PURGE meditaci:h4osb9C60QDXjasq logout
I have checked the cphulk logs as well as other logs that may be generating crashes but I do not see anything concrete, I also checked possible firewall crashes but nothing since it is only the login, the page or the cpanel login does not block it, it just does not allow to log in.
What can be happening?
-
it is possible that it is due to the cphulk configuration I leave here the reference that gave me the idea to configure my cphulk service in cpanel
WHM login attempt reports "Login is invalid" - cPanel0 -
Did you confirm that the issue was cPHulk?
0 -
i have same problem and cphulk its not the issue, users password change when assingn new one they can login their account's
regards
0 -
Alex Peralta - is this happening with multiple cPanel users on the machine, or just one account? If you change the password for the user, does that password that you have verified to work stop working later?
0 -
Hello cPRex this happening with all cpanel users when change to new password stops working pass feew days
0 -
It sounds like the accounts are compromised on some way. Do you see anything in /usr/local/cpanel/logs/access_log for 'passwd' from IP addresses you don't recognize?
0 -
Hello cPRex i see some ips out of my customers country i was talking with administrator server and told me in june server was atacket and infected by malware, malware was cleaned but accounts still change password, he delete al public_html folders and restore backups or customer upload again his sites.
regards
0 -
It sounds like there is either still malware on the server, or someone is intercepting the traffic to get the current passwords. Was this malware on the root of the system? If so, that can't be cleaned, and the data should be migrated to a new system.
0
Please sign in to leave a comment.
Comments
8 comments