Large Number of Failed Login from server ITSELF

Portal Home > Knowledgebase > Articles Database > Large Number of Failed Login from server ITSELF

Posted by astraeuz, 06-19-2011, 02:22 PM
Hi, I've enable cPHulk Brute Force Protection on the server so it notifies me of the suspicious activity. BUT, what made me worry is that the email I received mentions that the failed login attempt was made from the server itself and no mention of the IP address... ------------------------------------------------------------ Subject: Large Number of Failed Login Attempts from IP christopher Msg Body: 2 failed login attempts to account christopher (system) -- Large number of attempts from this IP: christopher (no IP) Reverse DNS: www.serveraddr.com ------------------------------------------------------------ can someone comment on what could be the issue?
Posted by wartungsfenster, 06-19-2011, 02:56 PM
Does it say that "2" is a large number of bad logins?
Posted by RadicalBro-Dylan, 06-19-2011, 02:56 PM
Hi, That happened to me once, I never found out what the problem was. Maybe a website pinging it? - Im not too sure Dylan, RadicalBro
Posted by cpanellover, 06-19-2011, 03:30 PM
that is WHM bruteforce(cpHulkd) protection but your thresshold seems a bit tight use something like logcheck that will give you more information you can configure that in whm security...
Posted by linuxtechz, 06-20-2011, 05:17 AM
Hey , Check your cpanel and message log files at /usr/local/cpanel/logs/login_log and /var/log/messages to see failed login attempts . Its possible to have a php shell uploaded and then trying to do dictionary attack to the server for which it might say the host as localhost in this case as you have mentioned.

Add to Favourites Print this Article