

cPanel sent me a mail that someone logged in as root, it was not me!




Posted by Slatko, 02-16-2011, 04:47 PM
I get an email from my cPanel server every time someone logs in as root in WHM and SSH. Today I got a mail that someone logged in as root, but I didn't log in today. So after the first shock I logged in to WHM and changed the root password, and afterwards I did a reboot. Then I logged in via SSH and changed the root password again. Then I looked in WHM at what he had done; the only thing I found was that Automatic Updates had been disabled. Then I went in with SSH and ran rkhunter, chkrootkit and ClamAV scans. All 3 found nothing. So my question is how he got into my WHM, because IDF checks all brute force and this login was from a standard internet IP from Germany. I know it was not a brute force; what I think is the following: a trojan on my PC or my WLAN. I use Ubuntu, so a trojan is not really an option, and I have checked my WLAN, nobody was in it this year. Damn, how did he get into my WHM??? Does anybody know how this was possible?

Posted by Hsunami, 02-16-2011, 04:52 PM
Is this server managed? If so, would there be any reason for your provider to log in to do anything? If it was not bruted, they must have known your PW somehow, either through a keylogger or trojan on your local machine. You don't remember giving out root access to anyone?

Posted by Slatko, 02-16-2011, 04:57 PM
Not managed, otherwise I would have asked the manager first. I use Ubuntu only to manage my servers. Hmmm, I gave a friend the root login a long time ago, and I know he is using Windows, but I know his IP is never a German one.

Posted by Hsunami, 02-16-2011, 05:04 PM
It could be possible that your friend's workstation got infected with a trojan.

Posted by Slatko, 02-16-2011, 05:08 PM
I am testing this now; I sent him the new root password. If someone logs in as root again in the next hours, I know it is him. It's very good that I get emails every time someone logs in. He was only in as root 1-2 times; if he had more time, damn. But I swear it was a nice shock hahaha

Posted by Hsunami, 02-16-2011, 05:13 PM
Wait, you're testing this by giving your friend the new root login? Why not ask your friend to scan his workstation?

Posted by Slatko, 02-16-2011, 05:21 PM
He has run a virus scan but it says nothing. For a few $ there are tools that make a trojan undetectable by virus scans. But I think, if it was a trojan on his side, how big is the chance that the IP that logged in is from my city? And I know I had set the cPanel updates to automatic, and this was disabled now.


