Hi,
Minutes ago, I received a false positive.
root@X [~]# cat /usr/local/cpanel/logs/access_log |grep XXX.XXX.XXX.XXX
XXX.XXX.XXX.XXX - - [10/04/2009:02:46:19 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - root [10/04/2009:02:46:28 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - - [10/04/2009:02:47:20 -0000] "GET /unprotected/cpanel/favicon.ico HTTP/1.0" 200 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - - [10/04/2009:02:47:20 -0000] "GET /unprotected/cpanel/style.css HTTP/1.0" 200 0 "Xttp://YYY.YYY.YYY.YYY:2086/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - - [10/04/2009:02:47:20 -0000] "GET /unprotected/cpanel/images/log_02b.jpg HTTP/1.0" 200 0 "Xttp://YYY.YYY.YYY.YYY:2086/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - - [10/04/2009:02:47:21 -0000] "GET /unprotected/cpanel/images/log_01_whm.jpg HTTP/1.0" 200 0 "Xttp://YYY.YYY.YYY.YYY:2086/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - - [10/04/2009:02:47:21 -0000] "GET /unprotected/cpanel/images/button-bg.jpg HTTP/1.0" 200 0 "Xttp://YYY.YYY.YYY.YYY:2086/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - - [10/04/2009:02:47:21 -0000] "GET /unprotected/cpanel/images/log_03.jpg HTTP/1.0" 200 0 "Xttp://YYY.YYY.YYY.YYY:2086/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - - [10/04/2009:02:50:48 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
XXX.XXX.XXX.XXX - root [10/04/2009:02:50:53 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ar; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) FirePHP/0.3"
Can you confirm it's a false positive?
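The check the post above is doing by hand (grep the cpsrvd access_log for the alerting IP and look at whether any request authenticated as root got anything other than a 401) can be scripted. The following is an added example, not code from the original post or from cPanel; it parses lines in the same format as the log excerpt above and, per source IP, counts failed root attempts (user field "root", status 401) against requests that were actually accepted as root (user field "root", 2xx/3xx status). The sample log is constructed for the example, using documentation-range IPs, and includes one IP that only fails and one that succeeds so the two cases can be told apart. Note that 200 responses under /unprotected/ with an empty user field are just the login page's static assets and are deliberately not counted as logins.

```python
import re
from collections import defaultdict

# Matches the cpsrvd access_log format shown in the post:
# IP - user [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not a real capture). 192.0.2.10 mirrors the
# pattern in the post: two 401s naming root, plus static assets served
# without authentication. 198.51.100.7 shows what a real root login looks
# like: requests authenticated as root that returned 200.
SAMPLE_LOG = """\
192.0.2.10 - - [10/04/2009:02:46:19 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/5.0"
192.0.2.10 - root [10/04/2009:02:46:28 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/5.0"
192.0.2.10 - - [10/04/2009:02:47:20 -0000] "GET /unprotected/cpanel/style.css HTTP/1.0" 200 0 "" "Mozilla/5.0"
192.0.2.10 - root [10/04/2009:02:50:53 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/5.0"
198.51.100.7 - root [10/04/2009:03:01:02 -0000] "GET / HTTP/1.0" 200 1842 "" "Mozilla/5.0"
198.51.100.7 - root [10/04/2009:03:01:05 -0000] "GET /scripts/command HTTP/1.0" 200 512 "" "Mozilla/5.0"
this is not a log line
"""


def parse_line(line):
    """Return a dict of fields for one access_log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines, user="root"):
    """Per source IP, count failed and accepted requests for `user`.

    failed:  the user field names `user` and the server answered 401
             (cpsrvd logs the attempted username even on failure).
    success: the user field names `user` and the server answered 2xx/3xx,
             i.e. the credentials were accepted.
    unauth:  401s with an empty user field (the initial challenge).
    """
    per_ip = defaultdict(lambda: {"failed": 0, "success": 0, "unauth": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than miscount them
        counts = per_ip[rec["ip"]]
        if rec["user"] == user:
            if rec["status"] == 401:
                counts["failed"] += 1
            elif 200 <= rec["status"] < 400:
                counts["success"] += 1
        elif rec["status"] == 401:
            counts["unauth"] += 1
    return dict(per_ip)


def likely_false_positive(summary, ip):
    """True if `ip` only ever failed as root and never got an accepted root request."""
    counts = summary.get(ip)
    return counts is not None and counts["success"] == 0 and counts["failed"] > 0


def report(summary):
    """Human-readable verdict per IP, as a list of strings."""
    lines = []
    for ip, c in sorted(summary.items()):
        verdict = "no accepted root login" if c["success"] == 0 else "ROOT LOGIN ACCEPTED"
        lines.append(f"{ip}: failed={c['failed']} success={c['success']} unauth={c['unauth']} -> {verdict}")
    return lines


if __name__ == "__main__":
    # To run against a real server, replace SAMPLE_LOG with the contents of
    # /usr/local/cpanel/logs/access_log (path from the post above).
    for line in report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

A 401 with the attempted username in the user field is exactly what the post's log shows, and on its own it is a failed attempt, not a login; what would change the verdict is a request authenticated as root that returned 200, which the second IP in the sample demonstrates.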
false whm root login alert
Hello!
This morning I've also received a false positive "WHM root login alert".
I had never received a false positive before, and since I did not know whether access had been achieved, I panicked a bit and decided to immediately change the root password and reboot the server.
Then, more calmly, I reviewed the logs and performed some tests...
In my case I did a test by directly entering the URL of phpMyAdmin in cPanel (httpxxx://wwwxxx.TestDomian.com:2082/frontend/x3/sql/PhpMyAdmin.html), and when it asked for a username and password, I entered "root" without a password. Obviously the system would not let me log in, but I got an immediate "WHM root login alert" email.
PS: The "xxx" in the URL are for the anti-spam filter on the forum.