Successful Login as "user" but why?




Posted by aniga17, 09-07-2015, 09:18 AM
Hi, I am getting login notifications from one of the cPanel accounts on my server, but why am I getting these notifications from this account? I am not getting notifications from other users. This is the screenshot:

Domain: domain.com
Service: cpaneld
Local IP Address: My Server IP
Local Port: 2082
Remote IP Address: XX.XX.XX.XX
Remote Port: 50358
Authentication Database: system
Username: user
Known Network †: Yes

I have tried to find out what the user of this account was doing, and I get this:

"User [09/07/2015:08:34:50 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password"

==Also==

Successful Login as "user" from Local Machine
Domain: domain.com
Service: securityadminbin
Remote IP Address: 127.0.0.1
Authentication Database: system
Username: user
Known Network †: Yes

† A "Known Network" is an IP address range or netblock that contains an IP address from which a user successfully logged in previously.

Can anyone tell me what this is?

Posted by Srv24x7, 09-07-2015, 10:25 AM
Hi,

-------------------------
User [09/07/2015:08:34:50 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password"
-------------------------

The above means that a login was attempted by this user and permission was denied. However, it is not clear which user it was; probably he is trying to crack it, not sure. The IP from which it was attempted should also be checked, and you will get a clear idea whether this is a legitimate user or someone is trying to hack it. Check the logs a bit for more information.

Posted by DivinePrad, 09-08-2015, 07:00 AM
This is a new feature present from cPanel 11.48+. Users can set alerts for successful cPanel logins, so that they will be notified immediately if their account is compromised. Please check if there is an option "Send notifications to your contact email address upon successful login". The contact email address of that domain would probably be your email address itself, and hence you are receiving the emails. If you check the headers/From address, you will get a better idea of where those mails are sent from.

Posted by aniga17, 09-09-2015, 06:41 AM
Successful Login as "user" from Local Machine
Domain: website.com
Service: imap
Local IP Address: 127.0.0.1
Remote IP Address: 127.0.0.1
Authentication Database: system
Username: user
Known Network †: Yes

Posted by Srv24x7, 09-09-2015, 09:38 AM
Hi, They seem to be normal notifications, nothing to be concerned about. Check the "Service:" line in those notifications and you will see what service this activity was for. cPanel and IMAP are normal, and they will be using these regularly.

Posted by ServerManagement, 09-09-2015, 11:00 AM
The best thing to do is check the raw logs and see what is going on. The logs will show you exactly what they accessed, whether they really logged in successfully or not, and also what they are doing. The 127.0.0.1 entries are logins from within the server, such as when you have a script logging into a service within the server.
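
The triage suggested in the replies above (read the "Service:" line, treat 127.0.0.1 as a login from inside the server, use the "Known Network" flag), as an added Python example that is not part of any post or of cPanel itself. The function names, category names and sample notifications are constructed for illustration.

```python
import ipaddress
import re

# Field labels exactly as they appear in the notifications quoted in this thread.
LABELS = ["Domain", "Service", "Local IP Address", "Local Port",
          "Remote IP Address", "Remote Port", "Authentication Database",
          "Username", "Known Network"]
# Label, optional dagger footnote mark, colon, then a value without whitespace.
# Works for one-field-per-line mails and for text flattened onto one line.
FIELD_RE = re.compile(
    r"(" + "|".join(map(re.escape, LABELS)) + r")\s*†?\s*:\s*(\S+)")

def parse_notification(text):
    """Return the notification fields as a dict."""
    return dict(FIELD_RE.findall(text))

def triage(text):
    """Classify one notification (category names are this example's own)."""
    fields = parse_notification(text)
    try:
        remote = ipaddress.ip_address(fields.get("Remote IP Address", ""))
    except ValueError:
        return "unparsed"      # missing or redacted address: read it by hand
    if remote.is_loopback:
        return "local"         # 127.0.0.1: a service or script on the server
    if fields.get("Known Network", "").lower() == "yes":
        return "remote-known"  # user logged in from this netblock before
    return "remote-new"        # first login from this network: check raw logs

# Constructed samples (documentation IP ranges), modelled on the posts above.
SAMPLES = [
    "Domain: domain.com Service: cpaneld Local IP Address: 198.51.100.10 "
    "Local Port: 2082 Remote IP Address: 203.0.113.7 Remote Port: 50358 "
    "Authentication Database: system Username: user Known Network †: Yes",
    "Domain: website.com\nService: imap\nLocal IP Address: 127.0.0.1\n"
    "Remote IP Address: 127.0.0.1\nAuthentication Database: system\n"
    "Username: user\nKnown Network †: Yes",
    "Domain: domain.com Service: cpaneld Remote IP Address: 203.0.113.7 "
    "Username: user Known Network †: No",
    "Service: cpaneld Remote IP Address: XX.XX.XX.XX Username: user",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        f = parse_notification(sample)
        print(triage(sample), f.get("Service"), f.get("Username"))
```
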

Posted by HWH-Bradley, 09-09-2015, 11:09 AM
If you have any good brute force detection mechanism like BFD or LFD, then there is nothing to worry about. It will block those failed logins.


