Here's the 24h audit. Times are EEST (UTC+3) unless noted. Host IDs: ist=49, jah=144, sur=161, cham=162.
1. New IP 5.2.230.242 got root-equivalent access on TWO hosts within 24h. This is the only finding that actually needs a yes/no from you tonight.
   - (sur): SSH Failed password for invalid user root from 5.2.230.242 (sshd[2416781]). "Invalid user" = sur denies root SSH, so we never know if the password was right.
   - (ist): SSH Accepted password for root from 5.2.230.242 port 39614 (sshd[1694829]) — 18 seconds after the sur attempt. Same minute window, different host, succeeded.
   - (cham): cPanel login success for user jiva (rule 11006). 11 seconds later, 09:56:32 same host: WHM root login success (rule 11009). Both via web (whostmgrd / cpaneld), same source IP.
   - actors row id=851: first_seen 2026-05-01 05:58:02 — this IP has no history before yesterday and no notes/threat_score. By contrast, the long-standing admin connection from 82.76.239.154 (user locksmith) is publickey-only (23 logins to ist, all ED25519 SHA256:dzYBty9L+ROyyQTWPQy2DWHFn7bdaecU/xnuWzjbKS8). 5.2.230.242 is using passwords instead.
   - Rotate the jiva password immediately, then audit ~root/.bash_history, last, and /var/cpanel/sessions/raw/* on both hosts.

2. Cross-host SSH config drift: ist and jah permit root password SSH; sur does not. cham SSH posture unverified.
   - 141.11.21.145 hit all three on 2026-05-01: on sur it returned Failed password for invalid user root (id 616); on jah and ist it returned Failed password for root (ids 626, 623), no "invalid". The "invalid user" variant means sshd's PermitRootLogin no filter rejected the username before checking the password.
   - That is the gap 5.2.230.242 went through in #1: bounced off sur and walked into ist.
   - Set PermitRootLogin prohibit-password (or no) on ist and jah, and confirm cham. ist alone has 698 failed-password events in the last 24h, all aimed at a root login that should not be reachable by password.

3. Same IP family probed /webshell on three customer sites ~7h before the cPanel jiva login — coincidence flag, not proof.
   - (cham): [147.185.132.10:61680#APVH_jiva.ro]: File not found [/home/jiva/public_html/webshell].
   - (sur): [205.210.31.57:60036#APVH_airsoft6.ro]: File not found [/home/airsoft6/public_html/webshell].
   - (cham): [147.185.132.46:57536#APVH_immune.ro]: File not found [/home/immune/public_html/webshell].
   - The jiva cPanel account that 5.2.230.242 logged into 6h35m later was one of the three probed. Probably noise (jiva.ro is a real customer site, so it gets scanned routinely), but worth knowing for context on finding #1.

4. NWS's own service@nws.ro is being spoofed in spam runs. The mail server rejected them — it still tells us the domain is in spam circulation.
   - F=<service@nws.ro> rejected RCPT <safe@safedocumentary.com> from 209.99.191.9 between 2026-05-01 21:05:02 and 21:05:09 (host ist). All were rejected because the spammer didn't auth on port 587 — our config caught it.
   - Other spoof patterns seen: mihai@almaclima.ro self-spoofed from 95.59.223.118 (12×); cpanel@jah.nws.ro → root@jah.nws.ro (4×); three different @trucks-expedition.ro recipients hit by Booking@no-reply.com from safehouseconstructioncompany.com [188.127.224.145].
   - If safedocumentary.com complains about being targeted in your name, the evidence is in event ids 11759-11765. Consider adding nws.ro to a DMARC reporting feed if you don't already.

5. No new cPanel/WHM account creations, no Imunify malware detections, no SSH brute-force IP that succeeded other than 5.2.230.242.
   - Search for wwwacct / accountcreate / "account created" over 24h: 0 results.
   - Imunify: only aibolit_wrapper scan-scheduler activity and imunify-agent-proxy JWT secret rotations.
   - The single cross-host repeat offender worth recording (141.11.21.145, 32 attempts across ist/jah/sur) only attempted clz and root — never succeeded.

6. Two hosts report packages installed in the last 24h — Zabbix flag, no further detail in our pipeline.
   - (ist): Linux: Number of installed packages has been changed.
   - (jah): same.
   - Did you yum/dnf anything on ist or jah yesterday? If no, run rpm -qa --last | head -20 on both — five-minute check, settles it.

Bottom line for your time: finding #1 is the only thing where a wrong answer matters. If 5.2.230.242 is you, everything below it is hygiene (#2 fix the drift, #6 confirm the package change). If it isn't you, drop everything and start with rotating ist root + cham WHM root + jiva cPanel passwords.
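To make the two SSH signals in findings #1 and #2 repeatable, here is an added example (not the report's pipeline or any NWS tooling): it parses sshd auth lines, classifies each host's root-password posture from the "invalid user root" vs "Failed password for root" distinction, and flags password logins for root from IPs outside a known admin set. The sample lines are constructed from the report's events; everything not quoted in the report (the extra ports, the line layout, the admin-IP set) is an assumption, and the classifier records one caveat the prose skips: "Failed password for root" also appears under PermitRootLogin prohibit-password, so it proves only that the setting needs checking.

```python
import re
from collections import defaultdict

# Constructed sshd lines modelled on findings #1 and #2. Hosts, IPs, PIDs, port 39614
# and the locksmith fingerprint come from the report; other ports and layout are assumed.
SAMPLE_LOG = """\
sur sshd[2416781]: Failed password for invalid user root from 5.2.230.242 port 50112 ssh2
ist sshd[1694829]: Accepted password for root from 5.2.230.242 port 39614 ssh2
sur sshd[2416790]: Failed password for invalid user root from 141.11.21.145 port 41004 ssh2
jah sshd[99001]: Failed password for root from 141.11.21.145 port 41002 ssh2
ist sshd[1694830]: Failed password for root from 141.11.21.145 port 41000 ssh2
ist sshd[1694900]: Accepted publickey for locksmith from 82.76.239.154 port 5022 ssh2: ED25519 SHA256:dzYBty9L+ROyyQTWPQy2DWHFn7bdaecU/xnuWzjbKS8
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey)"
    r" for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
STATES = ["unknown", "rejected-before-auth", "attempted-check-config", "confirmed"]  # weakest to strongest

def parse(log):
    """One dict per sshd auth line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def root_password_posture(events):
    """Per host: 'invalid user root' = sshd dropped root before any password check
    (PermitRootLogin no or a Deny/AllowUsers filter); 'Failed password for root' = the
    attempt reached the password check, which happens under PermitRootLogin yes AND
    prohibit-password, so only 'Accepted password for root' confirms it is reachable."""
    posture = defaultdict(lambda: "unknown")
    for e in events:
        if e["user"] != "root" or e["method"] != "password":
            continue
        if e["invalid"]:
            state = "rejected-before-auth"
        elif e["result"] == "Accepted":
            state = "confirmed"
        else:
            state = "attempted-check-config"
        if STATES.index(state) > STATES.index(posture[e["host"]]):
            posture[e["host"]] = state  # keep the strongest statement per host
    return dict(posture)

def new_ip_root_logins(events, known_ips):
    """(host, ip) pairs where root logged in by password from outside the known admin set: the finding #1 pattern."""
    return sorted({(e["host"], e["ip"]) for e in events
                   if e["result"] == "Accepted" and e["method"] == "password"
                   and e["user"] == "root" and e["ip"] not in known_ips})
```

On a real host, confirm the effective setting with `sshd -T | grep -i permitrootlogin` rather than inferring it from the logs alone.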