Accepted password for root SSH on ist yesterday 12:58 EEST. Need yes/no: was this you?

Evidence (Graylog, ossec rule 11009 "WHM login success"):

  2026-05-02 09:56:32 +0300 cham — whostmgrd 5.2.230.242 NEW root:59nD6WmILyrRwV8U
  cpaneld 5.2.230.242 NEW jiva:NXPjjQE5... (cPanel customer "jiva")
  nicu@nemesis.ro Roundcube webmail traffic on cham (port 2096)
  May 1 12:58:18 ist sshd[1694829]: Accepted password for root from 5.2.230.242 — root SSH password auth, not key

The mix is unusual: customer webmail + customer cPanel + WHM root + root SSH password, all from one residential RO IP. If 5.2.230.242 is yours, this is admin activity. If not, the root credentials for both ist and cham are owned. Confirm or rotate root passwords on ist and cham now.
24h breakdown of SSH password failures:

  Failed password for root (root permitted, just wrong pw)
  Failed password for root (root permitted)
  Failed password for root + 2 for invalid user root (root permitted, mixed config)
  Failed password for invalid user root (PermitRootLogin no)

Combined with finding #1 (root password actually accepted on ist), this is a real exposure, not just a hardening nit. Recommendation: set PermitRootLogin prohibit-password (or no) on ist, jah, cham to match sur. Force key-only for root.
locksmith from 82.76.239.154 on ist in 7 minutes (20:00–20:07 EEST). Need yes/no: is locksmith your deploy automation?

All 22 successes in the 24h window have the same fingerprint (ED25519 SHA256:dzYBty9L+ROyyQTWPQy2DWHFn7bdaecU/xnuWzjbKS8) and the same source IP (RO RDS residential). The IP also tried GET /cpsess0345293844/json-api/loadavg against ist:2087 WHM and got 403 (no valid WHM session). The tight burst pattern is consistent with a deploy script or an admin running a sequence of cap-style commands; a key-only attacker would normally pivot to a shell, not loop. Low risk if it's yours — high risk if not.
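The three SSH findings above (root password accepted, the permitted/invalid-user breakdown, the locksmith key burst) all come from the same sshd log lines. The script below is an added example, not part of this report or of any tool on the hosts: it parses syslog-style sshd lines, counts per host how many root password failures were logged as "root" versus "invalid user root" (the report's rule of thumb: the latter indicates PermitRootLogin no), lists any accepted root password, and flags publickey logins by the same user/key/IP clustered within a few minutes. The log lines are constructed for the example (hosts and the two source IPs mirror the report; the key fingerprint is a placeholder).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not pulled from the real hosts). Note the syslog
# double space in "May  1"; the regex and the timestamp parser both accept it.
SAMPLE_AUTH_LOG = """\
May  1 12:58:18 ist sshd[1694829]: Accepted password for root from 5.2.230.242 port 50122 ssh2
May  1 13:01:02 ist sshd[1694901]: Failed password for root from 203.0.113.7 port 40212 ssh2
May  1 13:01:05 ist sshd[1694903]: Failed password for root from 203.0.113.7 port 40214 ssh2
May  1 14:20:41 cham sshd[22110]: Failed password for root from 198.51.100.9 port 33001 ssh2
May  1 14:20:44 cham sshd[22112]: Failed password for invalid user root from 198.51.100.9 port 33003 ssh2
May  1 15:02:10 sur sshd[8801]: Failed password for invalid user root from 198.51.100.9 port 33010 ssh2
May  1 20:00:03 ist sshd[1701001]: Accepted publickey for locksmith from 82.76.239.154 port 51000 ssh2: ED25519 SHA256:PLACEHOLDERfingerprint0000000000000000000000
May  1 20:03:30 ist sshd[1701044]: Accepted publickey for locksmith from 82.76.239.154 port 51004 ssh2: ED25519 SHA256:PLACEHOLDERfingerprint0000000000000000000000
May  1 20:07:12 ist sshd[1701090]: Accepted publickey for locksmith from 82.76.239.154 port 51009 ssh2: ED25519 SHA256:PLACEHOLDERfingerprint0000000000000000000000
"""

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def new_host_stats():
    return {
        "root_pw_accepted": [],       # (timestamp, source ip) -- the finding #1 case
        "root_pw_failed": 0,          # "Failed password for root": root login permitted
        "invalid_root_failed": 0,     # "Failed password for invalid user root": PermitRootLogin no
        "pubkey": defaultdict(list),  # (user, fingerprint, ip) -> [timestamps]
    }


def summarize_sshd(lines):
    """Bucket sshd auth events per host."""
    hosts = defaultdict(new_host_stats)
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        st = hosts[d["host"]]
        if d["method"] == "password" and d["user"] == "root":
            if d["result"] == "Accepted":
                st["root_pw_accepted"].append((d["ts"], d["ip"]))
            elif d["invalid"]:
                st["invalid_root_failed"] += 1
            else:
                st["root_pw_failed"] += 1
        elif d["method"] == "publickey" and d["result"] == "Accepted":
            st["pubkey"][(d["user"], d["fp"], d["ip"])].append(d["ts"])
    return hosts


def infer_permit_root_login(st):
    """Report's heuristic: 'invalid user root' means root logins are refused outright."""
    if st["root_pw_accepted"]:
        return "yes (root password accepted)"
    if st["root_pw_failed"] and st["invalid_root_failed"]:
        return "mixed"
    if st["root_pw_failed"]:
        return "yes"
    if st["invalid_root_failed"]:
        return "no"
    return "unknown"


def parse_ts(ts):
    # Syslog timestamps carry no year; the default (1900) is fine for intra-day spans.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def key_bursts(hosts, min_count=3, window_seconds=600):
    """Same user + same key + same IP logging in repeatedly inside a short window."""
    out = []
    for host, st in hosts.items():
        for (user, fp, ip), stamps in st["pubkey"].items():
            times = sorted(parse_ts(t) for t in stamps)
            span = int((times[-1] - times[0]).total_seconds())
            if len(times) >= min_count and span <= window_seconds:
                out.append((host, user, ip, fp, len(times), span))
    return out


if __name__ == "__main__":
    hosts = summarize_sshd(SAMPLE_AUTH_LOG.splitlines())
    for host, st in sorted(hosts.items()):
        print(host, "PermitRootLogin:", infer_permit_root_login(st), st["root_pw_accepted"])
    for burst in key_bursts(hosts):
        print("key burst:", burst)
```

Run it over the real auth.log (or the Graylog export) of each host; any non-empty root_pw_accepted list is the item that needs a yes/no from the admin, and a burst entry with an unfamiliar fingerprint is the one to chase.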
Top sources hammering /login/?login_only=1 and /cpsess*/json-api/version as root:
Heavy AWS prefixes (3.x / 13.x / 34.x / 54.x) — rented attack infrastructure. Recommendation: confirm cPHulkd is set to brute-force-protect, and consider geo/ASN blocking of the WHM ports (2086/2087) to RO + admin VPN only.
141.11.21.145 hit 3 of 4 cPanel hosts (ist, jah, sur) — 32 coordinated attempts.

Cross-host attackers in 24h:

  141.11.21.145 → 3 hosts, 32 attempts
  117.50.70.169 → 2 hosts, 24 attempts
  78.128.112.74 → 2 hosts, 5 attempts

Top single-host volumes: 122.187.219.78 259 attempts on jah; 51.77.158.34 55 on ist; 52.233.193.61 53 on cham. Routine noise individually, but the multi-host pattern means someone is iterating the cluster. Recommendation: drop these at the perimeter (cluster-wide fail2ban or upstream firewall).
Inbound exim rejections from 185.169.4.10 (random short HELO names like bWsOtNqKLv, fgpxGd) using these forged senders:

  subjectivistic@nemesis.ro (cham, jah, ist)
  vanzari@gabrosprod.ro, movieola@gecauto.ro, knickknackery@info-jobs.ro, movieola@frial.ro, knickknackery@frial.ro (jah)

All blocked locally — but downstream receivers worldwide getting these will damage the reputation of those customer domains. Recommendation: confirm SPF/DKIM/DMARC are tight on nemesis.ro, gabrosprod.ro, gecauto.ro, info-jobs.ro, frial.ro; offer to publish DMARC p=reject if any are still p=none.
Also seen, no action needed today:

  LSAPI saturation on cham (chronic, per playbook)
  Apache IM360 WAF: Track spam warnings (block noise)
  Imunify routine INFO logs (no actual MALWARE_DETECTED hits in 24h)
  Ceph cluster health not OK on Zabbix (single 01:37 event, no follow-up — flag if it recurs)
last/auth.log for what that session did.