Verizon FIOS software reloads causing large numbers of Cpanel hits

2 replies [Last post]
amenex
Offline
Joined: 01/03/2015

For months two of my seldom-visited domains have been receiving a great many apparent Cpanel login attempts.

Yesterday I correlated the number of login attempts to repeated crashes of the software that Verizon FIOS uses to operate their set-top TV boxes by comparing the accesses to the Cpanel IP address of one domain to the number of Cpanel accesses recorded in the visitor logs of the two affected domains. The sum of such accesses was fifty - twice the number of times the wireless router recorded accesses to one domain's IP address. A second domain has an entirely different IP address for its Cpanel server. The default gateway IP address of the router starts with the same number as the IP address of the one domain that got the most hits on Cpanel.

My hypothesis is that when Verizon reloads the operating system of its set-top boxes it is hitting on Cpanel for every domain on my LAN, not just the set-top boxes, but also (for a reason unknown to me) on domains under my control which also use Cpanel. Verizon's access protocols don't work on the two affected domains, so there's no harm, but there is a defect in the Verizon hardware that causes my set-top boxes to crash frequently (they really do, to the point of severe annoyance) so my two domains' visitor logs are getting filled up with Cpanel access records.

A third domain is getting completely ignored during this process - it only records Cpanel accesses when I access Cpanel myself.

My browser records all of my own Cpanel access requests in its History file, but records none of the Cpanel accesses that are apparently coming in independently of the browser. Of course, my browser's IP address is what gets recorded in the domains' visitor access logs, so it looks as though I have some malware on my computer.

As I've said, Verizon frequently reinstalls its software to the set-top boxes; but the router traffic logs show that Verizon also is accessing the computers on my LAN, as shown in this brief snippet of the router log:

[Quote]
May 18 23:41...LAN Connection IP:192.168.1.101, DNS:192.168.1.1, GTW:192.168.1.1,Subnet:255.255.255.0 (Ethernet)
May 18 22:54...SysLog DHCP WAN ... IP:71.MYIPAddress,DNS:71.DomAddress01 71.DomAddress02 ,GTW:71.Address.1,etc.
May 18 22:36...SysLog DHCP LAN ... IP:192.168.1.100, DNS:192.168.1.1, GTW:192.168.1.1,etc. (Ethernet)
May 18 20:54...SysLog DHCP WAN ... IP:71.MYIPAddress,DNS:71.DomAddress01 71.DomAddress02,GTW:71.Address.01,etc.
[repeated 2 times, last time on May 18 21:54...]
May 18 20:43...SysLog DHCP LAN ... IP:192.168.1.3, DNS:192.168.1.1, GTW:192.168.1.1,etc. (Wireless)
May 18 19:54...SysLog DHCP WAN ... IP:71.MYIPAddress,DNS:71.DomAddress01 71.DomAddress02 ,GTW:71.Address.01,etc.
May 18 19:48...SysLog DHCP LAN ... IP:192.168.1.3, DNS:192.168.1.1, GTW:192.168.1.1,etc. (Wireless)
May 18 18:54...SysLog DHCP WAN ... IP:71.MYIPAddress,DNS:71.DOMAddress01 71.DOMAddress02 ,GTW:71.Address.1,etc.
May 18 18:00...SysLog DHCP LAN ... IP:192.168.1.5, DNS:192.168.1.1, GTW:192.168.1.1,etc. (Wireless)
[repeated 2 times, last time on May 18 18:36...]
[/Quote]

Most of the above accesses occurred late at night after both of our computers were turned off, and so they were not all seen by my DOMAddress02's Visitor Access log from the same day:

[Quote]
71.MYIPAddress - - [18/May/2017:17:07...] "GET /cpanel/ HTTP/1.1" 200 9050 "-", etc.
71.MYIPAddress - - [18/May/2017:17:07...] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://DOMAddress02/cpanel/" etc.
71.MYIPAddress - - [18/May/2017:17:07...] "GET /img-sys/headerbg.jpg HTTP/1.1" 200 9366 "http://DOMAddress02/cpanel/", etc.
71.MYIPAddress - - [18/May/2017:17:07...] "GET /img-sys/contentbox.jpg HTTP/1.1" 200 8846 "http://DOMAddress02/cpanel/", etc.
71.MYIPAddress - - [18/May/2017:17:07...] "GET /favicon.ico HTTP/1.1" 404 236 "-" etc.

71.MYIPAddress - - [18/May/2017:17:14...] "GET /cpanel/ HTTP/1.1" 200 9050 "-", etc.
71.MYIPAddress - - [18/May/2017:17:14...] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://DOMAddress02/cpanel/", etc.
71.MYIPAddress - - [18/May/2017:17:14...] "GET /img-sys/headerbg.jpg HTTP/1.1" 200 9366 "http://DOMAddress02/cpanel/" etc.
71.MYIPAddress - - [18/May/2017:17:14...] "GET /img-sys/contentbox.jpg HTTP/1.1" 200 8846 "http://DOMAddress02/cpanel/" etc.

71.MYIPAddress - - [18/May/2017:20:52...] "GET /cpanel/ HTTP/1.1" 200 9050 "-", etc.
71.MYIPAddress - - [18/May/2017:20:52...] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://DOMAddress02/cpanel/",etc.
71.MYIPAddress - - [18/May/2017:20:52...] "GET /img-sys/headerbg.jpg HTTP/1.1" 200 9366 "http://DOMAddress02/cpanel/",etc.
71.MYIPAddress - - [18/May/2017:20:52...] "GET /img-sys/contentbox.jpg HTTP/1.1" 200 8846 "http://DOMAddress02/cpanel/",etc.
[/Quote]

The file /favicon.ico is not present in "http://DOMAddress02/cpanel/" so its request must be coming from Verizon ... and it's not in our computers, either.

I might guess that the similarity of 71.DOMAddress02 to GTW:71.Address.1 might explain how DOMAddress02 got its Cpanel hits, but DOMAddress01 is entirely different, and DOMAddress03 gets none of these hits, perhaps because it's on a business server with protections against brute force attacks on Cpanel?

amenex
Offline
Joined: 01/03/2015

It turns out that what I identified above as 71.DomAddress01 and 71.DomAddress02 are the DNS servers designated by the router; my hypothesis that the Cpanel hits are the consequence of broadcasting the software updates and Cpanel login attempts to everything on the LAN still stands.

amenex
Offline
Joined: 01/03/2015

Turns out that the explanation of this sinister observation is actually rather benign: ABrowser preloads URLs that I visit regularly, and so my two smaller domains dutifully record the accesses to Cpanel and several associated .gif images, but my much larger third domain, hosted on a business server, discards those extra access requests, which aren't even login attempts.

On the other hand, my other browser, IceCat, doesn't preload any historically visited pages, so the Recent Visitors logs in my two smaller domains don't record any Cpanel visits when I haven't made any.

There have been no Cpanel visits from other than my own IP address; almost all malevolent visits have been reflected in attempts to open nonexistent WordPress files.
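The distinction the thread ends on, between page fetches from one's own address (consistent with browser preloading) and real credential submissions or probes for WordPress files that do not exist on the server, is the kind of check a log triage script can make mechanically. The following is an added example, not code from the thread or from cPanel: it parses Apache-style combined log lines of the shape quoted above, labels each request, and tallies the labels per client address. The log lines, the `OWN_IP` value (standing in for the poster's "71.MYIPAddress"), and the `/cpanel/login/` path are constructed for the example.

```python
"""Triage of web-server access-log lines (added example, not from the thread).

Assumes Apache 'combined' log format. All sample lines and addresses below are
constructed; 203.0.113.7 stands in for the poster's own IP ("71.MYIPAddress").
"""
import re
from collections import defaultdict

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that a WordPress install would serve; on a site without WordPress a
# 404 for one of these is a probe, which matches the thread's last observation.
WP_PROBE = re.compile(r'^/(wp-login\.php|wp-admin|xmlrpc\.php|wp-content/|wp-includes/)')

OWN_IP = "203.0.113.7"  # constructed stand-in for the poster's own address

# Constructed sample log mirroring the shape of the quoted snippet.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2017:17:07:01 -0400] "GET /cpanel/ HTTP/1.1" 200 9050 "-" "Mozilla/5.0 (X11; Linux x86_64) ABrowser"
203.0.113.7 - - [18/May/2017:17:07:01 -0400] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://example.org/cpanel/" "Mozilla/5.0 (X11; Linux x86_64) ABrowser"
203.0.113.7 - - [18/May/2017:17:07:01 -0400] "GET /favicon.ico HTTP/1.1" 404 236 "-" "Mozilla/5.0 (X11; Linux x86_64) ABrowser"
198.51.100.23 - - [18/May/2017:19:12:44 -0400] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.13"
198.51.100.23 - - [18/May/2017:19:12:45 -0400] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "python-requests/2.13"
192.0.2.88 - - [18/May/2017:21:30:02 -0400] "POST /cpanel/login/ HTTP/1.1" 401 0 "-" "curl/7.52"
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec, own_ip=OWN_IP):
    """Label one parsed request from a defender's point of view."""
    path, method, status, ip = rec["path"], rec["method"], rec["status"], rec["ip"]
    if WP_PROBE.match(path) and status == 404:
        return "wp-probe"  # asking for WordPress files the server does not have
    if path.startswith("/cpanel"):
        if method == "POST":
            return "cpanel-login-attempt"  # credentials submitted, not a page render
        if ip == own_ip:
            return "own-cpanel-fetch"  # GET of the page from our own address
        return "foreign-cpanel-fetch"
    if rec["referer"].endswith("/cpanel/") and ip == own_ip:
        return "own-cpanel-fetch"  # images loaded by that page render (the .jpg/.gif assets)
    return "other"


def triage(log_text, own_ip=OWN_IP):
    """Count requests per label and per client IP; returns {label: {ip: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or non-matching lines
        counts[classify(rec, own_ip)][rec["ip"]] += 1
    return {label: dict(ips) for label, ips in counts.items()}


if __name__ == "__main__":
    for label, ips in sorted(triage(SAMPLE_LOG).items()):
        print(f"{label:22s} {ips}")
```

Running it on a real log means changing `OWN_IP` to the address the ISP has assigned and feeding the file contents to `triage`; anything under `cpanel-login-attempt` or `foreign-cpanel-fetch` is what deserves attention, while `own-cpanel-fetch` entries with no POST behind them are exactly the preload pattern the thread describes.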