Simple script to send you all new logins of the day. Seeing something strange would trigger further research.
#!/usr/bin/perl
chdir('/root');
$d = `date +%m/%d/%Y`;
chomp($d);
@logins = `cat /usr/local/cpanel/logs/access_log|grep $d|awk '{print $1 " " $3}'|sort|uniq`;
$x = "";
foreach(@logins) {
chomp;
/(.*?) (.*)/;
next if $2 eq "-";
$z = `whois $1|grep addres|tail -n 1`;
chomp($z);
$x.="$z $1 $2n";
}
if (not -f "./latestscan") {
`touch ./latestscan`;
}
$y = `cat ./latestscan`;
exit if $y eq $x;
open(F, ">latestscan");
print F $x;
close F;
$sendmail = "/usr/sbin/sendmail -t";
open(SENDMAIL, "|$sendmail") or die "Cannot open $sendmail: $!";
print SENDMAIL "Reply-to: root@myserver.orgn";
print SENDMAIL "Subject: Login report hostf1n";
print SENDMAIL "To: alerts@yourserver.comn";
print SENDMAIL "Content-type: text/plainnn";
print SENDMAIL $x;
close(SENDMAIL);