For the past few weeks we've been getting alerts that one of our cPanel users has been logging into the server via SSH under their cPanel account name. We have client SSH logins disabled across the board, and just to be safe, I confirmed with our test account that regular users can't log in. He doesn't show up in last, his .bash_history is empty (I realize that can be easily cleared), and I don't see any other signs of him actually logging in.
It appears to be a false alarm.
Has anyone else experienced this? Before I bug the CSF team, I wanted to check in here to see if this was a common or known problem.