Hello all,
I have a server with WHM/Cpanel (bought directly from Cpanel, so nobody in the datacenter I can ask about this) and sunday something strange happened. Someone logged in a website's cpanel, deleted all email accounts and created one for himself, that he used to spam via Horde.

I checked /usr/local/cpanel/logs/ for some details and I noticed that the IP listed there is 127.0.0.1 instead of his real IP. The user's password was not easy to guess (a random combination of letters/numbers 8 characters wide) so either he obtained it someway or was able to hack it in some other way. Anyone else had something similar happening?

Thanks

Stefano