  1. #1
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    How to track down hacker IP

    Hi,
    One of my VPS servers was hacked.
    This person was able to:
    access my main cPanel account
    change my contact email to a Yahoo email
    change my server contact email to same Yahoo email
    create a new account owned by root user with another Yahoo email address

    I'm running WHM 10.8.0 cPanel 10.9.0-S80
    Fedora i686 - WHM X v3.1.0

    Have since changed my root password and the email addresses back, and deleted the new account.

    Asked my VPS provider if they could have a look around, and also track down the IP so we can block it.

    Amazingly, they said they cannot find the IP this person used.

    I am no expert in such matters, but find this a little difficult to swallow.
    Can anyone here help or know how?

    Lastly, any cPanel exploit known that lets this happen?
    Only thing I can think of is my password was 10 characters, and seem to remember cPanel had a problem with anything over 8?

    Appreciate any help.

    - Vince

  2. #2
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Username 8, passwords can be much longer. Have you dug thru the log files or were they removed?

  3. #3
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    I am not capable of digging and identifying which IP created the hacker account, that's why I asked my VPS provider.

    Thanks for reply,

    - Vince

  4. #4
    Member
    Join Date
    Mar 2006
    Posts
    1,215

    I would suggest asking them to reload a fresh template for you and get the vps
    secured.

    Provided someone obviously had access to the entire vps, you still may be
    compromised and a firewall against proxy or easily changeable addresses
    will stop no one.

    It's not surprising that address traces may not be found as they do have
    access to all your logs and the ability to edit at will.

    If your provider will not or refuses to reload your template to a fresh
    install, then seek another provider.

  5. #5
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    jayh38,
    Thanks for your reply.
    Just to help me understand what you are suggesting, will the loading of a 'fresh template' affect existing data/accounts, so a full VPS backup should be done beforehand?

    If you don't mind explaining, what exactly does this do?

    I was once told that a full backup was needed, and VPS rebuilt, then restore all the accounts. But surely, if the hacker has compromised and left scripts within any of the accounts, they would get in again and all was to no avail.

    Am I missing something?

    Many thanks,

    - Vince

    P.S. I forgot to mention that during the compromise the VPS was still using version 2.4.x kernel, but coincidentally I was migrated to a VPS with 2.6.9-023stab033.9-enterprise just a few hours after. I believe this is a more secure kernel, and maybe due to migration I already have a 'fresh template' now anyway?
    Last edited by mambovince; 12-21-2006 at 12:59 PM. Reason: Added more info
