Adding accounts without logging into WHM - hacked?


May 20, 2010

I have just noticed and deleted 2 accounts that have been created in my WHM install.

Someone has managed to add these accounts to point to known spam sites.

What I'd like to know, is how this could happen, especially if they have no access to WHM via logging in as root?

Also, how I can prevent this from happening in future?

I have changed the root password to the server for added security,


Well-Known Member
Mar 30, 2003
cPanel Access Level
Root Administrator
Did you by chance try to search the logs or do anything before deleting them? You could have checked what time the account was created (based on timestamps of the home dir files) and then cross check the logs to see what exactly happened.


Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator

The directory /usr/local/cpanel/logs contains several logs that can be very useful.

access_log logs all access to the WebHost Manager and cPanel. It is very verbose, with source and destination IP addresses, timestamps, and the exact URLs requested. It is in an Apache-style format.

error_log logs errors that occur in cPanel-related services.

login_log logs logins to the WHM, cPanel and Webmail.

There is no provision for viewing these logs via the WebHost Manager. They must be viewed using the shell as root, using cat or less or grep.


Jun 24, 2005
Someone has managed to add these accounts to point to known spam sites.
That statement alone tells me that you have been root compromised

First thing I would do is change all your passwords and perform full anti-virus and trojan scans on your home computer just for safety though none of that in and of itself may help too much at this point.

The compromise could have come in from a wide variety of sources from an exploit to stealing your own root password to brute force attack but the larger issue is that your server at this point has indeed been compromised and I would be willing to bet they did a lot more than just create accounts.

Standard modus operandi for hacking is once you gain access to a server is to create multiple backdoor ways back into the server and cover your tracks modifying log traces to evade quick detection.

You have accounts mysteriously appearing and also being used for what you described then you have a very serious problem and at this point very likely have rootkits and other hacker related processes installed that you still don't know about.

If you are extremely lucky, all they did is created the accounts but I very seriously doubt that is all that has been done. :rolleyes: