cPanel contact email changed by hackers

awogor

Registered
Hello,

I noticed over 149k pages indexed for my sites on Google and when I checked they were Chinese.

I tried logging into WordPress but couldn't. At this point my whole mood changed, thoughts, feelings and everything literally changed.

I logged into cPanel and found out that only 2 sites in my cPanel account are safe; the rest have been tampered with, new files added by hackers.

I began the fix by changing passwords and enabling two-factor authentication for both WHM and cPanel users with Google Authenticator.

A few minutes (2 minutes) later I received an email alert from cPanel that my email has been changed to “[email protected]”.

I quickly logged back in and changed the email back. I'm posting the email so if it is a known hacker as seen on this report Email [email protected] spam report

All the folders in the cPanel account, I can't delete them.

I've uninstalled WordPress and am trying to get rid of all the files in the domain root folder to enable me to upload the backup.

Each time I try to delete it I get the following errors.

(VPS Server) Name Says:
FileOp Failure on: /home/username/public_html/domainexample.com: Directory not empty


Please, I need help.
 

cPRex

Jurassic Moderator
Staff member
Hey there! It sounds like the cPanel account itself was compromised. If the user had access to the files on the account, they would be able to manually update the account's contact information.

You aren't able to remove directories that aren't empty through the cPanel >> File Manager tool - that's a safety mechanism to avoid people accidentally deleting directories. You may want to consider using an FTP client to perform that work instead.

I'd also recommend performing a security/malware scan of any local workstations that had access to cPanel, as that is the most common way passwords are stolen.
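
For the cleanup discussed in this thread, one way to see which files were added or altered before restoring the backup is to compare the live document root with an unpacked known-good backup by content hash. This is an added example, not part of either post; the directory layout and file names in it are constructed sample data.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """SHA-256 of a file's content; file symlinks are recorded by target, not followed."""
    if os.path.islink(path):
        return "symlink:" + os.readlink(path)
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def tree_fingerprints(root):
    """Map every file path (relative to root) to its fingerprint."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            result[os.path.relpath(full, root)] = fingerprint(full)
    return result

def compare_to_backup(live_root, backup_root):
    """Return sorted (added, modified, missing) paths of live relative to backup."""
    live, good = tree_fingerprints(live_root), tree_fingerprints(backup_root)
    added = sorted(set(live) - set(good))
    missing = sorted(set(good) - set(live))
    modified = sorted(p for p in set(live) & set(good) if live[p] != good[p])
    return added, modified, missing

def build_sample():
    """Constructed sample: a clean backup tree and a tampered live tree."""
    base = tempfile.mkdtemp()
    trees = {
        "backup": {"index.php": "<?php // home", ".htaccess": "Options -Indexes"},
        "live": {"index.php": "<?php // home, altered", "pages/x1.html": "injected"},
    }
    for tree, files in trees.items():
        for rel, text in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write(text)
    return os.path.join(base, "live"), os.path.join(base, "backup")

if __name__ == "__main__":
    for label, paths in zip(("added", "modified", "missing"), compare_to_backup(*build_sample())):
        print(label, paths)
```

Files reported as added or modified are the ones to review or remove; the comparison is only as trustworthy as the backup it is run against.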