got my cpanel vps chacked today, anyone can helps?

ronanc

Registered
May 15, 2013
4
0
1
cPanel Access Level
Root Administrator
Hi guys, after a long time my vps was chacked today, andd i dont know how

i received this emails on my admin mails

Time: Fri May 30 22:19:41 2014 -0300

Reported Modifications:

New account [rs] has been created with uid:[546] gid:[557] login:[/home/rs] shell:[/usr/local/cpanel/bin/noshell]

Time: Fri May 30 21:50:38 2014 -0300

Reported Modifications:

New account [wh] has been created with uid:[545] gid:[556] login:[/home/wh] shell:[/usr/local/cpanel/bin/noshell]


Time: Fri May 30 21:54:38 2014 -0300

Reported Modifications:

Account [wh] login shell has changed from [/usr/local/cpanel/bin/noshell] to [/bin/bash]


Time: Fri May 30 22:25:41 2014 -0300

Reported Modifications:

New account [whm] has been created with uid:[547] gid:[558] login:[/home/whm] shell:[/usr/local/cpanel/bin/noshell]



Any one can help to understand what this changes do?

After see this i power down the vps!

How can i revert this changes ???

Can cpanel crew get acess to the server and helps me???

thanks
 

24x7server

Well-Known Member
Apr 17, 2013
1,913
99
78
India
cPanel Access Level
Root Administrator
Twitter
Hello,

First of all change your root password of your VPS and deleted the all unwanted account which are created on your server. Also disable the all shell access of your cPanel user. And try to scan your server through LMD and Clamscan
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
584
24
143
cPanel Access Level
Root Administrator
Hello,

If your server is root compromised, then the only solution is to reload the operating system, re-install cPanel and restore from backups. There is no guarantee that you will clear out all possible entry points that the hacker may have already put in place.