I have a strong suspicion one of my servers has been compromised. I just received an email message from WHM/cPanel telling me that a new user account was created. Below are the details of the account:

```
//////////////
+===================================+
| New Account Info |
+===================================+
| Domain: x1x6.com
| Ip: ************ (n)
| HasCgi: y
| UserName: x1x6com
| PassWord: ***HIDDEN***
| CpanelMod: x
| HomeRoot: /home
| Quota: 0 Meg
| Contact Email: firstname.lastname@example.org
| Package: default
| Feature List: default
| Language: english
+===================================+
Account was setup by: root (root)
//////////////
```

I did not create this account and it appears it was set up by "root". However, when I log in via SSH, the last logged-in IP was mine and I do not see any other users logged in. Moreover, I have a script that alerts me on root logins to the server via SSH (which is also on a non-standard port).

I have combed through the cPanel access logs and it appears he was somehow able to gain access to WHM/cPanel via http (not https) port 2086 and was using an unused IP address available on the server.

Any ideas how I can dig deeper into this? (Considering he still doesn't have SSH access.) I have already banned the IP address via CSF, though I'm curious how he managed to gain access to the server via WHM by escalating his account.
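The kind of access-log triage the post describes (root activity on the plaintext WHM port 2086 and account-creation requests, grouped by source IP) as an added example; this is not the poster's code or anything shipped with cPanel. The sample log lines are constructed and only loosely modelled on the cPanel `access_log` layout (source IP, user, timestamp, request, status, size, referer, user agent, two extra quoted fields, port); that field order, the `/scripts/wwwacct` and `createacct` paths, and the 2082/2086/2095 plaintext-port set are assumptions for the example.

```python
import re
from collections import defaultdict

# Ports on which cPanel, WHM and webmail accept unencrypted HTTP (assumption:
# 2082/2086/2095 plaintext, 2083/2087/2096 TLS).
CLEARTEXT_PORTS = {2082, 2086, 2095}

# Request paths that create a WHM account (assumed names for this example).
ACCOUNT_CREATE_PATHS = {"/scripts/wwwacct", "/json-api/createacct", "/xml-api/createacct"}

# Constructed sample lines; format is an assumption, not copied from a server.
SAMPLE_LOG = """\
198.51.100.7 - root [03/14/2012:22:41:05 -0000] "GET /scripts/wwwacct?domain=x1x6.com&username=x1x6com HTTP/1.1" 200 0 "" "Mozilla/5.0" "s" "-" 2086
203.0.113.5 - root [03/14/2012:09:12:44 -0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 0 "" "Mozilla/5.0" "s" "-" 2087
198.51.100.7 - root [03/14/2012:22:40:58 -0000] "POST /login/ HTTP/1.1" 200 0 "" "Mozilla/5.0" "s" "-" 2086
203.0.113.5 - admin [03/14/2012:09:12:44 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0" "s" "-" 2083
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "[^"]*" "[^"]*" (?P<port>\d+)$'
)


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    # Drop the query string so paths compare cleanly.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def classify(rec):
    """Return the list of reasons a parsed record deserves attention."""
    reasons = []
    if rec["port"] in CLEARTEXT_PORTS:
        reasons.append("cleartext-port")
        if rec["user"] == "root":
            # Root session over plain HTTP: credentials or cookies exposed in transit.
            reasons.append("root-over-cleartext")
    if rec["path"] in ACCOUNT_CREATE_PATHS:
        reasons.append("account-create")
    return reasons


def find_suspicious(log_text):
    """Return (record, reasons) pairs for lines showing root-over-cleartext or account creation."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        reasons = classify(rec)
        if "account-create" in reasons or "root-over-cleartext" in reasons:
            hits.append((rec, reasons))
    return hits


def summarize_by_ip(hits):
    """Collapse findings into {source_ip: sorted list of distinct reasons}."""
    by_ip = defaultdict(set)
    for rec, reasons in hits:
        by_ip[rec["ip"]].update(reasons)
    return {ip: sorted(r) for ip, r in by_ip.items()}


if __name__ == "__main__":
    for ip, reasons in summarize_by_ip(find_suspicious(SAMPLE_LOG)).items():
        print(ip, ", ".join(reasons))
```

Run against the real `/usr/local/cpanel/logs/access_log` by replacing `SAMPLE_LOG` with the file contents; any IP that appears with `account-create` and that you do not recognise is the one to cross-check against the WHM login history and the timestamp in the new-account email.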