How to track down hacker IP

Hi,
One of my VPS servers was hacked.
This person was able to:
access my main cPanel account
change my contact email to a Yahoo email
change my server contact email to same Yahoo email
create a new account owned by root user with another Yahoo email address

I'm running WHM 10.8.0 cPanel 10.9.0-S80
Fedora i686 - WHM X v3.1.0

Have since changed my root password and the email addresses back, and deleted the new account.

Asked my VPS provider if they could have a look around, and also track down the IP so we can block it.

Amazingly, they said they cannot find the IP this person used.

I am no expert in such matters, but find this a little difficult to swallow.
Can anyone here help or know how?

Lastly, any cPanel exploit know that let's this happen?
Only thing I can think of is my password was 10 characters, and seem to remember cPanel had a problem with anything over 8?

Appreciate any help.

- Vince

 

I am not capable to dig and identify which IP created the hacker account, that's why I asked my VPS provider.

Thanks for reply,

- Vince

 

jayh38,
Thanks for your reply.
Just to help me understand what you are suggesting, will the loading of a 'fresh template' affect existing data/accounts, so a bfull vps backup should be done beforehand?

If you don't mind explaining, what exactly does this do?

I was once told that a full backup was needed, and VPS rebuilt, then restore all the accounts. But surely, if the hacker has compromised and left scripts within any of the accounts, they would get in again and all was to no avail.

Am I missing something?

Many thanks,

- Vince

P.S. I forgot to mention that during the compromise the VPS was still using version 2.4.x kernel, but coincidently I was migrated to a VPS with 2.6.9-023stab033.9-enterprise just a few hours after. I believe this is a more secure kernel, and maybe due to migration I already have a 'fresh template' now anyway?