I am having an issue. I am locked out of my WHM and cannot access it by SSH. I have been getting several emails stating failed login attempts (10-15 a day) from China mostly. I'm not sure if I have been hacked or not. I don't know if it was cPHulk or not. I have recently disabled CSF (2 days ago) and have been in WHM several times since. What are my options? I have many clients hosting on this system and I don't have any backups because I was recently moving to another backup option from my datacenter.
Please help. Only God knows what is happening to my system at this moment.
Thank you in advance.
DJ
I am using the latest version of WHM and CentOS 6.
I am using a dedicated server with OVH and I am in recovery mode at the moment. I can see CentOS files but nothing else. I cannot run any cPanel commands in SSH but can run other basic commands. Any help would be greatly appreciated.
- - - Updated - - -
Yes, it's possible for cPHulk to prevent users from authenticating. There is a setting for this in "WHM Home » Security Center » cPHulk Brute Force Protection":
"Maximum Failures By Account"
You can wait for the lockout time period to end, or consult with your data center/hosting provider to have them disable cPHulk with console access via the following commands:
Code:
for i in `ps aux | grep -i "cphulkd - process" | awk {'print $2'}` ;do kill -9 $i ;done
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
Thank you.
I am on the phone with them again. The first go around with them wasn't very productive. They don't seem to want to do this.
I have fixed the problem so now I am going to post what I did to help others. I worked on it for nearly 10 hours.
I use OVH for my server and although they have good products, they provide zero (0) support for it.
Here is some documentation that helped me (if you use OVH):
(You must follow this word for word and don't skip a step)
When you are done your command will look like this:
When it does, run this (taken from Michael's post above):
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
Change your password:
Put your "Netboot" back to "Hard Drive" then restart.
This was all from me setting cPHulk to be too aggressive and clearing my browser cache. I hope that this will help someone else in the future.