My WHM/cpanel account hacked? No access to root

Kookidooki

cPanel Access Level
Website Owner
Hello guys at WHM / cpanel.
I'm devastated and need urgent help!

I guess someone got access to my server and WHM/cpanel account.
By coincidence I've found out that I don't have access anymore to the root.
There's also no link to reset the password. Looks like someone hacked my root and changed the password.

cPanel/WHM, could you please check and reset the password?

Thank You!
 

andrew.n

cPanel Access Level
Root Administrator
If the root password has been changed and you didn't set up your SSH key to log in to the server, then you need to reset it manually. If this is a VPS, this is usually possible in their control panel. If this is a dedicated server, then it needs to be done manually by booting the server into single user mode. In that case I suggest hiring a Certified cPanel Professional from System Administration Services to get this done for you, as it's not that straightforward a process.
 

Kookidooki

cPanel Access Level
Website Owner
This problem never happened before. The last time I got access to my WHM/cpanel was 2 wks ago..

Did cpanel / WHM do some updates last 2 wks?
 

andrew.n

cPanel Access Level
Root Administrator
cPanel/WHM updates shouldn't cause this. It is possible that somehow the firewall on the server or cpHulk might have blocked you... give it a try from another computer or mobile to see if you can connect.
 

shahidi

Kookidooki said:
> This problem never happened before. The last time I got access to my WHM/cpanel was 2 wks ago..
>
> Did cpanel / WHM do some updates last 2 wks?

I had the same issue with multiple servers and VPS from 17 Feb.
I think something wrong happened in cPanel but I am not sure.
 

shahidi

I lost my root password and with the rescue I discovered them.
I did lots of scans on the servers and there were r4.html on all accounts with the owner of root:root.
Lots of phishing and logins directly to cPanel from different IPs.
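
A check for the indicator reported in the post above (files owned by root:root inside account directories), as an added example that is not part of the thread and not cPanel's own tooling. It assumes account homes sit directly under /home; the function names are illustrative, and hits are leads to review rather than proof of compromise.

```python
#!/usr/bin/env python3
"""Flag entries inside account home directories that the account owner does not own."""
import os
import sys


def scan_account(home, lstat=os.lstat):
    """Return (path, uid, gid) for entries under `home` not owned by home's owner."""
    owner_uid = lstat(home).st_uid
    findings = []
    for dirpath, dirnames, filenames in os.walk(home):  # os.walk does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = lstat(path)  # lstat: inspect the link itself, not its target
            except OSError:
                continue  # entry vanished or is unreadable
            if st.st_uid != owner_uid:
                findings.append((path, st.st_uid, st.st_gid))
    return findings


def scan_all(home_root="/home", lstat=os.lstat):
    """Scan each directory directly under home_root; return {account_home: findings}."""
    report = {}
    for entry in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, entry)
        if os.path.isdir(home) and not os.path.islink(home):
            hits = scan_account(home, lstat)
            if hits:
                report[home] = hits
    return report


def root_owned(findings):
    """Subset of findings owned by root:root (uid 0, gid 0)."""
    return [f for f in findings if f[1] == 0 and f[2] == 0]


if __name__ == "__main__":
    # Assumption: /home is the parent of all account homes; pass another path to override.
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for home, hits in scan_all(root).items():
        for path, uid, gid in hits:
            tag = "ROOT-OWNED" if (uid, gid) == (0, 0) else "foreign-owner"
            print(f"{tag}\t{uid}:{gid}\t{path}")
```

Run it from the rescue environment with the server's disk mounted, passing the mounted home path as the argument, so the listing does not depend on binaries from the affected system.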
 

andrew.n

cPanel Access Level
Root Administrator
Uh... looks like your server got compromised after all... I'm sad to hear that :(
 

PeterN123

cPanel Access Level
Root Administrator
shahidi said:
> I lost my root password and with the rescue I discovered them.
> I did lots of scans on the servers and there were r4.html on all accounts with the owner of root:root.
> lots of phishing and logins directly to cpanel from different IPs.

Hi Shahidi,

Sorry to bump an old thread. Did you allow users to have SSH access? Can it be that your user's account got compromised first?