Root password reset: should I be worried?

Discussion in 'Security' started by cycas, Jan 8, 2015.

  1. cycas

    cycas Member

    I tried to log into WHM on my cloud account / vm as root, and found my current password had stopped working.

    I contacted my hosting provider, and was told that the root password they had on file currently was not the one I had used the day before. They gave me a root password from their records and I could log in with that.

    I asked them who had reset the password and why, but they said they had no record of it being reset. I asked them to double-check, and they told me that it was definitely nobody on their support team that had reset the password.

    So I'm a little worried how the password got reset. My host had a record of the correct password so surely that suggests it wasn't reset by a third party?

    Is this normal? Should I be concerned?

    I've changed the password to a brand-new strong one, but am not quite sure if I can forget it as just one of those things, or if I should be doing anything more.

    Nothing obvious appears to have changed on the server and the websites hosted there seem to be behaving normally.
     
    #1 cycas, Jan 8, 2015
    Last edited: Jan 8, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Are you sure the root account was not locked out by cPHulk brute force detection? You can review /usr/local/cpanel/logs/login_log to see if you notice any particular error messages during the failed login attempts.

    Thank you.
     
  3. cycas

    cycas Member

    I don't think so - my IP address was whitelisted, and is still in the whitelist.

    I just checked /usr/local/cpanel/logs/login_log - thanks for that suggestion - and I can see my attempts to log in on that day, which each say:
    FAILED LOGIN whostmgrd: user password incorrect

    None of them mention cPHulk or being locked out, although I can see other attempts to log in from unfamiliar IP addresses at earlier and later dates that have been blocked by cPHulk, so I think if it had been that it would have been in the log.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may want to consult with a security specialist or qualified system administrator if you want to have your system investigated to see if it was exploited. There's no way for us to tell you for sure if someone accessed your system.

    Thank you.
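
Added example (not part of the thread and not cPanel code): a Python script for the login_log check discussed above, separating plain password rejections from brute-force lockouts per source IP. The sample lines are constructed; only the `FAILED LOGIN whostmgrd: user password incorrect` text comes from the thread, while the line layout and the "brute force" lockout wording are assumptions to adjust against your own log.

```python
import re
from collections import Counter, defaultdict

# The "FAILED LOGIN <service>: <reason>" tail is the form quoted in the thread.
FAILED = re.compile(r"FAILED LOGIN (?P<service>\w+): (?P<reason>.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: a lockout entry mentions "brute force"; change to match your log.
LOCKOUT_HINT = "brute force"

# Constructed sample lines (documentation IP ranges, assumed field layout).
SAMPLE = [
    '[2015-01-05 03:11:02 +0000] info [whostmgrd] 198.51.100.7 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect',
    '[2015-01-05 03:11:09 +0000] info [whostmgrd] 198.51.100.7 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: brute force attempt has locked out this IP',
    '[2015-01-07 09:12:44 +0000] info [whostmgrd] 203.0.113.10 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect',
    '[2015-01-07 09:13:20 +0000] info [whostmgrd] 203.0.113.10 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect',
    '[2015-01-07 09:40:01 +0000] info [whostmgrd] 203.0.113.10 - root "GET / HTTP/1.1" 200 0',
]

def triage(lines):
    """Count failed logins per source IP, split into bad_password and lockout."""
    report = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line.strip())
        if not m:
            continue  # not a failed-login entry
        ip = IPV4.search(line)  # first dotted quad on the line = source field
        src = ip.group(0) if ip else "unknown"
        reason = m.group("reason").lower()
        kind = "lockout" if LOCKOUT_HINT in reason else "bad_password"
        report[src][kind] += 1
    return {ip: dict(counts) for ip, counts in report.items()}

def rejected_without_lockout(report, trusted_ips):
    """Trusted IPs that saw password rejections but never a lockout.

    This is the case in the thread: the block list was not involved, so the
    stored credential itself differed and the change needs explaining.
    """
    return sorted(
        ip for ip in trusted_ips
        if report.get(ip, {}).get("bad_password") and not report[ip].get("lockout")
    )

if __name__ == "__main__":
    rep = triage(SAMPLE)
    print(rep)
    print(rejected_without_lockout(rep, ["203.0.113.10"]))
```

To run it against a real server, pass the lines of /usr/local/cpanel/logs/login_log to `triage()` and your own whitelisted addresses as `trusted_ips`.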
     