if the box is compromised, nothing stops someone from restoring accounts on a machine and brute forcing the password locally on that machine since cPanel users are just standard Unix users.
This would work, but even more efficient would be for an attacker to just:
1. extract the users' password hashes from the backup files
2. run them through a password cracker
What I might do to prevent this from being an issue is to, somehow, make sure that the hashed password information in the backups does not match the hashed password information on the live server (that is, the server where the accounts are currently being used).
There are a few options:
A. Use a different backup solution than the one provided by cPanel, one which will not store the password hashes of the accounts.
B. Look into altering the cPanel backup routine so that it does not use ftpwrap to dump the users' hashes (I'm not 100% sure this is how it's done, but sounds probable). Note that if a user's cPanel backup file does not contain their password hash, then I'm guessing that doing a restore of that account from within cPanel/WHM would not be possible, since it would not have the necessary information needed to update the password file of the OS.
C. Find a way to change the password hash after it has been obtained, but before the backup has been FTP'd (hopefully you are using TLS or something similar for this) over to the VPS.
D. Edit the users' password hashes in their cPanel backups after the backup has been transferred over to the VPS. This is probably the worst of the ideas since the actual hash of the user's current password will exist on the VPS, even if for a short time.
Ideally I think the best option would be to, somehow, use a dummy passwd file for the backups, one which will not be interfered with by the cPanel backup process.
Alternately, if the accounts belong to you only, as long as you are using very strong passwords, then even if the hashes are obtained, theoretically the actual passwords should not be able to be recovered in a reasonable amount of time.
Another thing to consider is this: how many users use their cPanel password for their MySQL connections strings in their php files (e.g., for WordPress, etc)? Even if an attacker is unable to directly obtain the a user's OS password (cPanel password), they might be able to find it in another file in the backup.
It would be interesting to hear some ideas from others on this as well. I personally don't see the need to store a user's password hash on a server other than the one that the account is currently being used on. I understand that this is done so that if an account is restored from a backup that the password will be the same, but a user's password can always be changed by the admin from within WHM. Just my 2 cents.
