Server's root password changed

James Loh

Registered
Aug 15, 2015
4
0
1
Singapore
cPanel Access Level
Root Administrator
Hi team, I did some research, but I could not find the solution to this.

For some reason, I could not log in to my WHM using the root password that I used to log in with. For my server, only I have access to it, so that eliminates the possibility of it being changed by another person.

I wonder if anyone can shed light on 2 questions:
a) How to change the root password if I have physical access to the server
b) Has anyone here ever faced the same issue before? Is it due to hacking?
 

lldeepakll

Well-Known Member
May 20, 2012
85
3
58
India
cPanel Access Level
Root Administrator
a) How to change the root password if I have physical access to the server
Just check if you are able to log in with the same root password on the console/terminal (physical server). If not, then you have to reset the root password, which requires a server reboot. The following URL will be helpful for you.

http://www.tecmint.com/reset-forgotten-root-password-in-rhel-centos-and-fedora/

b) Has anyone here ever faced the same issue before? Is it due to hacking?
Not sure unless you log in and check the logs. It's possible the "root" user is locked out by cPhulk, and thus you are unable to log in.


Thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

It's possible the root account was locked out by cPhulk brute force detection. Ensure your IP address is added to the trusted hosts list if it's enabled on your system.

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
cPhulk should not block root by default, period. It leads to tons of support requests just like this one. I encourage anyone who is mysteriously locked out of root on their cpanel servers to vote for this feature request:

https://features.cpanel.net/topic/a...ike-root-from-cphulkds-account-based-lockouts

This has been a known issue for many years and at best it's annoying; at worst it provides an extremely easy way to block someone from getting to root on their WHM system if they have a dynamic IP address (DoS attack risk).
 

James Loh

Hi Michael, thank you for your reply. As we are using a dynamic IP address for our internet connection, it is impossible to add an IP to the whitelist.

Hi Deepak,
thank you for your reply. When I restart the server, I manage to log in with root using my known password; however, after a while, I am denied access again.

I wonder why.
 

cPanelMichael

thank you for your reply. When I restart the server, I manage to log in with root using my known password; however, after a while, I am denied access again.

I wonder why.
Were you able to check to see if cPHulk is enabled and if your IP address is in the failed logins history?

Thank you.
 

James Loh

Hi Michael, I restarted my server again and I have managed to do a few things:

1. I created a reseller account to issue full privileges to this user so that I can reset the root password when needed
2. I checked cPHulk Brute Force Protection, and indeed there are a lot of tries to log in using different usernames, and primarily it is root. I have blacklisted some of the IP addresses shown in the report as well as whitelisted my IP for now.

3. Due to the fact that the unauthorised logins may still persist, I switched on the notification so that whenever an unauthorised / failed login occurs, I can receive the email notification and blacklist them accordingly. Hope it helps for now; will monitor it.
 

cPanelMichael

I'm happy to see you were able to find a good course of action. Feel free to let us know if any additional issues continue.

Thank you.
 

quizknows

cphulk is fundamentally broken as evidenced by this thread. People are frequently left to assume their server is hacked and/or that their root password was changed. Again I urge people to vote for the feature request linked above, as locking out root should NEVER happen unless someone specifically configures it that way -after- whitelisting themselves. Blocking root by default during distributed attacks causes far more harm than good, locking legitimate admins and support out of servers on a regular basis.
 

James Loh

Hi Michael, thank you for your support.

However, I do agree with quizknows regarding the lock-out for root. I have done the 'I like this idea' at the link request he posted.

Right now, I am manually blacklisting all the unknown IP addresses (about 20 so far in the morning).
 

pablo777

Member
Sep 8, 2015
22
0
1
United Kingdom
cPanel Access Level
Root Administrator
Hi, this has happened to me. I'm using Fedora. Someone was brute forcing my WHM on Sunday all day and night; now I can't access WHM with my root password. I've looked online for the code to put in the console, because it does let me log into that, but I'm a newbie when it comes to Linux. I've always heard good things about Linux, but this is really annoying; my website has been offline for a week. Someone doesn't want me online by the looks of it. Can anyone help me with the console and what to type to reset cPHulk? Thanks
 

pablo777

OK, that worked. I just put it to stop, and now I have got into WHM and added my IP to the whitelist. I noticed someone is trying an IP that is 0.0.0.0.0.0.0.0. lol, not sure what that means, maybe it's another hack. Someone symlinked my public html directory to get in to the database and removed the member table. I haven't a clue how they are doing it. I removed the symlinks but it keeps happening.
 

cPanelMichael

OK, that worked. I just put it to stop, and now I have got into WHM and added my IP to the whitelist. I noticed someone is trying an IP that is 0.0.0.0.0.0.0.0
Is there any traffic identified as 0.0.0.0 aimed at the server? You may want to install tcpdump and run the following command to see if that's the case:

Code:
tcpdump -nnvv host 0.0.0.0
If you see data, check for the Client-Ethernet-Address from the output and determine if it's from your own server:

Code:
ifconfig|grep [Client-Ethernet-Address-Here]
Thank you.
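The check described in the reply above, written as a script over saved `tcpdump -nnvv host 0.0.0.0` output (an added example, not part of the original post). The capture text and MAC addresses are constructed, and the function names are this example's own; tcpdump prints `Client-Ethernet-Address` when it decodes BOOTP/DHCP packets, which are commonly sent from 0.0.0.0 before an address is assigned.

```shell
#!/bin/sh
# Added example (not from the thread): find out whether 0.0.0.0-sourced
# DHCP/BOOTP packets seen by `tcpdump -nnvv host 0.0.0.0` come from this host.

# Constructed sample capture text; both client MAC addresses are made up.
SAMPLE_CAPTURE='10:15:01.000001 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:bb:01, length 300, xid 0x3d1e, Flags [none]
      Client-Ethernet-Address 52:54:00:aa:bb:01
        DHCP-Message Option 53, length 1: Discover
10:15:09.000002 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:cc:dd:02, length 300, xid 0x77a0, Flags [none]
      Client-Ethernet-Address 52:54:00:cc:dd:02
        DHCP-Message Option 53, length 1: Discover'
# Constructed stand-in for this server's interface MACs. Upper case on
# purpose: older ifconfig prints HWaddr in upper case, tcpdump in lower case.
SAMPLE_LOCAL_MACS='52:54:00:AA:BB:01 52:54:00:EE:FF:03'

# Print each distinct Client-Ethernet-Address found on stdin, lower-cased.
client_macs() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "Client-Ethernet-Address") print tolower($(i + 1)) }' |
        sort -u
}

# Print the MAC of every local interface (Linux sysfs), lower-cased.
local_macs() {
    cat /sys/class/net/*/address 2>/dev/null | tr 'A-F' 'a-f'
}

# $1 = capture text, $2 = whitespace-separated local MACs.
# Prints "<mac> local" or "<mac> foreign" for each DHCP client seen.
classify_clients() {
    known=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s\n' "$1" | client_macs | while read -r mac; do
        verdict=foreign
        for l in $known; do
            if [ "$l" = "$mac" ]; then verdict=local; fi
        done
        printf '%s %s\n' "$mac" "$verdict"
    done
}

# Demo on the constructed data; on a real server pass "$(local_macs)" instead.
classify_clients "$SAMPLE_CAPTURE" "$SAMPLE_LOCAL_MACS"
```

A "local" verdict means the 0.0.0.0 entries are the server's own DHCP client traffic; a "foreign" MAC belongs to another machine on the same network segment.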
 

pablo777

Is there any traffic identified as 0.0.0.0 aimed at the server? You may want to install tcpdump and run the following command to see if that's the case:

Code:
tcpdump -nnvv host 0.0.0.0
If you see data, check for the Client-Ethernet-Address from the output and determine if it's from your own server:

Code:
ifconfig|grep [Client-Ethernet-Address-Here]
Thank you.
Thanks for the help. It was cPHulk; it had blacklisted my own IP for some reason. The 0.0.0 was my server.
 

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
I experienced exactly this when I first got my server.
I'm 99% confident when I say that the issue is probably caused by someone trying to hack in to your server, and CPHulk is blocking root access.

The very first thing I would suggest would be to add a range of IPs to your Host Access Control file.
My ISP also issues dynamic IPs, but these tend to be in a very narrow band.

say 192.168.x.x and 192.169.x.x,

so I added 192.168.0.0/255.255.0.0 Allow
and 192.169.0.0/255.255.0.0 Allow
to Host Access control.

The next thing I would do would be to Install CSF firewall.
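An added example, not part of the post above: computing the narrowest `network/netmask` entry that still covers every address a dynamic connection has been seen on, so the allow rule admits as few other hosts as possible. The function names are this example's own, and the sample addresses are constructed from the post's illustrative 192.168.x.x band.

```shell
#!/bin/sh
# Added example (not from the thread): derive the narrowest network/netmask
# entry that covers every address a dynamic-IP connection has been seen on.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Args: observed IPv4 addresses.
# Prints "<network>/<netmask> <number of addresses the entry admits>".
covering_range() {
    first=$(ip_to_int "$1")
    diff=0
    for ip in "$@"; do
        # Accumulate every bit position in which any observation differs.
        diff=$(( diff | (first ^ $(ip_to_int "$ip")) ))
    done
    bits=0                      # number of low-order bits that must stay open
    while [ "$diff" -gt 0 ]; do
        diff=$(( diff >> 1 ))
        bits=$(( bits + 1 ))
    done
    mask=$(( (4294967295 << bits) & 4294967295 ))
    echo "$(int_to_ip $(( first & mask )))/$(int_to_ip "$mask") $(( 1 << bits ))"
}

# Constructed observations inside the post's illustrative 192.168.x.x band.
covering_range 192.168.14.77 192.168.9.201 192.168.12.3
```

For these three observations the entry admits 2048 addresses, against 65536 for a 255.255.0.0 mask over the same band.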
 

pablo777

Hello all. This problem has happened again: I'm locked out of root via WHM now. I still have access to the console root login, but I tried to see the logs in cphulkd and it said access denied? It was OK yesterday; I have not had any problems for over a week now, but something must have happened last night or in the early hours of today?
 

pablo777

Hi, I checked the MySQL and cPHulk tables for IP login time and login type; it said both tables are empty? I've also sent an email to support for my VPS. I'm considering reinstalling the system, but that means I will lose all my website data, doesn't it?
 

pablo777

Hi, I managed to gain access. I will tell you what I did: I reset my router and changed the wireless password for it, then cleared my browser history and cache. This seemed to have fixed the problem and I was able to log in to WHM again, whoo hoo. :) I hope this helps others in the future if they have a similar problem.
 

pablo777

I experienced exactly this when I first got my server.
I'm 99% confident when I say that the issue is probably caused by someone trying to hack in to your server, and CPHulk is blocking root access.

The very first thing I would suggest would be to add a range of IPs to your Host Access Control file.
My ISP also issues dynamic IPs, but these tend to be in a very narrow band.

say 192.168.x.x and 192.169.x.x,

so I added 192.168.0.0/255.255.0.0 Allow
and 192.169.0.0/255.255.0.0 Allow
to Host Access control.

The next thing I would do would be to Install CSF firewall.

Hi, the server is not running on my own network; it's a private VPS. How do I go about setting my own IP? Because my IP changes daily or when I reset my router. Today my WHM locked me out because I was using an old IP? Also, I'm about to install what you said. I'm a complete newbie to servers, and the support for the VPS is crap because it's unmanaged, so I have to learn it all or get valuable advice from people like you. Thanks for the reply anyway, and hoping to discuss further with you. :)