Server's root password changed

Discussion in 'Security' started by James Loh, Aug 15, 2015.

  1. James Loh

    James Loh Registered

    Hi team, I did some research, but I could not find the solution to this.

    For some reason, I could not log in to my WHM using a root password that I used to log in with. For my server, only I have access to it, so that eliminates the possibility of it being changed by another person.

    I wonder if anyone can shed light on 2 questions:
    a) How to change the root password if I have physical access to the server
    b) Has anyone here ever faced the same issue before? Is it due to hacking?
     
  2. lldeepakll

    lldeepakll Well-Known Member

    Just check if you are able to log in with the same root password on the console/terminal (physical server). If not, then you have to reset the root password, which requires a server reboot. The following URL will be helpful for you.

    http://www.tecmint.com/reset-forgotten-root-password-in-rhel-centos-and-fedora/

    Not sure unless you log in and check the logs. It's possible the "root" user is locked out by cPhulk, and thus you are unable to log in.


    Thanks
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    It's possible the root account was locked out by cPhulk brute force detection. Ensure your IP address is added to the trusted hosts list if it's enabled on your system.

    Thank you.
     
  4. quizknows

    quizknows Well-Known Member

    cPhulk should not block root by default, period. It leads to tons of support requests just like this one. I encourage anyone who is mysteriously locked out of root on their cPanel servers to vote for this feature request:

    https://features.cpanel.net/topic/a...ike-root-from-cphulkds-account-based-lockouts

    This has been a known issue for many years and at best it's annoying; at worst it provides an extremely easy way to block someone from getting to root on their WHM system if they have a dynamic IP address (DoS attack risk).
     
    feldon27 likes this.
  5. James Loh

    James Loh Registered

    Hi Michael, thank you for your reply. As we are using a dynamic IP address for our internet connection, it is impossible to add an IP to the whitelist.

    Hi Deepak,
    thank you for your reply. When I restart the server, I manage to log in with root using my known password; however, after a while, I am denied access again.

    I wonder why.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Were you able to check to see if cPHulk is enabled and if your IP address is in the failed logins history?

    Thank you.
     
  7. James Loh

    James Loh Registered

    Hi Michael, I restarted my server again and I have managed to do a few things:

    1. I created a reseller account to issue full privileges to this user so that I can reset the root password when needed.
    2. I checked cPHulk Brute Force Protection, and indeed there are a lot of tries to log in using different usernames, and primarily it is root. I have blacklisted some of the IP addresses shown in the report as well as whitelisted my IP for now.

    3. Due to the fact that the unauthorised logins may still persist, I switched on the notification so that whenever an unauthorised / failed login occurs, I can receive the email notification and blacklist them accordingly. Hope it helps for now, will monitor it.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  9. quizknows

    quizknows Well-Known Member

    cphulk is fundamentally broken as evidenced by this thread. People are frequently left to assume their server is hacked and/or that their root password was changed. Again I urge people to vote for the feature request linked above, as locking out root should NEVER happen unless someone specifically configures it that way -after- whitelisting themselves. Blocking root by default during distributed attacks causes far more harm than good, locking legitimate admins and support out of servers on a regular basis.
     
    feldon27 likes this.
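
The lockout behaviour discussed in the posts above, as an added example that is not part of the thread and is not cPHulk's code: a simplified model of per-IP plus per-account failure counting. The thresholds, class and function names, and the addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical thresholds for this model; they are not cPHulk's defaults.
MAX_FAILURES_PER_IP = 5
MAX_FAILURES_PER_ACCOUNT = 15


class LockoutModel:
    """Simplified model of IP-based plus account-based login lockout."""

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def login(self, user, ip, password_ok):
        """Return 'ok', 'bad-password', 'ip-blocked' or 'account-locked'."""
        if ip not in self.whitelist:
            if self.ip_failures[ip] >= MAX_FAILURES_PER_IP:
                return "ip-blocked"
            # The account counter ignores where the failures came from.
            if self.account_failures[user] >= MAX_FAILURES_PER_ACCOUNT:
                return "account-locked"
        if not password_ok:
            self.ip_failures[ip] += 1
            self.account_failures[user] += 1
            return "bad-password"
        return "ok"


def simulate(admin_ip, whitelist=()):
    """Constructed scenario: 20 sources fail twice each, then the admin logs in.

    Returns (admin login result, number of sources that hit the per-IP limit).
    """
    model = LockoutModel(whitelist)
    sources = [f"203.0.113.{n}" for n in range(1, 21)]
    for ip in sources:
        for _ in range(2):  # every source stays below the per-IP threshold
            model.login("root", ip, password_ok=False)
    blocked = sum(model.ip_failures[ip] >= MAX_FAILURES_PER_IP for ip in sources)
    return model.login("root", admin_ip, password_ok=True), blocked
```

In this model no single source is ever blocked, yet the admin with the correct password is refused unless the admin's address is whitelisted.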
  10. James Loh

    James Loh Registered

    Hi Michael, thank you for your support.

    However, I do agree with quizknows regarding the lock-out for root. I have done the 'I like this idea' at the link request he posted.

    Right now, I am manually blacklisting all the unknown IP addresses (about 20 so far in the morning).
     
  11. pablo777

    pablo777 Member

    Hi, this has happened to me. I'm using Fedora. Someone was brute forcing my WHM on Sunday all day and night, and now I can't access WHM with my root password. I've looked online for the code to put in the console, because it does let me log into that, but I'm a newbie when it comes to Linux. I've always heard good things about Linux, but this is really annoying; my website has been offline for a week. Someone doesn't want me online by the looks of it. Can anyone help me with the console and what to type to reset cPHulk? Thanks
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  13. pablo777

    pablo777 Member

    OK, that worked. I just put it to stop; now I have got into WHM and added my IP to the whitelist. I noticed someone is trying an IP that is 0.0.0.0.0.0.0.0. lol, not sure what that means, maybe it's another hack. Someone symlinked my public html directory to get in to the database and removed the member table. I haven't a clue how they are doing it; I removed the symlinks but it keeps happening.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Is there any traffic identified as 0.0.0.0 aimed at the server? You may want to install tcpdump and run the following command to see if that's the case:

    Code:
    tcpdump -nnvv host 0.0.0.0
    If you see data, check for the Client-Ethernet-Address from the output and determine if it's from your own server:

    Code:
    ifconfig|grep [Client-Ethernet-Address-Here]
    Thank you.
     
  15. pablo777

    pablo777 Member

    Thanks for the help. It was cPHulk; it had blacklisted my own IP for some reason. The 0.0.0 was my server.
     
  16. keat63

    keat63 Well-Known Member

    I experienced exactly this when I first got my server.
    I'm 99% confident when I say that the issue is probably caused by someone trying to hack in to your server, and CPHulk is blocking root access.

    The very first thing I would suggest would be to add a range of IPs to your Host Access Control file.
    My ISP also issues dynamic IPs, but these tend to be in a very narrow band.

    Say 192.168.x.x and 192.169.x.x,

    so I added 192.168.0.0/255.255.0.0 Allow
    and 192.169.0.0/255.255.0.0 Allow
    to Host Access Control.

    The next thing I would do would be to install CSF firewall.
     
    pablo777 likes this.
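
A check for range-based allow rules like the ones in the post above, as an added example that is not part of the thread: it reports which observed client addresses the rules cover and how many addresses in total they admit. The `network/netmask Allow` line form is taken from the post as written; the function names and the observed addresses are constructed assumptions, and only IPv4 is handled.

```python
import ipaddress

# Rules as written in the post above.
RULES = ["192.168.0.0/255.255.0.0 Allow", "192.169.0.0/255.255.0.0 Allow"]
# Constructed sample of addresses a dynamic-IP client was seen using.
OBSERVED = ["192.168.14.9", "192.168.201.77", "192.169.3.40", "192.170.1.5"]


def parse_allow_rules(lines):
    """Parse 'network/netmask Allow' lines into IPv4 network objects."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[1].lower() == "allow":
            # strict=True rejects a rule whose address has host bits set.
            nets.append(ipaddress.ip_network(parts[0], strict=True))
    return nets


def coverage(rules, observed):
    """Return ({address: covered?}, total addresses the rules admit)."""
    nets = parse_allow_rules(rules)
    covered = {}
    for addr in observed:
        ip = ipaddress.ip_address(addr)
        covered[addr] = any(ip in net for net in nets)
    # Collapse first so overlapping or adjacent rules are not double counted.
    exposure = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covered, exposure


def tightest_network(observed):
    """Smallest single network that contains every observed address."""
    ips = [ipaddress.ip_address(a) for a in observed]
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()  # widen by one prefix bit at a time
    return net
```

The exposure figure is the number of other hosts that bypass the same control, so the narrowest range that still covers the observed addresses is the one to allow.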
  17. pablo777

    pablo777 Member

    Hello all. This problem has happened again; I'm locked out of root via WHM now. I still have access to console root login, but I tried to see the logs in cphulkd and it said access denied? It was OK yesterday. I've not had any problems for over a week now, but something must have happened last night or in the early hours of today?
     
  18. pablo777

    pablo777 Member

    Hi, I checked the mysql and cphulk tables for IP, login time and login type; it said both tables are empty? I've also sent an email to support for my VPS. I'm considering reinstalling the system, but that means I will lose all my website data, doesn't it?
     
  19. pablo777

    pablo777 Member

    Hi, I managed to gain access; I will tell you what I did. I reset my router and changed the wireless password for it, then cleared my browser history and cache. This seemed to have fixed the problem and I was able to log in to WHM again, whoo hoo. :) I hope this helps others in the future if they have a similar problem.
     
  20. pablo777

    pablo777 Member


    Hi, the server is not running on my own network; it's a private VPS. How do I go about setting my own IP? Because my IP changes daily or when I reset my router. Today my WHM locked me out because I was using an old IP? Also, I am about to install what you said. I'm a complete newbie to servers and the support for the VPS is crap because it's unmanaged, so I have to learn it all or get valuable advice off people like you. Thanks for the reply anyway, and hoping to discuss further with you. :)
     