WHM and Cpanel is giving 500 internal server error as someone hacked

Operating System & Version
ubuntu

sadek321

Registered
Jun 27, 2021
1
0
0
bd
cPanel Access Level
Reseller Owner
Hi all, recently I got hacked by someone, though all my websites are in subdomain and working, but i am not being able to edit, delete update any plugin and mostly i cannot login to whm or cpanel at all..

I am getting this error



cpsrvd Server at server2.se
Code:
Internal Server Error
500

Error ID 6fb4b5923991
cpsrvd Server at mystie.test
When I try to see the log using `tail -f /usr/local/cpanel/logs/error_log`, I see this




Code:
eval {...} called at /usr/local/cpanel/Cpanel/SafeFile.pm line 208
    Cpanel::SafeFile::safesysopen(undef, "/var/cpanel/sessions/temp_Cpanel::Mysql_.json", 66, 384) called at /usr/local/cpanel/Cpanel/SafeFile.pm line 123
    Cpanel::SafeFile::safesysopen_no_warn_on_fail(undef, "/var/cpanel/sessions/temp_Cpanel::Mysql_.json", 66, 384) called at /usr/local/cpanel/Cpanel/Transaction/File/Base.pm line 128
    Cpanel::Transaction::File::Base::new("Cpanel::Transaction::File::JSON", "path", "/var/cpanel/sessions/temp_Cpanel::Mysql_.json", "permissions", 384) called at bin/cpses_tool.pl line 210
    bin::cpses_tool::__ANON__() called at /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Try/Tiny.pm line 100
    eval {...} called at /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Try/Tiny.pm line 91
    Try::Tiny::try(CODE(0x1b25190), Try::Tiny::Catch=REF(0x1b8df68)) called at bin/cpses_tool.pl line 214
    bin::cpses_tool::action_CLEANUPSESSIONS("bin::cpses_tool", HASH(0x1b24e00)) called at bin/cpses_tool.pl line 76
    bin::cpses_tool::process_request(HASH(0x1b24e00)) called at bin/cpses_tool.pl line 61
    bin::cpses_tool::script("bin::cpses_tool") called at bin/cpses_tool.pl line 34

Anyone can help please?
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,562
2,611
363
cPanel Access Level
Root Administrator
Hey there! I'm sorry to hear about the server compromise. Are you not able to log in to WHM due to a password problem, or because you get an error on the screen? If it is due to an error, it might be best to restore the backups to a new server, as there is never a way to guarantee a compromised server has been cleaned.

If you have your backups stored on a separate drive, or at an offsite location, that would be the most ideal situation.