The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WHM got hacked even I changed the root password

Discussion in 'Security' started by designmania, Jul 31, 2012.

  1. designmania

    designmania Member

    Joined:
    Nov 10, 2011
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi,

    Some of my clients' websites got hacked recently. I am sure that I have removed all of the infected files. I use maldet to find the infected file and also blocked some suspicious IPs. However, the hacker still have the ability to create Cpanel accounts by using different reseller accounts under my WHM.

    Does anyone know how to find out where's the security leak of my Cpanel/WHM that allows the hacker to login or to find out any script that the hacker has installed to my server?

    I have changed my root password many times, but I still cannot get rid of that sucker. Please help. Thank you very much for your help. :(
     
    #1 designmania, Jul 31, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    24
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you checked the /usr/local/cpanel/logs/access_log for the IP of the individual? After you have that IP, check /var/log/secure as well as /var/log/messages, /usr/local/apache/logs/* and /usr/local/apache/domlogs/* for any entries by the same IP.

    To see if the user has actual root access, check last for that IP:

    Code:
    last | grep IP#
    Please replace IP# with that individual's IP number.
     
    #2 cPanelTristan, Jul 31, 2012
  3. Arsalan

    Arsalan Well-Known Member

    Joined:
    Jan 5, 2002
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    306
    Also change your Remote Access Key (WHM > Cluster/Remote Access > Setup Remote Access Key)

    Good luck!!
     
    #3 Arsalan, Aug 1, 2012
  4. PlotHost

    PlotHost Well-Known Member

    Joined:
    Apr 29, 2011
    Messages:
    254
    Likes Received:
    2
    Trophy Points:
    68
    Location:
    US
    cPanel Access Level:
    Root Administrator
    Twitter:
    I would also change the passwords for the reseller accounts.
     
    #4 PlotHost, Aug 1, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - hacked changed root
  1. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    163
    Jcats
    Jun 23, 2017 at 1:40 PM
  2. Vladimir Šebez

    Possible mysql root password hacked

    Vladimir Šebez, Nov 15, 2016, in forum: Security
    Replies:
    6
    Views:
    442
    cPanelMichael
    Nov 18, 2016
  3. ruzbehraja

    Standard Operating Procedure for dealing with email abuse or hacked email accounts

    ruzbehraja, Aug 23, 2016, in forum: E-mail Discussions
    Replies:
    1
    Views:
    347
    cPanelMichael
    Aug 24, 2016
  4. Svemir

    Cpanel Account Hacked

    Svemir, Feb 15, 2016, in forum: Security
    Replies:
    3
    Views:
    1,140
    cPanelMichael
    Feb 18, 2016
  5. LaxSlash1993

    Hacked by another mail server?

    LaxSlash1993, Oct 14, 2015, in forum: Security
    Replies:
    5
    Views:
    598
    keat63
    Nov 2, 2015

Share This Page