Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WHM got hacked even I changed the root password

Discussion in 'Security' started by designmania, Jul 31, 2012.

  1. designmania

    designmania Member

    Joined:
    Nov 10, 2011
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi,

    Some of my clients' websites got hacked recently. I am sure that I have removed all of the infected files. I use maldet to find the infected file and also blocked some suspicious IPs. However, the hacker still have the ability to create Cpanel accounts by using different reseller accounts under my WHM.

    Does anyone know how to find out where's the security leak of my Cpanel/WHM that allows the hacker to login or to find out any script that the hacker has installed to my server?

    I have changed my root password many times, but I still cannot get rid of that sucker. Please help. Thank you very much for your help. :(
     
    #1 designmania, Jul 31, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,609
    Likes Received:
    31
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you checked the /usr/local/cpanel/logs/access_log for the IP of the individual? After you have that IP, check /var/log/secure as well as /var/log/messages, /usr/local/apache/logs/* and /usr/local/apache/domlogs/* for any entries by the same IP.

    To see if the user has actual root access, check last for that IP:

    Code:
    last | grep IP#
    Please replace IP# with that individual's IP number.
     
    #2 cPanelTristan, Jul 31, 2012
  3. Arsalan

    Arsalan Well-Known Member

    Joined:
    Jan 5, 2002
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    306
    Also change your Remote Access Key (WHM > Cluster/Remote Access > Setup Remote Access Key)

    Good luck!!
     
    #3 Arsalan, Aug 1, 2012
  4. PlotHost

    PlotHost Well-Known Member

    Joined:
    Apr 29, 2011
    Messages:
    255
    Likes Received:
    2
    Trophy Points:
    68
    Location:
    US
    cPanel Access Level:
    Root Administrator
    Twitter:
    I would also change the passwords for the reseller accounts.
     
    #4 PlotHost, Aug 1, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - hacked changed root
  1. JarekN

    Site keeps on getting hacked - infected files

    JarekN, Mar 15, 2018, in forum: Security
    Replies:
    6
    Views:
    142
    cPanelMichael
    Mar 15, 2018
  2. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    1,049
    Jcats
    Jun 23, 2017
  3. Vladimir Šebez

    Possible mysql root password hacked

    Vladimir Šebez, Nov 15, 2016, in forum: Security
    Replies:
    6
    Views:
    943
    cPanelMichael
    Nov 18, 2016
  4. ruzbehraja

    Standard Operating Procedure for dealing with email abuse or hacked email accounts

    ruzbehraja, Aug 23, 2016, in forum: E-mail Discussions
    Replies:
    1
    Views:
    661
    cPanelMichael
    Aug 24, 2016
  5. panicx90

    Your IP address has been changed, please sign in again

    panicx90, Mar 15, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    70
    cPanelMichael
    Mar 15, 2018

Share This Page