Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

WHM got hacked even I changed the root password

Discussion in 'Security' started by designmania, Jul 31, 2012.

  1. designmania

    designmania Member

    Joined:
    Nov 10, 2011
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi,

    Some of my clients' websites got hacked recently. I am sure that I have removed all of the infected files. I use maldet to find the infected file and also blocked some suspicious IPs. However, the hacker still have the ability to create Cpanel accounts by using different reseller accounts under my WHM.

    Does anyone know how to find out where's the security leak of my Cpanel/WHM that allows the hacker to login or to find out any script that the hacker has installed to my server?

    I have changed my root password many times, but I still cannot get rid of that sucker. Please help. Thank you very much for your help. :(
     
    #1 designmania, Jul 31, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    33
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you checked the /usr/local/cpanel/logs/access_log for the IP of the individual? After you have that IP, check /var/log/secure as well as /var/log/messages, /usr/local/apache/logs/* and /usr/local/apache/domlogs/* for any entries by the same IP.

    To see if the user has actual root access, check last for that IP:

    Code:
    last | grep IP#
    Please replace IP# with that individual's IP number.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelTristan, Jul 31, 2012
  3. Arsalan

    Arsalan Well-Known Member

    Joined:
    Jan 5, 2002
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    306
    Also change your Remote Access Key (WHM > Cluster/Remote Access > Setup Remote Access Key)

    Good luck!!
     
    #3 Arsalan, Aug 1, 2012
  4. PlotHost

    PlotHost Well-Known Member

    Joined:
    Apr 29, 2011
    Messages:
    255
    Likes Received:
    2
    Trophy Points:
    68
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I would also change the passwords for the reseller accounts.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 PlotHost, Aug 1, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - hacked changed root
  1. JarekN

    Site keeps on getting hacked - infected files

    JarekN, Mar 15, 2018, in forum: Security
    Replies:
    6
    Views:
    1,249
    cPanelMichael
    Mar 15, 2018
  2. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    1,736
    Jcats
    Jun 23, 2017
  3. JurgenS

    Version changed from alt-php to EA-php?

    JurgenS, Jan 10, 2019, in forum: EasyApache
    Replies:
    2
    Views:
    175
    rpvw
    Jan 10, 2019
  4. Wabun

    Downgrade cPanel v74 to any version where no API is changed

    Wabun, Nov 7, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    322
    cPanelLauren
    Dec 10, 2018
  5. APatchworkBoy

    Changed MySQL root pw, Service Status: down (but it isn't)

    APatchworkBoy, Oct 25, 2018, in forum: Database Discussion
    Replies:
    6
    Views:
    207
    cPanelLauren
    Oct 26, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice