WHM got hacked even I changed the root password

[designmania]

Hi,

Some of my clients' websites got hacked recently. I am sure that I have removed all of the infected files. I use maldet to find the infected file and also blocked some suspicious IPs. However, the hacker still have the ability to create Cpanel accounts by using different reseller accounts under my WHM.

Does anyone know how to find out where's the security leak of my Cpanel/WHM that allows the hacker to login or to find out any script that the hacker has installed to my server?

I have changed my root password many times, but I still cannot get rid of that sucker. Please help. Thank you very much for your help.

 

[cPanelTristan]

Have you checked the /usr/local/cpanel/logs/access_log for the IP of the individual? After you have that IP, check /var/log/secure as well as /var/log/messages, /usr/local/apache/logs/* and /usr/local/apache/domlogs/* for any entries by the same IP.

To see if the user has actual root access, check last for that IP:

last | grep IP#

Please replace IP# with that individual's IP number.

 

[Arsalan]

Also change your Remote Access Key (WHM > Cluster/Remote Access > Setup Remote Access Key)

Good luck!!

 

[PlotHost]

I would also change the passwords for the reseller accounts.