Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

WHM got hacked even I changed the root password

Discussion in 'Security' started by designmania, Jul 31, 2012.

  1. designmania

    designmania Member

    Joined:
    Nov 10, 2011
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi,

    Some of my clients' websites got hacked recently. I am sure that I have removed all of the infected files. I use maldet to find the infected file and also blocked some suspicious IPs. However, the hacker still have the ability to create Cpanel accounts by using different reseller accounts under my WHM.

    Does anyone know how to find out where's the security leak of my Cpanel/WHM that allows the hacker to login or to find out any script that the hacker has installed to my server?

    I have changed my root password many times, but I still cannot get rid of that sucker. Please help. Thank you very much for your help. :(
     
    #1 designmania, Jul 31, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you checked the /usr/local/cpanel/logs/access_log for the IP of the individual? After you have that IP, check /var/log/secure as well as /var/log/messages, /usr/local/apache/logs/* and /usr/local/apache/domlogs/* for any entries by the same IP.

    To see if the user has actual root access, check last for that IP:

    Code:
    last | grep IP#
    Please replace IP# with that individual's IP number.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelTristan, Jul 31, 2012
  3. Arsalan

    Arsalan Well-Known Member

    Joined:
    Jan 5, 2002
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    306
    Also change your Remote Access Key (WHM > Cluster/Remote Access > Setup Remote Access Key)

    Good luck!!
     
    #3 Arsalan, Aug 1, 2012
  4. PlotHost

    PlotHost Well-Known Member

    Joined:
    Apr 29, 2011
    Messages:
    255
    Likes Received:
    2
    Trophy Points:
    68
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I would also change the passwords for the reseller accounts.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 PlotHost, Aug 1, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - hacked changed root
  1. JarekN

    Site keeps on getting hacked - infected files

    JarekN, Mar 15, 2018, in forum: Security
    Replies:
    6
    Views:
    662
    cPanelMichael
    Mar 15, 2018
  2. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    1,479
    Jcats
    Jun 23, 2017
  3. Vladimir Šebez

    Possible mysql root password hacked

    Vladimir Šebez, Nov 15, 2016, in forum: Security
    Replies:
    6
    Views:
    1,162
    cPanelMichael
    Nov 18, 2016
  4. Garrettj94

    WordPress Site - File Randomly Changed

    Garrettj94, Oct 4, 2018, in forum: Security
    Replies:
    3
    Views:
    98
    cPanelLauren
    Oct 8, 2018
  5. YanoLoL

    Hostname changed and cannot read license file

    YanoLoL, Sep 17, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    114
    cPanelLauren
    Sep 18, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice