Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

WHM got hacked even I changed the root password

Discussion in 'Security' started by designmania, Jul 31, 2012.

  1. designmania

    designmania Member

    Joined:
    Nov 10, 2011
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi,

    Some of my clients' websites got hacked recently. I am sure that I have removed all of the infected files. I use maldet to find the infected file and also blocked some suspicious IPs. However, the hacker still have the ability to create Cpanel accounts by using different reseller accounts under my WHM.

    Does anyone know how to find out where's the security leak of my Cpanel/WHM that allows the hacker to login or to find out any script that the hacker has installed to my server?

    I have changed my root password many times, but I still cannot get rid of that sucker. Please help. Thank you very much for your help. :(
     
    #1 designmania, Jul 31, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,606
    Likes Received:
    33
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you checked the /usr/local/cpanel/logs/access_log for the IP of the individual? After you have that IP, check /var/log/secure as well as /var/log/messages, /usr/local/apache/logs/* and /usr/local/apache/domlogs/* for any entries by the same IP.

    To see if the user has actual root access, check last for that IP:

    Code:
    last | grep IP#
    Please replace IP# with that individual's IP number.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelTristan, Jul 31, 2012
  3. Arsalan

    Arsalan Well-Known Member

    Joined:
    Jan 5, 2002
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    306
    Also change your Remote Access Key (WHM > Cluster/Remote Access > Setup Remote Access Key)

    Good luck!!
     
    #3 Arsalan, Aug 1, 2012
  4. PlotHost

    PlotHost Well-Known Member

    Joined:
    Apr 29, 2011
    Messages:
    258
    Likes Received:
    4
    Trophy Points:
    68
    Location:
    US
    cPanel Access Level:
    Root Administrator
    Twitter:
    I would also change the passwords for the reseller accounts.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 PlotHost, Aug 1, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - hacked changed root
  1. JarekN

    Site keeps on getting hacked - infected files

    JarekN, Mar 15, 2018, in forum: Security
    Replies:
    6
    Views:
    1,770
    cPanelMichael
    Mar 15, 2018
  2. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    1,919
    Jcats
    Jun 23, 2017
  3. Ramon Pego

    SOLVED Changed default root directory SSL points to old location

    Ramon Pego, May 17, 2019, in forum: Security
    Replies:
    2
    Views:
    111
    Ramon Pego
    May 17, 2019
  4. ebizindia

    Alert on forwarders' changed

    ebizindia, Mar 26, 2019, in forum: E-mail Discussion
    Replies:
    1
    Views:
    377
    cPanelMichael
    Mar 27, 2019
  5. magj

    Licensed change to trial when I changed my primary IP address

    magj, Mar 16, 2019, in forum: General Discussion
    Replies:
    4
    Views:
    508
    cPanelLauren
    Apr 4, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice