WHM got hacked even though I changed the root password

designmania

Member
Nov 10, 2011
cPanel Access Level
Root Administrator
Hi,

Some of my clients' websites got hacked recently. I am sure that I have removed all of the infected files. I use maldet to find the infected files and also blocked some suspicious IPs. However, the hacker still has the ability to create cPanel accounts by using different reseller accounts under my WHM.

Does anyone know how to find out where the security leak in my cPanel/WHM is that allows the hacker to log in, or how to find any script that the hacker has installed on my server?

I have changed my root password many times, but I still cannot get rid of that sucker. Please help. Thank you very much for your help. :(
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
Have you checked the /usr/local/cpanel/logs/access_log for the IP of the individual? After you have that IP, check /var/log/secure as well as /var/log/messages, /usr/local/apache/logs/* and /usr/local/apache/domlogs/* for any entries by the same IP.

To see if the user has actual root access, check last for that IP:

Code:
last | grep IP#
Please replace IP# with that individual's IP number.
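
The log checks described in the reply above, collected into one script. This is an added example, not code posted by anyone in the thread; the `LOG_ROOT` variable, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): trace one IP across the logs named above.

# trace_ip IP [ROOT] -> prints "<matching lines> <file>" for each log with hits.
# ROOT is a hypothetical prefix for running against a copy of the logs.
trace_ip() {
    ti_ip=$1; ti_root=${2:-}
    for ti_f in "$ti_root"/usr/local/cpanel/logs/access_log \
                "$ti_root"/var/log/secure \
                "$ti_root"/var/log/messages \
                "$ti_root"/usr/local/apache/logs/* \
                "$ti_root"/usr/local/apache/domlogs/*; do
        [ -f "$ti_f" ] || continue
        # -F keeps the dots literal; -w stops 203.0.113.7 matching 203.0.113.70
        ti_n=$(grep -cwF -- "$ti_ip" "$ti_f") || true
        if [ "${ti_n:-0}" -gt 0 ]; then printf '%s %s\n' "$ti_n" "$ti_f"; fi
    done
}

# make_sample_logs DIR -> writes constructed log lines (documentation IPs) under DIR.
make_sample_logs() {
    mkdir -p "$1/usr/local/cpanel/logs" "$1/var/log" "$1/usr/local/apache/domlogs"
    printf '%s\n' \
        '203.0.113.7 - reseller1 [10/Nov/2011:03:12:01 -0600] "POST /login/ HTTP/1.1" 200' \
        '203.0.113.70 - - [10/Nov/2011:03:13:09 -0600] "GET / HTTP/1.1" 200' \
        > "$1/usr/local/cpanel/logs/access_log"
    printf '%s\n' \
        'Nov 10 03:10:44 host sshd[811]: Failed password for root from 203.0.113.70 port 4242 ssh2' \
        > "$1/var/log/secure"
    printf '%s\n' \
        '203.0.113.7 - - [10/Nov/2011:03:15:40 -0600] "POST /upload.php HTTP/1.1" 200 512' \
        '203.0.113.7 - - [10/Nov/2011:03:15:52 -0600] "GET /upload.php HTTP/1.1" 200 87' \
        > "$1/usr/local/apache/domlogs/example.test"
}

# Usage on the server: sh trace_ip.sh 203.0.113.7
if [ "$#" -ge 1 ]; then
    trace_ip "$1" "${LOG_ROOT:-}"
    # -i prints numeric addresses, so a resolved hostname cannot hide the IP
    last -i | grep -wF -- "$1" || echo "no logins from $1 recorded in wtmp"
fi
```

A plain `grep IP#` also matches longer addresses that merely start with the same digits, which is why the whole-token match matters when deciding which log lines belong to the intruder.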
 

Arsalan

Well-Known Member
Jan 5, 2002
Also change your Remote Access Key (WHM > Cluster/Remote Access > Setup Remote Access Key)

Good luck!!