spear1976

Member
Jun 23, 2014
cPanel Access Level
Reseller Owner
Hi,

I think my site got hacked. I'm not sure how, but this is what has happened:

When I log in through the WHM site with regular user/password, I get "invalid login".
I have logged into my root account on SSH (which works), and tried running
"/usr/local/cpanel/scripts/realchpass root MYPASS", but then get the following message:

Code:
File hosts.deny not changed so no update needed
[email protected] [/etc]#  /usr/local/cpanel/scripts/realchpass root ************
warn [realchpass] Insecure passing of password on ARGV.
ERROR: /usr/local/cpanel/scripts/realchpass
Invocation changes only the system
password and does not have any effect
on other services associated with your
cPanel account, including FTP, SSH,
WebDAV, and FrontPage.  It is strongly
encouraged for you to change the
password via the WHM & cPanel
interface. You can force a password
change through this script by setting
the environment variable
'ALLOW_PASSWORD_CHANGE=1'.
I had 32 attempts to log in this night, all from China, but they are still trying for some reason. My system was pretty tight after definition of the security advisor, so I'm not sure what has happened.

How can I restore access? Am I doing something wrong from the command line? Or is there another way in apart from reinstall of system?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Are you sure that authentication has not been blocked by cPhulk brute force detection? Are you able to access Web Host Manager as "root" to see if it's enabled?

Thank you.
 

spear1976

Member
Jun 23, 2014
cPanel Access Level
Reseller Owner
Hi again,

This is what my cPanel WHM error log says:

Code:
Duplicate logaccess:  at cpsrvd-ssl line 3561
        cpanel::cpsrvd::logaccess() called at cpsrvd-ssl line 3142
        cpanel::cpsrvd::badpass(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, 1, __CPANEL_HIDDEN__, 1, __CPANEL_HIDDEN__, 1) called at cpsrvd-ssl line 6377
        cpanel::cpsrvd::docheckpass_whostmgrd(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, undef, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, ...) called at cpsrvd-ssl line 5571
        cpanel::cpsrvd::handle_form_login() called at cpsrvd-ssl line 1287
        cpanel::cpsrvd::handle_one_connection() called at cpsrvd-ssl line 1149
        cpanel::cpsrvd::script() called at cpsrvd-ssl line 435
 

spear1976

Member
Jun 23, 2014
cPanel Access Level
Reseller Owner
Hi,

(embarrassing)
After running cpup, and changing root password, I got in.
However the root change did not work before the manual cpup.
Hopefully someone can tell me more about the error log from cpup posted earlier.

(Poor moderator, sorry for my many posts)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
The output you provided can happen when you attempt to access cPanel with invalid login credentials. Internal case number 97525 is open to address that issue, but it's not the cause of the failed login itself.

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
If you need to change the root password from the command line you should probably use the passwd utility, not the cPanel "realchpass" function.

Also, you (or a mod) should munge the password in your first post ;)
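
The "Insecure passing of password on ARGV" warning in the first post, shown as an added example (not part of the thread and not cPanel code): on Linux a process's arguments are readable from /proc by default, while data sent on stdin is not. `DEMO_SECRET`, `fake-chpass` and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added demo: compare what /proc exposes when a secret is passed on ARGV
# versus on stdin. DEMO_SECRET is a constructed value, not a real credential.
# Assumes Linux with /proc mounted.
DEMO_SECRET='Constructed-Demo-Pass-1'

# Succeeds if the command line of PID $1 contains the demo secret.
secret_in_cmdline() {
    2>/dev/null tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$DEMO_SECRET"
}

# Prints "leaked" or "hidden" for PID $1, then waits for it to exit.
report() {
    sleep 1                          # give the child time to exec
    if secret_in_cmdline "$1"; then result=leaked; else result=hidden; fi
    wait "$1" 2>/dev/null || true
    echo "$result"
}

# Stand-in for a password tool that takes the new password as an argument,
# the pattern realchpass warned about.
check_argv() {
    sh -c 'sleep 2; exit 0' fake-chpass root "$DEMO_SECRET" >/dev/null 2>&1 &
    report "$!"
}

# Same stand-in, but the secret arrives on stdin (printf is a shell builtin,
# so the secret never becomes an argument of any external process).
check_stdin() {
    printf '%s\n' "root:$DEMO_SECRET" |
        sh -c 'read -r line; sleep 2; exit 0' fake-chpass >/dev/null 2>&1 &
    report "$!"
}

echo "secret on ARGV:  $(check_argv)"
echo "secret on stdin: $(check_stdin)"
```

An argument typed at the prompt also lands in shell history; the interactive `passwd` utility suggested above prompts on the terminal instead, so the password appears in neither place.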