Somebody or script is changing my cPanel passwords?




Posted by chasebug, 10-18-2009, 03:08 AM
Today my root password was changed and a couple of my clients had their cPanel passwords changed also. Was I hacked or is this something else? Maybe a bug in cPanel? How do I check who accessed WHM and from what IP?

Posted by Syslint, 10-18-2009, 03:14 AM
Check /var/log/secure for last ssh access. Also check crons and cron logs.

Posted by chasebug, 10-18-2009, 04:04 AM
These are the only ones I found related to root:
Oct 16 12:24:29 server1 Cp-Wrap[14267]: Pushing "1296 ADDUSER root XXXXXXXXXXXX" to '/usr/local/cpanel/bin/mysqladmin' for UID: 1296
Oct 16 12:24:29 server1 Cp-Wrap[14269]: Pushing "1296 LISTPRIVS root localhost mybase " to '/usr/local/cpanel/bin/mysqladmin' for UID: 1296

Posted by boxer, 10-18-2009, 06:27 AM
Change your root password and keep watching the log.

Posted by eth1, 10-18-2009, 07:46 AM
Check if anyone/an attacker had logged into WHM using the root password. Also check the bash history file of the root user and see if there are any suspicious commands executed; if so, you need to take the machine offline and build from scratch.

Posted by chasebug, 10-18-2009, 09:43 AM
Checking the access log now, it's over 150MB. cat /root/.bash_history shows nothing suspicious.
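
Added example, not part of any post in this thread: one way to reduce /var/log/secure and a large access log to a per-IP count of root activity, which is what the question asks for. It assumes the stock OpenSSH "Accepted ... for USER from IP" syslog message and a combined-log style access log with the client IP in field 1 and the authenticated user in field 3 (check a few lines of your own log first); the function names and all sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Sample log lines below are constructed.

# Count successful SSH logins for a user, per source IP (stock OpenSSH
# "Accepted <method> for <user> from <ip> port <n>" syslog message).
ssh_logins_by_ip() {   # usage: ssh_logins_by_ip FILE USER
  awk -v u="$2" '$5 ~ /^sshd\[/ && $6 == "Accepted" && $9 == u && $10 == "from" { n[$11]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Count requests authenticated as a user, per client IP, in a combined-log
# style access log (assumption: client IP in field 1, user in field 3).
web_requests_by_ip() { # usage: web_requests_by_ip FILE USER
  awk -v u="$2" '$3 == u { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Constructed sample data (documentation IP ranges), so the script runs offline.
SECURE=$(mktemp); ACCESS=$(mktemp)
trap 'rm -f "$SECURE" "$ACCESS"' EXIT
cat > "$SECURE" <<'EOF'
Oct 16 09:02:11 server1 sshd[2101]: Accepted password for root from 198.51.100.20 port 40112 ssh2
Oct 16 11:58:40 server1 sshd[9931]: Failed password for root from 203.0.113.7 port 51877 ssh2
Oct 16 12:20:03 server1 sshd[9940]: Accepted password for root from 203.0.113.7 port 51902 ssh2
Oct 16 12:31:45 server1 sshd[9987]: Accepted password for root from 203.0.113.7 port 52010 ssh2
Oct 16 13:05:09 server1 sshd[10410]: Accepted publickey for backup from 198.51.100.20 port 40555 ssh2
EOF
cat > "$ACCESS" <<'EOF'
198.51.100.20 - root [10/16/2009:09:05:00 -0000] "GET /example/page HTTP/1.1" 200 0 "-" "ExampleBrowser"
203.0.113.7 - root [10/16/2009:12:21:10 -0000] "GET /example/page HTTP/1.1" 200 0 "-" "ExampleBrowser"
203.0.113.7 - root [10/16/2009:12:21:30 -0000] "POST /example/form HTTP/1.1" 200 0 "-" "ExampleBrowser"
203.0.113.7 - root [10/16/2009:12:22:02 -0000] "POST /example/form HTTP/1.1" 200 0 "-" "ExampleBrowser"
192.0.2.44 - client1 [10/16/2009:12:40:00 -0000] "GET /example/page HTTP/1.1" 200 0 "-" "ExampleBrowser"
EOF

echo "SSH logins as root, per IP:";   ssh_logins_by_ip "$SECURE" root
echo "Web requests as root, per IP:"; web_requests_by_ip "$ACCESS" root
```

awk reads the file as a stream, so a 150MB log is summarised in one pass; any IP in the output that is not yours is the one to trace further in the full log.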


