Web Hosting Talk







Need Help ASAP. CPanel Problem with usernames.


FredTT
08-12-2003, 09:31 PM
Ok, all our accounts were deleted from CPanel so we are manually recreating them. However, our problem is that it keeps saying our Username is taken. It is not listed under List Accounts in WHM but we can see all the accounts under "Edit A DNS Zone" and in a few other places. What file do we have to delete or edit to get rid of the residue of the old usernames?

M7I
08-12-2003, 09:34 PM
Were the accounts deleted or did they just show up missing in Cpanel WHM one day? We had the latter happen and running /scripts/upcp brought all of the accounts back.

Just a thought, I apologize if it is not relevant to your situation.

sprintserve
08-12-2003, 09:37 PM
Check

1. /usr/local/apache/conf/httpd.conf - Under the virtual directory section. If the hacker (I presume it's related to the issue mentioned in another thread) just deleted the data files, you've got quite a lot to clean up.
2. /etc/localdomains
3. /var/named/ - for the DNS zones


Generally, if you are hacked, you should wipe the whole hard disk and reinstall everything. Then you should start recreating the accounts. That will be safer and would solve the problem you mention of the username being taken.
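
An added example, not part of sprintserve's post or of cPanel's own tooling: a read-only check of the three locations listed above for leftovers of a removed account. It looks up the account's domain rather than the username, assuming vhosts carry `ServerName`/`ServerAlias` lines and zone files are named `<domain>.db`; `find_residue`, `make_sample_tree` and the `.test` domains are constructed for illustration.

```shell
#!/bin/sh
# Added example. ROOT is an assumed prefix so the check can run against a
# copy or mounted image of the old disk; empty means the live system.
find_residue() {
    domain=$1
    root=${2:-}
    # Escape dots so they match literally inside the regex below.
    pat=$(printf '%s' "$domain" | sed 's/\./\\./g')
    conf="$root/usr/local/apache/conf/httpd.conf"
    # 1. A virtual host still naming the domain (optionally with www.).
    if [ -f "$conf" ] && grep -Eiq \
        "^[[:space:]]*Server(Name|Alias)[[:space:]]+(.*[[:space:]])?(www\.)?${pat}([[:space:]]|\$)" \
        "$conf"; then
        echo "/usr/local/apache/conf/httpd.conf"
    fi
    # 2. An exact, whole-line entry in localdomains.
    if [ -f "$root/etc/localdomains" ] &&
        grep -Fxq "$domain" "$root/etc/localdomains"; then
        echo "/etc/localdomains"
    fi
    # 3. A leftover zone file (assumed naming: <domain>.db).
    if [ -f "$root/var/named/$domain.db" ]; then
        echo "/var/named/$domain.db"
    fi
    return 0
}

# Constructed sample tree: gone.test is left in all three places,
# other.test only in localdomains.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/local/apache/conf" "$t/etc" "$t/var/named"
    cat > "$t/usr/local/apache/conf/httpd.conf" <<'EOF'
<VirtualHost 192.0.2.10>
    ServerName gone.test
    ServerAlias www.gone.test
    DocumentRoot /home/gone/public_html
</VirtualHost>
EOF
    printf 'gone.test\nother.test\n' > "$t/etc/localdomains"
    : > "$t/var/named/gone.test.db"
    echo "$t"
}

# Demo run against the constructed tree.
demo=$(make_sample_tree)
find_residue gone.test "$demo"
rm -rf "$demo"
```

The function only reads and prints the paths that still mention the domain, so it can be pointed at a copy of the old disk before anything is edited.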

FredTT
08-12-2003, 09:54 PM
/scripts/upcp did not work. I'll try your suggestion sprintserve.

sprintserve
08-12-2003, 09:58 PM
/scripts/upcp does nothing other than to update the control panel software. It doesn't help in this case.

FredTT
08-12-2003, 10:02 PM
We asked our DC to wipe everything but they did not.

thedavid
08-12-2003, 10:47 PM
Originally posted by HiyaCorp
We asked our DC to wipe everything but they did not.

Ask them again - if you've been compromised, it's the safest way to go. Unless you really know what to look for, you may overlook something and have the same problem all over again.

If any of ours get compromised, we'd wipe everything clean, re-patch and restore the accounts from a remote source. It's the safest way. That's one of our recovery plans anyway (in a nutshell) - we haven't needed to do any of them yet.

-David

sitekeeper
08-12-2003, 11:00 PM
Yes thedavid is so right, don't even think of using the server until it has been re-imaged! Be sure it has been done too, you might have to pay but it has to be done.

FredTT
08-12-2003, 11:46 PM
It is being done right now. I'm using a completely new hard drive also.

thedavid
08-12-2003, 11:50 PM
Originally posted by HiyaCorp
It is being done right now. I'm using a completely new hard drive also.

Good - you don't want to put yourself or your customers in the position of being compromised not once, but twice because of the same intrusion. Best of luck to you.

-David

sprintserve
08-13-2003, 12:16 AM
You should also scan your backups to ensure that there are no suspicious files. Sometimes, these guys compromise the machines beforehand and they may just leave some backdoor for themselves.

FredTT
08-13-2003, 12:26 AM
Thank you for all your advice

M7I
08-13-2003, 01:01 PM
Sorry, wrong thread.