var sidebar_align = 'right';
var content_container_margin = parseInt('350px');
var sidebar_width = parseInt('330px');
Somebody or script is changing my cPanel passwords?
Today my root password was changed and a couple of my clients had their cPanel password changed also.
Was I hacked or is this something else? Maybe a bug in cPanel?
How do I check for who accessed and from what IP to WHM?
Check /var/log/secure for last ssh access. Also check crons and cron logs.
These are the only ones I found related to root:
Oct 16 12:24:29 server1 Cp-Wrap: Pushing "1296 ADDUSER root XXXXXXXXXXXX" to '/usr/local/cpanel/bin/mysqladmin' for UID: 1296
Oct 16 12:24:29 server1 Cp-Wrap: Pushing "1296 LISTPRIVS root localhost mybase " to '/usr/local/cpanel/bin/mysqladmin' for UID: 1296
change your root password and keep watching the log.
Check if the anyone/attacker had logged into WHM using the root password.
Also check the bash history file of the root user and see if there are any suspicious commands executed, if so you need to take the machine offline and build from scratch.
grep root /usr/local/cpanel/logs/access_log
Checking the access log now, it's over 150MB.
cat/root/.bash_history shows nothing suspicious
By jmaskell in forum Dedicated Server
Last Post: 07-25-2008, 09:44 AM
By cassini_rings in forum Programming Discussion
Last Post: 05-06-2005, 05:49 AM
By El Nino in forum Hosting Software and Control Panels
Last Post: 01-09-2004, 05:16 PM
By shavik in forum Hosting Security and Technology
Last Post: 05-01-2003, 08:48 AM
By Tina J in forum Web Hosting
Last Post: 05-26-2001, 06:56 AM