What can be done if a cPanel account is compromised?
The best course of action to recover from a compromised account is to restore from a backup, change all passwords on the account, revoke any ssh keys, and enable Two Factor authentication. You can read more about how to do these tasks here:
Two Factor Auth:
Revoke SSH Keys:
If you would like to find information about how the account was compromised or what kind of malware might be on an account, you must reach out to a security specialist that has the skills, training, and expertise required to perform an investigation.
If you would like to take steps to help mitigate this kind of issue in the future, you may be interested in reviewing the following resources: