What is the difference between a root level compromise and a website or account level compromise?
A root-level compromised / hacked server is one where unauthorized access has been gained to an administrator-level account. That would be any account that has access to use the sudo command or any user that has a UID of 0 (which includes the root administrator user by default).
If a server has been root compromised it is impossible to clean or fix that server. The only solution is to migrate to a newly installed server that is not compromised. Please review our documentation that goes into more detail about this:
A website or account level compromise / hack is one where access has been gained to the cPanel user. This would allow the attacker to access the files, databases, emails, and website files of the account. This kind of compromise is limited to that account and cannot spread to other cPanel accounts. This kind of compromise is not able to gain administrative access to the rest of the server.
You can learn more about your next steps in this situation here: