I am seeing a strange contact email address for a cPanel account after it was cleaned of malware due to an exploit in a script on my website.
If one of your cPanel users had a vulnerability in their website's script that lead to strange files being created under the account it is possible that additional malware is preset. This can lead to strange behaviors such as additional files being uploaded or potentially the cPanel user's contact email address being updated.
We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-40034. Follow this article to receive an email notification when a solution is published in the product.
Update the cPanel contact email address for the account. Then enable Two Factor Authentication for your cPanel accounts will help prevent any unauthorized logins to the user's cPanel interface. The following article shows the procedure for enabling 2FA.
How to enable Two Factor Authentication (2FA) for cPanel users
For further information on how to handle an account compromise we have an in depth collection of articles you can find here:
What can be done if a cPanel account is compromised?