
whm/cpanel password change

Comments

11 comments

  • cPRex Jurassic Moderator
    Hey there! Can you get me more details about what you're seeing? Are users being prompted to change passwords, or are the passwords being reset without their knowledge?
    0
  • support@nilima
    Hello, users are not being prompted to change passwords, but the passwords are being reset without their knowledge, and after resetting to the default they work fine. This happens on all servers. How can we check which files exactly are being compromised for this password change on all accounts? Thank you,
    0
  • cPRex Jurassic Moderator
    I'm afraid I don't have a good explanation for this problem, especially if the issue is happening on multiple servers. I suppose it is always possible that a certain user infected multiple systems, but it would be best to submit a ticket to our team so we could review at least one of the affected machines and see if there are any obvious issues.
    0
  • support@nilima
    Hello, Ok, thank you for the update.
    0
  • Hatrix Hoster

    cPRex Hi team,

    I have also faced a similar problem in the past, and found out that an API token with something called "reverse_trust_" as a prefix is being created, causing the mass change of all cPanel account passwords automatically without any user/admin knowledge.

    That time I deleted the API token to fix it and changed the passwords for all cPanel users back to the old ones (from the WHMCS billing software). Now, 2-3 months later, I have seen the same issue again, quickly checked the API tokens in WHM, and found the same type of reverse_trust API token being generated automatically on all WHM servers (currently linked with WHMCS for billing purposes).

    sample: 

    reverse_trust_52b7-c2c3f-475a7-944f-e6a7dae71

     

    0
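An added example for the check described in the comment above (not code from cPanel or from any poster in this thread): it reads the JSON that `whmapi1 --output=json api_token_list` prints and lists tokens whose name starts with `reverse_trust_`, with creation and last-use times to line up against the password resets. The sample data is constructed, and the field names (`create_time`, `last_used`, `acls`) are an assumed layout to confirm against your server's real output.

```python
import json
import sys
from datetime import datetime, timezone

SUSPECT_PREFIX = "reverse_trust_"  # prefix reported in this thread

# Constructed sample; field layout is an assumption, token names are placeholders.
SAMPLE = """
{"metadata": {"result": 1, "command": "api_token_list"},
 "data": {"tokens": {
   "whmcs_billing": {"name": "whmcs_billing", "create_time": 1672531200,
                     "last_used": 1699000000, "acls": ["create-acct", "passwd"]},
   "reverse_trust_EXAMPLE-0001": {"name": "reverse_trust_EXAMPLE-0001",
                     "create_time": 1700000000, "last_used": null, "acls": ["all"]}
 }}}
"""

def _ts(epoch):
    """Render an epoch value as UTC text; missing or zero means never."""
    if not epoch:
        return "never"
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")

def flag_tokens(raw_json, prefix=SUSPECT_PREFIX):
    """Return the tokens whose name starts with `prefix`, sorted by name."""
    doc = json.loads(raw_json)
    if doc.get("metadata", {}).get("result") != 1:
        raise ValueError("api_token_list did not report success")
    tokens = doc.get("data", {}).get("tokens") or {}
    hits = []
    for name, info in sorted(tokens.items()):
        if name.startswith(prefix):
            hits.append({"name": name,
                         "created": _ts(info.get("create_time")),
                         "last_used": _ts(info.get("last_used")),
                         "acls": info.get("acls") or []})
    return hits

if __name__ == "__main__":
    # Pipe real output in, or run with no input to see the constructed sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for hit in flag_tokens(raw):
        print("{name}\tcreated={created}\tlast_used={last_used}\tacls={acls}".format(**hit))
```

Run it on each affected server (for example `whmapi1 --output=json api_token_list | python3 flag_tokens.py`, where the script file name is hypothetical) and compare the creation times across machines.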
  • Hatrix Hoster

    cPRex I wanted to know what the cause of this is. How should I prevent it in the future?

    I think this reverse_trust thing is related to WHM itself rather than any third-party or attacker intervention.

    0
  • cPRex Jurassic Moderator

    The only context we use "reverse trust" for is DNS clusters, so I'm not aware of any usage of that term related to WHMCS.  Do you have a DNS cluster in place on that machine?

    0
  • Hatrix Hoster

    No, we don't have anything related to a DNS cluster. It's a single-node server.

    I am also afraid of this strange/unexpected automated task in WHM.

    The WHM I am using is not even the root one. It's a reseller-privilege WHM account with non-root access.

    0
  • cPRex Jurassic Moderator

    I can't say for sure what may be happening here, especially if you don't have root access to the server.  Can you speak with the host or someone with root access to see if they may have more ideas about what the cause may be?

    0
  • Hatrix Hoster

    No no, you got it wrong.

    I mean I am not directly using the root account with the WHMCS>server (for safety purposes).
    I am the WHM administrator myself. I do have root access to the server itself.

    I have around 5 WHM reseller accounts: 2 with one provider, another 2 with another provider, and one with my own root access.

    The mass password change for cPanel was found to have been performed on all 5 at once.

    0
  • cPRex Jurassic Moderator

    Could you create a ticket so this can be investigated?  It sounds like there could be a serious security issue on the machine.

    0
