Skip to main content

cPanel password change

Comments

3 comments

  • cPRex Jurassic Moderator
    Hey there! Have you confirmed in the cPanel access logs that the password is being changed through the end-user interface? Accessing the cPanel >> Password and Security page will show up as an entry like this in the cPanel access log file, /usr/local/cpanel/logs/access_log: x.x.x.x - username [10/03/2023:14:52:15 -0000] "GET /cpsess##########/frontend/jupiter/passwd/index.html HTTP/1.1" 200 0 "https://host.domain.com:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0" "s" "-" 2083
    where "x.x.x.x" is the user's IP that is accessing the server.
    0
  • Stella@webhostingworld
    IPs show up as VPN and also Proxy server IPs
    0
  • cPRex Jurassic Moderator
    If they aren't the IPs that you expect from the end user, it's possible that user's local system has been compromised by a key logger or another similar tool that is allowing the hacker to get the password initially, and then change it in cPanel.
    0

Please sign in to leave a comment.