Root password reset: should I be worried?
I tried to log into WHM on my cloud account / vm as root, and found my current password had stopped working.
I contacted my hosting provider, and was told that the root password they had on file currently was not the one I had used the day before. They gave me a root password from their records and I could log in with that.
I asked them who had reset the password and why, but they said they had no record of it being reset. I asked them to doublecheck, and they told me that it was definitely nobody on their support team that had reset the password.
So I'm a little worried how the password got reset. My host had a record had a record of the correct password so surely that suggests it wasn't reset by a third party?
Is this normal? Should I be concerned?
I've changed the password to a brand-new strong one, but am not quite sure if I can forget it as just one of those things, or if I should be doing anything more.
Nothing obvious appears to have changed on the server and the websites hosted there seem to be behaving normally.
-
Hello :) Are you sure the root account was not locked out by cPhulk brute force detection? You can review /usr/local/cpanel/logs/login_log to see if you notice any particular error messages during the failed login attempts. Thank you. 0 -
I don't think so - my IP address was whitelisted, and is still in the whitelist. I just checked /usr/local/cpanel/logs/login_log - thanks for that suggestion - and I can see my attempts to login on that day, which each say: FAILED LOGIN whostmgrd: user password incorrect None of them mention CpHulk or being locked out, although I can see other attempts to log in from unfamiliar IP addresses at earlier and later dates that have been blocked by CpHulk, so I think if it had been that it would have been in the log. 0 -
You may want to consult with a security specialist or qualified system administrator if you want to have your system investigated to see if it was exploited. There's no way for us to tell you for sure if someone accessed your system. Thank you. 0
Please sign in to leave a comment.
Comments
3 comments