cPanel passwords are changing on their own in multiple VPS accounts

Kevin Arias

• March 10, 2025 14:37

Hello Guys!

I have a VPS on cPanel with multiple user accounts. One of the accounts uploaded a website that was hacked, affecting a couple of additional accounts. A cleanup of the affected files was performed, and with the help of ImunifyAV, all accounts were scanned for additional issues. The cron files of each account were also reviewed. There have been no further virus or hacking alerts for the accounts.

The problem I have now is that after the hack, the account administrators report that their passwords for accessing their cPanel accounts are being changed. The root account in WHM does not have this issue.

In WHM, I have configured access to cPanel to be allowed only from their public IP, but the issue persists.

Could you advise if there is any procedure or anything I can check to determine if there are any traces of the hack still affecting user accounts?

• 

  cPRex Jurassic Moderator

  • March 10, 2025 19:05

  Hey there!  It's impossible to say over a Forums post what could be happening with the system.  I'd recommend trying this command:

  curl -s https://ssp.cpanel.net/run | sh

   

  which is what we run on all machines that we login to through our internal ticket system.  That will check for common compromises.  You could also reach out to your host to see if they offer any security services.

  0
• 

  Kevin Arias

  • March 10, 2025 20:06

  Hello,

  Thanks for your response. I will check using the command you mentioned. I'm also consulting with the hosting provider to see how I can resolve the issue.

  If there are any other options I should consider, that would be helpful. Thanks in advance!

  0

Please sign in to leave a comment.