How to fix a compromised cPanel server / Rooted server
Resolving a compromised cPanel server is quite different to fixing a compromised users account. If you’ve not used cPanel for that long it’s likely you’re assuming you can just change the root password update your software and the problem will be resolved. It won’t.
Over the years there have been many examples of compromised cPanel servers, for example the old cPanel SYM Link problem which allowed users access to other parts of the server. Or what about the time cPanel technical support managed to get hacked themselves. Yes, they actually got hacked! From memory, it was a machine they used to access customer’s servers to resolve problems, it got infected and, in turn that machine then compromised what they say was hundreds of cPanel servers but I think it was thousands of cPanel servers. At one point cPanel technical support where reinstalling servers for license holders all over the place and Unfortunately, in both cases the only way to be sure that the server was secure was for a clean os to be deployed to the server.
So, don’t bother using maldet to scan your server if the root account has been compromised, backup all of the cPanel accounts to an offsite location, format the server and reinstall the software then use RSYNC to move the accounts back to the server for restoration.
If you’re a First2Host customer and have a management plan we can perform a recovery of your server included in your package just contact support and they will arrange this for you.
How was this article?