- 10-10-2012 #1 (Just Joined!, Join Date: Jun 2012, Posts: 12)
WHM server hacked, lost root access
I have a huge problem. In a nutshell, 2 days ago I noted a strange process going on with httpd, something I never saw before. That then led to me googling it, and OVH came up top with "Examples of a hacked server". So I freaked out, but didn't do anything as the rest of the cPanel forums said it wasn't related to hacks.
And here we are: I'm unable to log in as root, as if my password was changed. I have standard user accounts which have no root access but have SSH access. The server is running CentOS 6.2.
I'm posting here requesting help and advice on what I should do here.
Thanks in advance
Kris
- 10-10-2012 #2
Contact your ISP, explain the situation and ask them to power down your box.
Then ask for an out-of-band management access and boot e.g. a liveCD.
Better management tools like ILO can do that via RemoteMedia.
Another option would be if your ISP has the option to boot a rescue system via PXE.
Anyway, once the liveCD or rescue system runs:
Decide if you want to go for a forensic analysis, e.g. for legal action against the attacker.
If yes: make images of all of your machine's disks.
Then back up your data, config and logs from the machine.
Scrape the data and config if you want to use it in a new system.
You must always face the curtain with a bow.
- 10-10-2012 #3 (Just Joined!, Join Date: Jun 2012, Posts: 12)
- 10-10-2012 #4
Ok, even better.
Then you can shut down the VM yourself.
You must always face the curtain with a bow.
- 10-10-2012 #5 (Just Joined!, Join Date: Jun 2012, Posts: 12)
- 10-11-2012 #6 (Just Joined!, Join Date: Jun 2012, Posts: 12)
Ok, I booted to single user mode and was able to reset my password from there. Now I have root access back, but only for 5-10 mins as it gets changed again right after booting up. I scanned for rootkits and found nothing, and am doing a ClamAV scan which isn't bringing up much either. Luckily I connected to a root SSH terminal right before it got changed, so I have no WHM access but I do have SSH root access until I disconnect.
Last edited by linkandzelda; 10-11-2012 at 09:55 AM.
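A root password that is rewritten a few minutes after every boot points to something that runs at boot or on a schedule, which is best hunted from the rescue system recommended in post #2 rather than from the compromised box itself. The script below is an added example (not from this thread or its posters): it takes the mount point of the suspect root filesystem (assumed, e.g. /mnt/victim) and lists boot-time and cron locations on a CentOS 6 style init/cron layout whose contents rewrite credentials, plus files in those locations changed within the last N days.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Run from a rescue/liveCD with the suspect root filesystem mounted
# (read-only is fine), e.g.:  scan_password_persistence /mnt/victim

# Boot-time and scheduled locations on a CentOS 6 (SysV init + cron) system.
# Paths are relative to the mounted root; this list is an assumption.
PERSISTENCE_PATHS="etc/rc.d etc/rc.local etc/crontab etc/cron.d etc/cron.hourly
etc/cron.daily etc/cron.weekly etc/cron.monthly var/spool/cron etc/init.d
etc/profile etc/profile.d etc/bashrc root/.bashrc root/.bash_profile"

# Commands and files an automated password reset would typically touch.
CRED_PATTERN='chpasswd|passwd[[:space:]]|usermod[[:space:]]+-p|/etc/shadow|authorized_keys'

# Print every file under the persistence locations that contains a
# credential-rewriting command. Output is sorted and de-duplicated.
scan_password_persistence() {
    root="${1:?mount point of the suspect root filesystem}"
    for d in $PERSISTENCE_PATHS; do
        p="$root/$d"
        [ -e "$p" ] || continue
        # grep returns 1 when nothing matches; that is not an error here.
        grep -rlE "$CRED_PATTERN" "$p" 2>/dev/null || true
    done | sort -u
}

# Print files in the same locations modified within the last $2 days,
# which narrows the search when the intrusion date is roughly known.
recently_changed_boot_files() {
    root="${1:?mount point of the suspect root filesystem}"
    days="${2:-7}"
    for d in $PERSISTENCE_PATHS; do
        p="$root/$d"
        [ -e "$p" ] || continue
        find "$p" -type f -mtime "-$days" 2>/dev/null || true
    done | sort -u
}
```

Anything the scan reports should be read, not just deleted: the line that resets the password usually sits next to whatever else the attacker installed, and the copy of the disk image taken before cleanup is what keeps that evidence intact.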