We were aware of this compromise of the cPanel Support Department earlier this year and we promptly took the recommended precautions, but it would appear that in the time between this happening, us being informed and us taking the precautions, Server 26 has been compromised. This only came to light last night when every PHP-driven website started throwing errors. We managed to get the server working again and all sites are currently online.
That said, cPanel Level III Support have confirmed this is the case and they have confirmed nothing can be done and the server needs a restore. They say there is no way to safely clean this compromise without a server rebuild and server restore.
We sought advice from a third party security expert overnight and he is also of the opinion that a server restore is the only sure way of guaranteeing that this rootkit has been completely removed.
Our data centre staff are already working on the initial steps of this process (deploying a new server) that will not require any downtime. It is unfortunate, though, that Server 26 will need to be taken offline for a number of hours to complete this restore.
Once we have confirmed all the details we will email all active clients on Server 26 so please look out for an email from us later this morning.
Once the process starts we will post a new announcement here: http://www.bigwetfish.co.uk/whmcs/announcements.php - it would be really helpful to us if clients could refer to this page rather than open support tickets. We promise to update this page every hour once the work starts and more often if we have new information.