The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have passwordbased authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized root-kit based off of Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize.
This compromise has been in the media lately and discussions can be found at the following locations: