Normal service has been restored. You may skip ahead to the post announcing this: http://forums.mddhos...ndpost__p__1445
The remainder of this post is being left online for those who are interested. Once again, echo has been successfully restored and all services are back to normal.
Our Echo server was the target of a zero-day kernel exploit. What this means in simple terms is that an attacker exploited a flaw in the operating system that is unknown to the operating system developers and as such there is not yet a patch for this issue.
Fortunately this is where our backup system comes into play as we're going to restore the server back 24 hours prior to the attack. The downside to this restoration is that it can easily take 10 to 20 hours for this process to complete. We've already started the restoration process so that we can get things back online as quickly as possible.
We have investigated the attack and determined that all the attacker has done is defaced index files (index.php, index.html, index.htm, etc.). We do not believe the attacker has stolen any data, dumped any databases, or modified any system files; however, we are going to do a full restore of the system just in case they left a back door into the system that we've not found.
We have taken some proactive steps to help protect customers on other servers that are unaffected, which includes disabling FTP and SSH for all accounts. For anybody on another server wishing to work on their sites, we ask that you please use the "File Manager" from within your cPanel. We understand the frustration and trouble this may cause; however, it's better to have to take a couple of extra steps to work on your site than to face 10 to 20 hours of downtime or worse due to an unpatched exploit.
We always believe in being as open as possible about what is happening and what we're doing to resolve the issue. We do ask that if you have any questions about this issue, you please post them in this thread so that we can centralize the disbursement of information to our client base.
We appreciate your understanding and patience in these trying times.
I'm posting this to the original post just to save new visitors to the thread from having to review the entire thread.
We're currently restoring the Operating System on the server back 24 hours prior to the exploit. Once the server OS is restored we're going to then begin restoring customer accounts from the backup system. This method will allow accounts to come online as they are restored instead of all accounts having to wait until the entire process is completed.
We're currently looking at approximately 48 hours for the last account to be restored; however, accounts will begin coming back online one at a time here within the next few hours.
We have no way of prioritizing which accounts are restored first or last and they will be restored as they are stored into the backup system. If you have any questions, do please read the rest of this thread and feel free to post your questions here.