
cPanel/WHM new exploit problem - What it is and how to get rid of it


Christine
Sat 13th Mar '04, 3:31pm
cPanel's latest update (WHM 9.1.0 cPanel 9.1.0-S73) has an exploit that is being used by the t0rnv8 rootkit.

To plug this, go to 'tweak settings' in WHM and turn 'Allow cPanel users to reset their password via email' off -- that is what it is using.

How will you know if you have it?

chkrootkit found infections in ifconfig, login, pstree, /usr/include/file.h and /usr/include/proc.h as well as 3 processes hidden in LKM and suspected showtee activity on my box.

As I am not live yet, I have ordered a reinstall, but if you have this and are feeling froggy, here are instructions to get rid of it:

http://forums.servermatrix.com/viewtopic.html?t=5014

If you don't have it, PLEASE go plug up that exploit.

:)

Edit to add (from cPanel): All builds on all platforms are vulnerable up to and including (9.1.0 build 34), all builds after that have been fixed.
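The post above gives the indicators chkrootkit reported (the two headers under /usr/include and the replaced ifconfig, login and pstree binaries). The script below is an added example, not something from the thread or from cPanel, that turns those indicators into a quick check: it reports whether the named header files exist and, on the live root of an rpm-based host, whether the named binaries still match their package. The binary paths (/sbin/ifconfig, /bin/login, /usr/bin/pstree) and the use of rpm are assumptions about a typical cPanel host of the period; a clean result here does not rule out a rootkit, since a kernel module hiding processes can also hide files.

```shell
#!/bin/sh
# Added example (not from the thread): a quick indicator check for the
# t0rnv8 findings listed in the post. ROOT lets you point the file checks
# at a mounted image of the affected disk instead of the live system.

# Paths chkrootkit flagged in the post. Neither header is part of a standard
# glibc install, so their presence is suspicious by itself.
T0RN_FILES="/usr/include/file.h /usr/include/proc.h"

# Binaries the post says were replaced. Locations are an assumption for a
# RHEL/CentOS-style host; adjust for your layout.
T0RN_BINS="/sbin/ifconfig /bin/login /usr/bin/pstree"

# check_t0rn_indicators [ROOT]
# Prints one line per finding. Returns 1 if anything was found, else 0.
check_t0rn_indicators() {
    root="${1:-/}"
    found=0

    for f in $T0RN_FILES; do
        if [ -e "$root$f" ]; then
            echo "SUSPICIOUS: $root$f exists"
            found=1
        fi
    done

    # Package verification only makes sense on the live root with rpm present.
    # 'rpm -Vf PATH' verifies the package owning PATH and prints a line for
    # every file whose size/digest/mode no longer match the package database.
    if [ "$root" = "/" ] && command -v rpm >/dev/null 2>&1; then
        for b in $T0RN_BINS; do
            [ -e "$b" ] || continue
            if rpm -Vf "$b" 2>/dev/null | grep -q "$b"; then
                echo "MODIFIED: $b no longer matches its package"
                found=1
            fi
        done
    fi

    return $found
}

# Usage: sh check_t0rn.sh --run [ROOT]
# e.g.   sh check_t0rn.sh --run /          (live system)
#        sh check_t0rn.sh --run /mnt/image (mounted copy of the disk)
if [ "${1:-}" = "--run" ]; then
    check_t0rn_indicators "${2:-/}"
fi
```

Run it against a mounted copy of the disk rather than the live system whenever you can: binaries and headers that a loadable kernel module hides from the running kernel are still visible when the filesystem is read from another box.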

qxh
Sat 13th Mar '04, 5:19pm
Thanks. Luckily I had that disabled already.

wbear
Sun 14th Mar '04, 8:45am
cPanel's latest update (WHM 9.1.0 cPanel 9.1.0-S73) has an exploit that is being used by the t0rnv8 rootkit.[...]

Edit to add (from cPanel): All builds on all platforms are vulnerable up to and including (9.1.0 build 34), all builds after that have been fixed.
Isn't this contradictory?
You mention S73 is vulnerable, and then say 34 and later are not?

Christine
Sun 14th Mar '04, 10:12am
Yes, that is interesting, isn't it? Seems that even if you have cPanel set for manual updates, they can override that and update you anyway (!!)

At the time I posted that I had already been rooted, had not updated cPanel, and did not know that they forced an update. When I found out, I added the version information.

More info on this can be found here (http://www.webhostingtalk.com/showthread.php?threadid=246788&perpage=15&pagenumber=5)