mass defacement

Hello!
My name is Alex Bogatu and i am an system engineer. I have in my administration a cPanel server with almost 1300 sites hosted. A couple a days ago this server was the target of an mass defacement attack and there were almost 1000 sites affected. The attacker apparently replaced the content of each site with his own index.html. This attacker name is Islamic Ghost Team and zone-h.com is saying that there were 30000 sites affected in just 3 or 4 days.

The big problem is that i detected that the attacker changed the root password on my server. So he, somehow, uploaded a privilege escalation script or something like that. My question is: is there some vulnerability in cPanel not yet made public? Or is there someone who got the same problem. I read on google that this is not the first time those guys crack sites.

I have version 11.36.1 (build 6).

Thanks

 

The attack was a mass defacement. There are no rootkits on the system. I wanted to know if there are vulnerabilities known in the last stable version of cpanel. This attack affected 30000 sites from multiple countries. My opinion is that this attack is an exploit based on a vulnerability in cpanel. I wanted to know if someone else had this problem. I know it was a similar attack in 2011

 

I already done that. I searched every possible log file. There is no trace. But...the fact that he hacked so many sites (almost 1000 just on my server)....is not possible to be a cpanel vulnerability not yet reported?

 

My kernel version is 2.6.32-220.13.1.el6.x86_64 running on Red Hat Enterprise Linux Server release 6.2 (Santiago).

No restore was made recently. The only exploit i know is this one Linux Kernel CVE-2013-2094 Local Privilege Escalation Vulnerability

Thank you